
Prevent PSMDB from starting if the configured encryption key doesn't match the one used for data encryption

Details

    • Type: Bug
    • Status: Done
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: 4.4.15-15, 5.0.10-9
    • Fix Version/s: 4.4.17-17, 5.0.13-11, 6.0.2-1, 4.2.23-23

    Description

      Hi,

      STR:
      1. Start PSMDB for the first time with kmipKeyIdentifier 1

      mongod --enableEncryption  --kmipServerName 192.168.4.51 --kmipClientCertificateFile mongod.crt --kmipServerCAFile ca.crt --kmipKeyIdentifier 1
      
      {"t":{"$date":"2022-08-24T06:39:21.040-04:00"},"s":"I",  "c":"STORAGE",  "id":29108,   "ctx":"initandlisten","msg":"Master key has been read from the KMIP server","attr":{"kmipMasterKeyId":"1"}}
      {"t":{"$date":"2022-08-24T06:39:21.040-04:00"},"s":"I",  "c":"STORAGE",  "id":29037,   "ctx":"initandlisten","msg":"Initializing KeyDB with wiredtiger_open config: {cfg}","attr":{"cfg":"create,config_base=false,extensions=[local=(entry=percona_encryption_extension_init,early_load=true,config=(cipher=AES256-CBC,rotation=false))],encryption=(name=percona,keyid=\"\"),log=(enabled,file_max=5MB),transaction_sync=(enabled=true,method=fsync),"}}
      {"t":{"$date":"2022-08-24T06:39:21.662-04:00"},"s":"I",  "c":"STORAGE",  "id":29039,   "ctx":"initandlisten","msg":"Encryption keys DB is initialized successfully"}
      

      2. Restart PSMDB with kmipKeyIdentifier 2

      Actual result
      DB is started, previous key is used

      mongod --enableEncryption  --kmipServerName 192.168.4.51 --kmipClientCertificateFile mongod.crt --kmipServerCAFile ca.crt --kmipKeyIdentifier 2
      
      {"t":{"$date":"2022-08-24T06:40:07.609-04:00"},"s":"I",  "c":"STORAGE",  "id":22270,   "ctx":"initandlisten","msg":"Storage engine to use detected by data files","attr":{"dbpath":"/data/db","storageEngine":"wiredTiger"}}
      {"t":{"$date":"2022-08-24T06:40:07.642-04:00"},"s":"I",  "c":"STORAGE",  "id":29108,   "ctx":"initandlisten","msg":"Master key has been read from the KMIP server","attr":{"kmipMasterKeyId":"1"}}
      {"t":{"$date":"2022-08-24T06:40:07.642-04:00"},"s":"I",  "c":"STORAGE",  "id":29037,   "ctx":"initandlisten","msg":"Initializing KeyDB with wiredtiger_open config: {cfg}","attr":{"cfg":"create,config_base=false,extensions=[local=(entry=percona_encryption_extension_init,early_load=true,config=(cipher=AES256-CBC,rotation=false))],encryption=(name=percona,keyid=\"\"),log=(enabled,file_max=5MB),transaction_sync=(enabled=true,method=fsync),"}}
      {"t":{"$date":"2022-08-24T06:40:08.223-04:00"},"s":"I",  "c":"STORAGE",  "id":29039,   "ctx":"initandlisten","msg":"Encryption keys DB is initialized successfully"}
      

      Expected result
      DB can't be started due to the wrong key; as a sample, the enterprise behavior:

      {"t":{"$date":"2022-08-24T10:44:26.407+00:00"},"s":"E",  "c":"STORAGE",  "id":24248,   "ctx":"initandlisten","msg":"Unable to retrieve key","attr":{"keyId":".system","error":{"code":2,"codeName":"BadValue","errmsg":"The KMIP key id 3 was provided, but the system is already configured with key id 4."}}}
      
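As an added illustration (my own code, not Percona's and not part of this report), a minimal model of the startup guard the reporter expects, together with a detector that flags the mismatch in structured mongod log lines like those above. The log id 29108 and the kmipMasterKeyId attribute are taken from the report; the class and function names, and the embedded sample log, are constructed for the example.

```python
"""Startup key-id guard and log-based detector (added example, not PSMDB code)."""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed from the report's second start: --kmipKeyIdentifier 2 was passed,
# but the key DB was opened with the master key id recorded at first start.
SECOND_START_LOG = """
{"t":{"$date":"2022-08-24T06:40:07.642-04:00"},"s":"I","c":"STORAGE","id":29108,"ctx":"initandlisten","msg":"Master key has been read from the KMIP server","attr":{"kmipMasterKeyId":"1"}}
{"t":{"$date":"2022-08-24T06:40:08.223-04:00"},"s":"I","c":"STORAGE","id":29039,"ctx":"initandlisten","msg":"Encryption keys DB is initialized successfully"}
"""


@dataclass
class KeyDbMetadata:
    """Key id persisted alongside the encryption key DB; None before first start."""
    kmip_master_key_id: Optional[str]


def check_configured_key(meta: KeyDbMetadata, configured_id: str) -> Optional[str]:
    """Guard modelled on the expected behaviour: record the id on first start,
    refuse to proceed on any later start whose configured id differs."""
    if meta.kmip_master_key_id is None:
        meta.kmip_master_key_id = configured_id  # first start: remember the id
        return None
    if meta.kmip_master_key_id != configured_id:
        return (f"The KMIP key id {configured_id} was provided, but the system "
                f"is already configured with key id {meta.kmip_master_key_id}.")
    return None


def find_key_id_mismatch(log_lines, configured_id: str) -> Optional[dict]:
    """Scan JSON log records for id 29108 and report when the master key that
    was actually read differs from the id the operator configured."""
    for line in log_lines:
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise such as the command line itself
        if rec.get("id") == 29108:
            actual = rec.get("attr", {}).get("kmipMasterKeyId")
            if actual != configured_id:
                return {"configured": configured_id, "actual": actual,
                        "t": rec["t"]["$date"]}
    return None
```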

          People

            konstantin.trushin Konstantin Trushin
            sandra.romanchenko Sandra Romanchenko