Drivers / DRIVERS-2732

CSFLE/QE KMIP support "delegated" protocol

    • Type: Epic
    • Resolution: Unresolved
    • Priority: Major - P3
    • Component/s: Client Side Encryption

      Summary of necessary driver changes

      • Use libmongocrypt containing changes for MONGOCRYPT-614. MONGOCRYPT-614 is available in libmongocrypt 1.10.0. Binaries are available in this Evergreen upload-all task to test.
      • Document the new "delegated" option for the KMIP masterKey in ClientEncryption::createDataKey.
      • C driver required no other changes.

      Commits for syncing spec/prose tests
      (and/or refer to an existing language POC if needed)

      • Spec tests were added in 57b77d8 and amended in dc6eb4c
      • No prose tests
    • To Do
    • CSFLE/QE KMIP support for encrypt/decrypt

      2024-03-14:

      What was accomplished since the last update?

      • Updated libmongocrypt PR and got approval. Awaiting spec approval.

      What goals are we targeting for the next two weeks?

      • Merge spec.

      2024-02-05: 

      Status update: 

      • libmongocrypt and C driver implementation working.
      • Working on specification tests.

    • Needed
      Key            Status/Resolution   FixVersion
      CDRIVER-4817   Fixed               1.27.0
      CXX-2813       Ready for Work
      CSHARP-4941    Done                2.28.0
      GODRIVER-3103  Ready for Work      2.1.0
      JAVA-5300      Fixed               5.2.0
      NODE-5853      Fixed               6.8.0
      MOTOR-1236     Duplicate
      PYTHON-4164    Fixed               4.9
      PHPLIB-1375    Fixed               1.20.0
      RUBY-3383      Backlog
      RUST-1830      Fixed               3.0.0

      Summary

      Previous versions of the KMIP spec did not support encrypt and decrypt functionality. It was added in 1.2, but even implementations using 1.2 didn't necessarily support the encrypt/decrypt calls. For CSFLE and Queryable Encryption, that means the CMK is what has to be transported back and forth between the key provider and the driver, which is less than ideal from a security standpoint because it exposes a wrapping key. If that wrapping key is exposed, all DEKs encrypted with it can be decrypted. HashiCorp Vault Enterprise added support for encrypt/decrypt in their 1.13 version, at our request, so that we can use KMIP as we do the other key providers: sending the cleartext DEK to the key provider for encryption and sending the encrypted DEK for decryption.
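
The difference between the two modes can be made concrete with a small simulation, added here as an illustration and not taken from libmongocrypt or any driver. `ToyKms`, `toy_wrap`, `blast_radius` and the key id are hypothetical, the cipher is an insecure stand-in for real key wrapping, and treating a missing `delegated` as false is an assumption of the sketch.

```python
import hashlib, hmac, os

def toy_wrap(key, data):
    # Toy, self-inverse stand-in for a real key-wrap cipher (NOT secure):
    # XOR the 32-byte input with an HMAC-SHA256 keystream derived from key.
    stream = hmac.new(key, b"toy-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class ToyKms:
    """Hypothetical in-memory KMIP-like server that logs what crosses the link."""
    def __init__(self):
        self._cmk = os.urandom(32)   # customer master key (the wrapping key)
        self.wire = []               # payloads seen on the driver<->KMS link

    def get(self):                   # like KMIP Get: key material leaves the KMS
        self.wire.append(self._cmk)
        return self._cmk

    def encrypt(self, dek):          # like KMIP Encrypt: the CMK stays inside
        wrapped = toy_wrap(self._cmk, dek)
        self.wire += [dek, wrapped]
        return wrapped

    def decrypt(self, wrapped):      # like KMIP Decrypt: the CMK stays inside
        dek = toy_wrap(self._cmk, wrapped)
        self.wire += [wrapped, dek]
        return dek

def create_data_key(kms, master_key):
    dek = os.urandom(32)
    if master_key.get("delegated", False):
        return dek, kms.encrypt(dek)          # KMS wraps the DEK
    return dek, toy_wrap(kms.get(), dek)      # driver fetches the CMK, wraps locally

def unwrap_data_key(kms, master_key, wrapped):
    if master_key.get("delegated", False):
        return kms.decrypt(wrapped)
    return toy_wrap(kms.get(), wrapped)

def blast_radius(delegated):
    """Return (round_trip_ok, unrelated_dek_recoverable_from_one_exposed_session)."""
    kms = ToyKms()
    mk = {"keyId": "constructed-key-id", "delegated": delegated}
    dek, wrapped = create_data_key(kms, mk)
    ok = unwrap_data_key(kms, mk, wrapped) == dek
    captured = list(kms.wire)                      # everything that session exposed
    other_dek = os.urandom(32)                     # a DEK never sent in that session
    other_wrapped = toy_wrap(kms._cmk, other_dek)  # as it would sit in the key vault
    leaked = any(toy_wrap(c, other_wrapped) == other_dek for c in captured)
    return ok, leaked
```
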


            Assignee: Adrian Dole
            Reporter: Cynthia Braund (Inactive)
            Kevin Albertson
            Esha Bhargava
            Votes: 0
            Watchers: 5