Type: Epic
Resolution: Unresolved
Priority: Major - P3
Component/s: Client Side Encryption
Summary
Earlier versions of the KMIP specification had no Encrypt or Decrypt operations. They were added in KMIP 1.2, but even servers that implement 1.2 do not necessarily support the Encrypt/Decrypt calls. For CSFLE and Queryable Encryption this means the CMK itself has to be transported back and forth between the key provider and the driver, which is less than ideal from a security standpoint because it exposes a wrapping key: if that wrapping key is exposed, every DEK encrypted with it can be decrypted. HashiCorp Vault Enterprise added support for Encrypt/Decrypt in version 1.13, at our request, so that we can use KMIP the same way we use the other key providers: sending the cleartext DEK to the key provider for encryption and sending the encrypted DEK to the provider for decryption.
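As an added illustration of the trade-off described above (this is constructed example code, not code from libmongocrypt or any driver): a simulated KMIP provider with a `wire` log, where `delegated=False` models the legacy flow (the driver fetches the CMK and wraps the DEK locally) and `delegated=True` models the Encrypt/Decrypt flow. The wrapping cipher (HMAC-SHA256 in counter mode plus an HMAC tag) and all names are stand-ins chosen so the example runs on the standard library alone; `cmk_exposed` reports whether the wrapping key itself ever crossed the wire.

```python
import hashlib
import hmac
import secrets

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF keystream (stand-in for the provider's real cipher)
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def wrap(cmk, dek):
    # encrypt-then-MAC wrap of a DEK under the CMK: nonce || ciphertext || tag
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(cmk, nonce, len(dek))))
    return nonce + ct + hmac.new(cmk, nonce + ct, hashlib.sha256).digest()

def unwrap(cmk, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(cmk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrapped DEK failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(cmk, nonce, len(ct))))

class KmipServer:
    # simulated key provider; `wire` records every secret that crossed the network
    def __init__(self):
        self.cmk = secrets.token_bytes(32)  # the wrapping key, meant never to leave the provider
        self.wire = []
    def get(self):  # KMIP Get: hands the CMK itself to the caller (legacy flow)
        self.wire.append(("get", self.cmk))
        return self.cmk
    def encrypt(self, dek):  # KMIP Encrypt (1.2+): cleartext DEK in, wrapped DEK out
        self.wire.append(("encrypt", dek))
        return wrap(self.cmk, dek)
    def decrypt(self, blob):  # KMIP Decrypt (1.2+): wrapped DEK in, cleartext DEK out
        self.wire.append(("decrypt", blob))
        return unwrap(self.cmk, blob)

def create_dek(server, delegated):
    # driver side: returns (cleartext DEK, wrapped DEK) under either protocol
    dek = secrets.token_bytes(96)
    if delegated:
        return dek, server.encrypt(dek)
    return dek, wrap(server.get(), dek)  # legacy: pull the CMK and wrap locally

def decrypt_dek(server, blob, delegated):
    return server.decrypt(blob) if delegated else unwrap(server.get(), blob)

def cmk_exposed(server):
    return any(op == "get" for op, _ in server.wire)
```

In the delegated flow only the single DEK being created or used is visible on the wire, so a compromise of that exchange is bounded to one DEK rather than to every DEK wrapped under the CMK.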
Cast of Characters
Engineering Lead:
Document Author:
POCers:
Product Owner:
Program Manager:
Stakeholders:
Channels & Docs
Slack Channel
[Scope Document|some.url]
[Technical Design Document|some.url]
Issue links

depends on:
MONGOCRYPT-614 Add KMIP delegated encryption mode (Closed)

split to:
RUBY-3383 CSFLE/QE KMIP support "delegated" protocol (Backlog)
CXX-2813 CSFLE/QE KMIP support "delegated" protocol (Ready for Work)
GODRIVER-3103 CSFLE/QE KMIP support "delegated" protocol (Ready for Work)
CDRIVER-4817 CSFLE/QE KMIP support "delegated" protocol (Closed)
CSHARP-4941 CSFLE/QE KMIP support "delegated" protocol (Closed)
JAVA-5300 CSFLE/QE KMIP support "delegated" protocol (Closed)
MOTOR-1236 CSFLE/QE KMIP support "delegated" protocol (Closed)
NODE-5853 CSFLE/QE KMIP support "delegated" protocol (Closed)
PHPLIB-1375 Support "delegated" protocol for CSFLE/QE KMIP (Closed)
PYTHON-4164 CSFLE/QE KMIP support "delegated" protocol (Closed)
RUST-1830 CSFLE/QE KMIP support "delegated" protocol (Closed)