Mongo CSFLE | Data Key rotation with local KMS provider | Encryption

Ishant_Tandulkar · September 6, 2023, 9:37am

I am using out of the box client side field level encryption feature of the Mongo Drivers in Java. We are able to get the field encrypted.
I am using the “Local” KMS provider for our implementation, where we have our own logic to create the master key and fetch it from our APIs to populate in the AutoEncryptionSettings.

But now we want to perform key rotations for security purposes.

For this I was exploring the ClientEncryption’s rewrapManyDataKey method →
[ClientEncryption (driver-sync 4.7.0 API) (mongodb.github.io)] ClientEncryption (driver-sync 4.7.0 API) (mongodb.github.io)

What we want to do here is to supply the new master key in the above method and let the data keys in the keyVault get re-encrypted with the newly supplied master key.

The official docs says that in case of “Local” KMS provider, the master key is not applicable for the rewrapManyDataKeyOptions parameter.
Does it mean that the rewrapping of the data keys with the new master key is not possible for the “Local” kms provider?
Is there a solution for enabling key rotation for the “Local” kmsProvider.

Cynthia_Braund · September 21, 2023, 6:13pm

Hello Ishant and welcome to the MongoDB Community,

Rewrapping of local keys is in the roadmap and should be available in the coming months.

Thank you,

Cynthia

XH_ZY · March 28, 2024, 8:30am

Is it available? Or when is the expected launch date for the functionality? Our team is facing a similar situation and we’re hoping for a resolution.

Kevin_Albertson · March 28, 2024, 5:46pm

Hi @XH_ZY, it is available in some drivers, and being planned for others. I suggest watching https://jira.mongodb.org/browse/DRIVERS-2731 for updates. Currently it is released in C driver 1.26.0, and in the upcoming release of pymongo 4.7.0.

Menita_Subramanian · August 28, 2024, 11:08am

Hi, I am looking for an update on this as well.
I have a simple application that requires storing some sensitive data. I opted for a localy managed key to encrypt fields in MongoDB. I am able to encrypt and decrypt data in the DB. But I am having a hard time rotating 'local’s keys. I am using .NET driver v 2.27.0. Is this feature available in this version?
In my test application, when I try re-wrapping using new ‘local’ key I get an error

Found existing DEK for <DBName>.<Entity>
fail: Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware[1]
      An unhandled exception has occurred while executing the request.
      MongoDB.Driver.Encryption.MongoEncryptionException: Encryption related exception: Unexpected field: 'key'.
       ---> MongoDB.Libmongocrypt.CryptException: Unexpected field: 'key'
         at MongoDB.Libmongocrypt.Status.ThrowExceptionIfNeeded()
         at MongoDB.Libmongocrypt.ContextSafeHandle.Check(Status status, Boolean success)
         at MongoDB.Libmongocrypt.PinnedBinary.RunAsPinnedBinary[THandle](THandle handle, Byte[] bytes, Status status, Func`3 handleFunc)
         at MongoDB.Libmongocrypt.KmsKeyId.SetCredentials(ContextSafeHandle context, Status status)
         at MongoDB.Libmongocrypt.CryptClient.StartRewrapMultipleDataKeysContext(KmsKeyId kmsKey, Byte[] filter)
         at MongoDB.Driver.Encryption.ExplicitEncryptionLibMongoCryptController.RewrapManyDataKey(FilterDefinition`1 filter, RewrapManyDataKeyOptions options, CancellationToken cancellationToken).

Here is the function I am calling to rewrap keys

{
    var client = CreateClient();
    var result = "";
    //kms provider: local
    var kmsProviders = new KmsProviders(_secureConnectionSettings.EncryptionMasterKey); //new key

    var keyVaultNamespace = CollectionNamespace.FromFullName(
        $"{_secureConnectionSettings.EncryptionDatabaseName}.__{_secureConnectionSettings.EncryptionKeyVaultCollection}");

    // Get the key vault collection
    var keyVaultCollection = client.GetDatabase(_secureConnectionSettings.EncryptionDatabaseName)
        .GetCollection<BsonDocument>("__KeyVault");

    // Rewrap all keys in the key vault collection
    var encryptionOptions = new ClientEncryptionOptions(client, keyVaultNamespace, kmsProviders.Providers);
    using (var clientEncryption = new ClientEncryption(encryptionOptions))
    {
        var filter = Builders<BsonDocument>.Filter.Empty; // To rewrap all keys, use an empty filter
        var updateOptions = new RewrapManyDataKeyOptions("local", new BsonDocument
        {
            {
                "key",
                "<new key>"
            } // New CMK ARN for local
        });


        // Rewrap the keys
        var rewrapResult = clientEncryption.RewrapManyDataKey(filter, updateOptions);

        result = $"Rewrapped {rewrapResult.BulkWriteResult.ModifiedCount} keys.";
    }
  
}

I found an example of the above on the web but I am not sure if the usage is correct. For one the line is calling the new master key,
var kmsProviders = new KmsProviders(_secureConnectionSettings.EncryptionMasterKey);

and the kmsProvider is used as a parameter in
var encryptionOptions = new ClientEncryptionOptions(client, keyVaultNamespace, kmsProviders.Providers);

should it be the old masterkey or the new key. Another point I wanted to check is KMSProvider is Dictionary<string, IReadOnlyDictionary<string, object>>(). When I add the new masterkey I am replacing the the old key with the new key before rotation. I am not certain if that was intended.

Rishit_Bhatia · September 6, 2024, 6:54pm

Hi @Menita_Subramanian,

This feature for the .NET/C# driver will be available in our next major version (3.0.0) slated for release in early October. You can track its progress here. Hope that helps clarify the timelines.

Thanks,

Rishit.

Menita_Subramanian · October 22, 2024, 11:42am

Hi, I got the most resent release v 3.0. After reading upgrade documentation, I found out that there is new MongoDB.Driver.Encryption package. I have that installed. However, there is still a conflict with MongoDB.Driver.Core.Extensions.DiagnosticSources 1.5.0 (latest) package. This package contains a reference to MongoDb.Driver.Core 2.28. The max version available is 2.30 and both version produce the below error. So, unless These packages are upgraded, I cant get rid of this compilation error and actually try out the key rotation feature

Error CS0433 The type ‘CollectionNamespace’ exists in both ‘MongoDB.Driver.Core, Version=2.28.0.0, Culture=neutral, PublicKeyToken=94992a530f44e321’ and ‘MongoDB.Driver, Version=3.0.0.0, Culture=neutral, PublicKeyToken=94992a530f44e321’

Tushar_Rusia · December 28, 2024, 1:27pm

Is the local masterKey rotation available for nodejs ?