
Rotate Encryption Keys

Most regulatory requirements mandate that a managed key used to decrypt sensitive data must be rotated out and replaced with a new key once a year.

Note

Disambiguation

To roll over database keys configured with the AES256-GCM cipher after a filesystem restore, see --eseDatabaseKeyRollover instead.

MongoDB provides two options for key rotation. You can rotate out the mongod instance by replacing it with a new instance that uses a new key. Or, if you are using a KMIP server for key management, you can rotate the CMK (Customer Master Key).

Note

Do not rotate more than one replica set node at a time, so that the write quorum is not changed.

For a replica set, to rotate out a member:

  1. Start a new mongod instance, configured to use a new key. Include the --replSet option with the name of the replica set as well as any other options specific to your configuration, such as --dbpath and --bind_ip.

    mongod --replSet myReplSet --enableEncryption \
    --kmipServerName <KMIP Server HostName> \
    --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem

  2. Connect mongosh to the replica set's primary.

  3. Add the instance to the replica set:

    rs.add( { host: <host:port> } )

    Warning

    Before MongoDB 5.0, a newly added secondary still counts as a voting member even though it can neither serve reads nor become primary until its data is consistent. If you are running a MongoDB version earlier than 5.0 and add a secondary with its votes and priority settings greater than 0, this can lead to a case where a majority of the voting members are online but no primary can be elected. To avoid such situations, consider adding the new secondary initially with priority :0 and votes :0. Then, run rs.status() to ensure the member has transitioned into SECONDARY state. Finally, use rs.reconfig() to update its priority and votes.

    During the initial sync, the data is re-encrypted with an entirely new set of database keys as well as a new system key.

  4. Remove the old node from the replica set and delete all its data. For instructions, see Remove Members from a Self-Managed Replica Set.

If you are using a KMIP server for key management, you can rotate the CMK (Customer Master Key), the only externally managed key. With the new master key, the internal keystore is re-encrypted, but the database keys are otherwise left unchanged. This obviates the need to re-encrypt the entire data set.

  1. Rotate the master key for the secondary members of the replica set one at a time.

    1. Restart the secondary, including the --kmipRotateMasterKey option. Include any other options specific to your configuration, such as --bind_ip. If the member already includes the --kmipKeyIdentifier option, either update the --kmipKeyIdentifier option with the new key to use, or omit it to request a new key from the KMIP server:

      mongod --enableEncryption --kmipRotateMasterKey \
      --kmipServerName <KMIP Server HostName> \
      --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem

      If using a configuration file, include the security.kmip.rotateMasterKey setting.

    2. Upon successful completion of the master key rotation and re-encryption of the database keystore, the mongod will exit.

    3. Restart the secondary without the --kmipRotateMasterKey parameter. Include any other options specific to your configuration, such as --bind_ip.

      mongod --enableEncryption --kmipServerName <KMIP Server HostName> \
      --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem

      If using a configuration file, remove the security.kmip.rotateMasterKey setting.

  2. Step down the replica set's primary.

    Connect mongosh to the primary and use rs.stepDown() to step down the primary and force an election of a new primary.

    rs.stepDown()

  3. When rs.status() shows that the primary has stepped down and another member has assumed PRIMARY state, rotate the master key for the stepped-down member:

    1. Restart the stepped-down member, including the --kmipRotateMasterKey option. Include any other options specific to your configuration, such as --bind_ip. If the member already includes the --kmipKeyIdentifier option, either update the --kmipKeyIdentifier option with the new key to use, or omit it to request a new key from the KMIP server.

      mongod --enableEncryption --kmipRotateMasterKey \
      --kmipServerName <KMIP Server HostName> \
      --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem

      If using a configuration file, include the security.kmip.rotateMasterKey setting.

    2. Upon successful completion of the master key rotation and re-encryption of the database keystore, the mongod will exit.

    3. Restart the stepped-down member without the --kmipRotateMasterKey option. Include any other options specific to your configuration, such as --bind_ip.

      mongod --enableEncryption --kmipServerName <KMIP Server HostName> \
      --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem

      If using a configuration file, remove the security.kmip.rotateMasterKey setting.
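The following Python helper is an added example, not MongoDB tooling: it derives the rotation order the procedure above requires from an rs.status() document (every secondary first, then the primary only after it has stepped down) and produces the configuration-file dictionaries for the two restarts of each member (security.kmip.rotateMasterKey set, then removed; security.kmip.keyIdentifier updated or omitted). The member list and base configuration are constructed sample values; no mongod is invoked.

```python
# Added example (not MongoDB code): plan a rolling KMIP master-key rotation from an
# rs.status() document and derive the per-restart configuration dictionaries.
# Assumes the configuration-file keys security.kmip.rotateMasterKey and
# security.kmip.keyIdentifier discussed above; no live mongod is contacted.
import copy

def rotation_order(rs_status):
    """Hosts in the order the procedure prescribes: every SECONDARY first, then the
    PRIMARY, which must be stepped down (rs.stepDown()) before its own rotation."""
    members = rs_status["members"]
    secondaries = [m["name"] for m in members if m["stateStr"] == "SECONDARY"]
    primaries = [m["name"] for m in members if m["stateStr"] == "PRIMARY"]
    # Refuse to plan while any member is in another state: rotating a node takes it
    # offline, and a second unavailable node would change the write quorum.
    other = [m["name"] for m in members if m["stateStr"] not in ("SECONDARY", "PRIMARY")]
    if other or len(primaries) != 1:
        raise RuntimeError(f"replica set not ready: {other or 'no single primary'}")
    return secondaries + primaries

def rotation_pass_config(base_config, new_key_identifier=None):
    """Config for the first restart: rotateMasterKey on. A key identifier selects that
    KMIP key; omitting it drops keyIdentifier so a new key is requested from the server."""
    cfg = copy.deepcopy(base_config)
    kmip = cfg.setdefault("security", {}).setdefault("kmip", {})
    kmip["rotateMasterKey"] = True
    if new_key_identifier is None:
        kmip.pop("keyIdentifier", None)
    else:
        kmip["keyIdentifier"] = new_key_identifier
    return cfg

def normal_config(rotation_config):
    """Config for the second restart: the rotation flag removed, everything else kept."""
    cfg = copy.deepcopy(rotation_config)
    cfg["security"]["kmip"].pop("rotateMasterKey", None)
    return cfg

def primary_stepped_down(status_before, status_after):
    """True once rs.status() shows a different member holding PRIMARY."""
    def primary(s):
        return next((m["name"] for m in s["members"] if m["stateStr"] == "PRIMARY"), None)
    new = primary(status_after)
    return new is not None and new != primary(status_before)

# Constructed sample rs.status() members and base config; not from a real deployment.
SAMPLE_STATUS = {"members": [
    {"name": "db1.example.net:27017", "stateStr": "PRIMARY"},
    {"name": "db2.example.net:27017", "stateStr": "SECONDARY"},
    {"name": "db3.example.net:27017", "stateStr": "SECONDARY"}]}
BASE_CONFIG = {"security": {"enableEncryption": True, "kmip": {
    "serverName": "kmip.example.net", "serverCAFile": "ca.pem",
    "clientCertificateFile": "client.pem", "keyIdentifier": "old-key-id"}}}
```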