Encryption Key Management
On this page
In this guide, you can learn how to manage your encryption keys with a Key Management System (KMS) in your Queryable Encryption enabled application.
Encryption Components
MongoDB uses the following components to perform Queryable Encryption:
Data Encryption Keys (DEKs)
Key Vault collections
Customer Master Keys (CMKs)
Key Management System (KMS)
Your Data Encryption Key is the key you use to encrypt the fields in your MongoDB documents. Your DEK is stored in a document in a MongoDB collection called the Key Vault collection.
Your Customer Master Key is the key you use to encrypt your Data Encryption Keys. MongoDB automatically encrypts Data Encryption Keys using the specified CMK during Data Encryption Key creation.
The CMK is the most sensitive key in Queryable Encryption. If your CMK is compromised, all of your encrypted data can be decrypted.
Use a Key Management System to store your Customer Master Key.
To learn more about the relationship between keys, see Keys and Key Vaults.
Important
Use a Remote Key Management Service Provider
Ensure you store your Customer Master Key (CMK) on a remote KMS.
To learn more about why you should use a remote KMS, see Reasons to Use a Remote KMS.
To view a list of all supported KMS providers, see the KMS Providers page.
Rotate Encryption Keys Using mongosh
You can rotate encryption keys using the
KeyVault.rewrapManyDataKey() method. The rewrapManyDataKey
method automatically decrypts multiple data keys and re-encrypts them
using a specified Customer Master Key (CMK). It then updates the rotated keys
in the key vault collection. This method allows you to rotate encryption
keys based on two optional arguments:
A query filter document used to specify which keys to rotate. If no data key matches the given filter, no keys will be rotated. Omit the filter to rotate all keys in your key vault collection.
An object that represents a new CMK. Omit this object to rotate the data keys using their current CMKs.
The rewrapManyDataKey method has the following syntax:
let keyVault = db.getMongo().getKeyVault() keyVault.rewrapManyDataKey( { "<Your custom filter>" }, { provider: "<KMS provider>", masterKey: { "<dataKeyOpts Key>" : "<dataKeyOpts Value>" } } )
Supported Key Management Services
Queryable Encryption supports the following Key Management System (KMS) providers:
Amazon Web Services KMS
Azure Key Vault
Google Cloud Platform KMS
Any KMIP Compliant Key Management System
Local Key Provider
To learn more about these providers, including diagrams that show how your application uses them to perform Queryable Encryption, see KMS Providers.
Reasons to Use a Remote KMS
Using a remote KMS to manage your Customer Master Key (CMK) has the following advantages over using your local filesystem to host the CMK:
Secure storage of the key with access auditing
Reduced risk of access permission issues
Availability and distribution of the key to remote clients
Automated key backup and recovery
Centralized encryption key lifecycle management
Additionally, for the following KMS providers, your KMS remotely encrypts and decrypts your Data Encryption Key, ensuring your Customer Master Key is never exposed to your Queryable Encryption enabled application:
Amazon Web Services KMS
Azure Key Vault
Google Cloud Platform KMS
Learn More
For tutorials detailing how to set up a Queryable Encryption enabled application with each of the supported KMS providers, see the following pages: