Rotate Encryption Keys
Most regulatory requirements mandate that a managed key used to decrypt sensitive data be rotated out and replaced with a new key at least once a year.
Note

To roll over database keys configured with the AES256-GCM cipher after a filesystem restore, see --eseDatabaseKeyRollover instead.
MongoDB provides two options for key rotation. You can rotate out a member by replacing it with a new mongod instance that uses a new key. Or, if you are using a KMIP server for key management, you can rotate the master key (the customer master key held on the KMIP server).
Rotate a Replica Set Member
Note

To prevent changing the write quorum, never rotate more than one replica set member at a time.
For a replica set, to rotate out a member:

1. Start a new mongod instance configured to use a new key. Include the --replSet option with the name of the replica set as well as any other options specific to your configuration, such as --dbpath and --bind_ip.

    mongod --replSet myReplSet --enableEncryption \
      --kmipServerName <KMIP Server HostName> \
      --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem

2. Connect mongosh to the replica set's primary.

3. Add the instance to the replica set:

    rs.add( { host: <host:port> } )

   Warning

   Before MongoDB 5.0, a newly added member counts as a voting member even though it can neither serve reads nor become primary until its data is consistent. If you are running a MongoDB version earlier than 5.0 and add a secondary with votes and priority greater than zero, a majority of voting members can be online while no primary can be elected. To avoid this, consider first adding the new secondary with priority: 0 and votes: 0. Then run rs.status() to confirm that the member has transitioned to SECONDARY state. Finally, use rs.reconfig() to update its priority and votes.

   During the initial sync, the data is re-encrypted with an entirely new set of database keys as well as a new system key.

4. Remove the old node from the replica set and delete all its data. For instructions, see Remove Members from a Self-Managed Replica Set.
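The member-replacement procedure above, driven from Python as an added example (this is not MongoDB's own tooling). The pure helpers build the rs.add() document (non-voting on pre-5.0 servers, per the warning), check that the set is stable before another member is touched, and produce the rs.reconfig() document that restores priority and votes; rotate_out chains them through mongosh, which is assumed to be on PATH. The hostnames, server versions and the SAMPLE_STATUS document are constructed, not captured from a real deployment.

```python
"""Helpers for rotating out an encrypted replica set member.

Added example, not MongoDB's own tooling. It assumes that rs.status() and
rs.conf() return their documented shape ('members' entries with 'name' or
'host', 'stateStr', 'priority' and 'votes') and that mongosh is on PATH;
SAMPLE_STATUS below is a constructed document, not captured output."""
import json
import subprocess
import time

SAFE_STATES = {"PRIMARY", "SECONDARY", "ARBITER"}

# Constructed rs.status() excerpt: one member is still doing its initial sync.
SAMPLE_STATUS = {"members": [
    {"name": "a:27017", "stateStr": "PRIMARY"},
    {"name": "b:27017", "stateStr": "SECONDARY"},
    {"name": "c:27017", "stateStr": "STARTUP2"},
]}


def member_state(status, host):
    """stateStr of the member called host, or None if it is not in the set."""
    for m in status["members"]:
        if m["name"] == host:
            return m["stateStr"]
    return None


def safe_to_rotate(status):
    """True only with exactly one PRIMARY and no member still syncing or
    recovering: adding another member while one is in STARTUP2/RECOVERING
    means two members are being rotated at once."""
    states = [m["stateStr"] for m in status["members"]]
    return states.count("PRIMARY") == 1 and all(s in SAFE_STATES for s in states)


def needs_zero_vote_add(server_version):
    """Before 5.0 a freshly added member already counts as a voting member,
    so it has to be added with priority 0 and votes 0 first."""
    return int(server_version.split(".")[0]) < 5


def add_member_doc(host, server_version):
    """Argument document for rs.add(): non-voting on pre-5.0 servers."""
    doc = {"host": host}
    if needs_zero_vote_add(server_version):
        doc.update({"priority": 0, "votes": 0})
    return doc


def promote_member_config(config, host, priority=1, votes=1):
    """Copy of an rs.conf() document with the member's priority and votes
    raised and the config version bumped, as rs.reconfig() expects."""
    new = json.loads(json.dumps(config))
    for m in new["members"]:
        if m["host"] == host:
            m["priority"], m["votes"] = priority, votes
            break
    else:
        raise KeyError(f"{host} is not in the replica set config")
    new["version"] += 1
    return new


def mongosh_eval(uri, js):
    """Evaluate js in mongosh against uri and parse the Extended JSON result.
    Needs a live replica set; the pure helpers above do not."""
    out = subprocess.run(
        ["mongosh", uri, "--quiet", "--eval", f"EJSON.stringify({js})"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def rotate_out(uri, old_host, new_host, server_version):
    """The whole procedure, run after the replacement mongod (started with
    the new key) is already up: add it, wait for initial sync, give it votes
    on pre-5.0 servers, then remove the old member."""
    if not safe_to_rotate(mongosh_eval(uri, "rs.status()")):
        raise RuntimeError("replica set not stable; rotate one member at a time")
    mongosh_eval(uri, f"rs.add({json.dumps(add_member_doc(new_host, server_version))})")
    while member_state(mongosh_eval(uri, "rs.status()"), new_host) != "SECONDARY":
        time.sleep(5)  # initial sync re-encrypts the data under fresh keys
    if needs_zero_vote_add(server_version):
        cfg = promote_member_config(mongosh_eval(uri, "rs.conf()"), new_host)
        # EJSON.parse turns the Extended JSON back into BSON types before reconfig.
        mongosh_eval(uri, f"rs.reconfig(EJSON.parse({json.dumps(json.dumps(cfg))}))")
    mongosh_eval(uri, f"rs.remove({json.dumps(old_host)})")


if __name__ == "__main__":
    print("safe to rotate:", safe_to_rotate(SAMPLE_STATUS))  # False: c is in STARTUP2
    print("rs.add argument:", add_member_doc("d:27017", "4.4.18"))
```

The stability check is the scripted form of the note above: it refuses to start while any member is still in STARTUP2 or RECOVERING, so a second member is never in flight at the same time. The old member's data directory still has to be wiped by hand on its host after rs.remove() returns.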
KMIP Master Key Rotation
If you are using a KMIP server for key management, you can rotate the master key, the only externally managed key. With the new master key, the internal keystore is re-encrypted but the database keys are otherwise left unchanged. This obviates the need to re-encrypt the entire data set. Keep the previous master key available on the KMIP server for as long as any backup taken under it may still need to be restored: a restored dbpath carries the keystore encrypted with the master key that was current when the backup was made.
1. Rotate the master key for the secondary members of the replica set one at a time.

   a. Restart the secondary, including the --kmipRotateMasterKey option. Include any other options specific to your configuration, such as --bind_ip. If the member already includes the --kmipKeyIdentifier option, either update --kmipKeyIdentifier with the new key to use or omit it to request a new key from the KMIP server:

    mongod --enableEncryption --kmipRotateMasterKey \
      --kmipServerName <KMIP Server HostName> \
      --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem

   If using a configuration file, include the security.kmip.rotateMasterKey setting.

   Upon successful completion of the master key rotation and re-encryption of the database keystore, the mongod exits.

   b. Restart the secondary without the --kmipRotateMasterKey parameter. Include any other options specific to your configuration, such as --bind_ip.

    mongod --enableEncryption --kmipServerName <KMIP Server HostName> \
      --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem

   If using a configuration file, remove the security.kmip.rotateMasterKey setting.
2. Step down the replica set primary.

   Connect mongosh to the primary and use rs.stepDown() to step down the primary and force an election of a new primary:

    rs.stepDown()

3. When rs.status() shows that the primary has stepped down and another member has assumed PRIMARY state, rotate the master key for the stepped-down member:

   a. Restart the stepped-down member, including the --kmipRotateMasterKey option. Include any other options specific to your configuration, such as --bind_ip. If the member already includes the --kmipKeyIdentifier option, either update --kmipKeyIdentifier with the new key to use or omit it to request a new key from the KMIP server.

    mongod --enableEncryption --kmipRotateMasterKey \
      --kmipServerName <KMIP Server HostName> \
      --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem

   If using a configuration file, include the security.kmip.rotateMasterKey setting.

   Upon successful completion of the master key rotation and re-encryption of the database keystore, the mongod exits.

   b. Restart the stepped-down member without the --kmipRotateMasterKey option. Include any other options specific to your configuration, such as --bind_ip.

    mongod --enableEncryption --kmipServerName <KMIP Server HostName> \
      --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem

   If using a configuration file, remove the security.kmip.rotateMasterKey setting.
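The rolling master key rotation above, scripted in Python as an added example (this is not MongoDB's own tooling). rotation_order derives the member order the procedure requires (all secondaries, then the primary once it has been stepped down) from an rs.status() document; rotate_argv and restart_argv derive the two command lines for one member from its usual mongod command line, handling the --kmipKeyIdentifier cases the text describes; set_rotate_setting adds or removes security.kmip.rotateMasterKey in a YAML config file for members started that way. It assumes a rotation pass exits with status zero on success; the command lines, config text and member names are constructed, and dropping the key identifier on the restart after a KMIP-generated key is this script's choice, not a setting the page documents.

```python
"""Rolling KMIP master key rotation helpers for an encrypted replica set.

Added example, not MongoDB's own tooling. It assumes each member's usual
mongod command line (or YAML config) already carries the KMIP options, that
rs.status() has its documented 'members' / 'stateStr' shape, and that the
one-shot rotation pass exits with status 0 when the keystore has been
re-encrypted. All command lines and config text below are constructed."""
import re
import subprocess


def strip_option(argv, name, takes_value=True):
    """Remove name from argv in both '--opt value' and '--opt=value' forms;
    takes_value=False for bare flags such as --kmipRotateMasterKey."""
    out, skip = [], False
    for arg in argv:
        if skip:
            skip = False
        elif arg == name:
            skip = takes_value
        elif not arg.startswith(name + "="):
            out.append(arg)
    return out


def rotation_order(status):
    """Order in which members are rotated: every SECONDARY first, the single
    PRIMARY last (after rs.stepDown()). Members in any other state are
    returned separately so the operator can decide what to do with them."""
    by_state = {}
    for m in status["members"]:
        by_state.setdefault(m["stateStr"], []).append(m["name"])
    primaries = by_state.get("PRIMARY", [])
    if len(primaries) != 1:
        raise RuntimeError(f"expected exactly one PRIMARY, saw {primaries}")
    others = [n for s, names in by_state.items()
              if s not in ("PRIMARY", "SECONDARY") for n in names]
    return by_state.get("SECONDARY", []) + primaries, others


def rotate_argv(base_argv, new_key_identifier=None):
    """Command line for the one-shot rotation pass: adds --kmipRotateMasterKey
    and either points --kmipKeyIdentifier at the new key or drops it so the
    KMIP server is asked to create one."""
    argv = strip_option(base_argv, "--kmipRotateMasterKey", takes_value=False)
    argv = strip_option(argv, "--kmipKeyIdentifier")
    argv.append("--kmipRotateMasterKey")
    if new_key_identifier:
        argv += ["--kmipKeyIdentifier", new_key_identifier]
    return argv


def restart_argv(base_argv, new_key_identifier=None):
    """Command line for the normal restart afterwards: the rotate flag is
    gone and --kmipKeyIdentifier names the new key if you chose one. When the
    KMIP server generated the key, the identifier is dropped too (assumption:
    the rotation pass recorded the new key in the keystore)."""
    argv = strip_option(base_argv, "--kmipRotateMasterKey", takes_value=False)
    argv = strip_option(argv, "--kmipKeyIdentifier")
    if new_key_identifier:
        argv += ["--kmipKeyIdentifier", new_key_identifier]
    return argv


def set_rotate_setting(conf_text, enable):
    """Add or remove security.kmip.rotateMasterKey in a YAML mongod.conf.
    Deliberately line-based: it only inserts or drops the rotateMasterKey
    line directly under an existing 'kmip:' block."""
    lines = [ln for ln in conf_text.splitlines()
             if not re.match(r"^\s*rotateMasterKey:", ln)]
    if enable:
        for i, line in enumerate(lines):
            m = re.match(r"^(\s*)kmip:\s*$", line)
            if m:
                lines.insert(i + 1, m.group(1) + "  rotateMasterKey: true")
                break
        else:
            raise ValueError("config has no security.kmip block")
    return "\n".join(lines) + "\n"


def rotate_member(base_argv, new_key_identifier=None):
    """Rotate one member: run the rotation pass to completion (a non-zero exit
    means the keystore was not rotated and check=True raises), then start the
    member normally in the background. Stop the running mongod before calling
    this, wait for rs.status() to show SECONDARY before the next member, and
    run rs.stepDown() in mongosh before rotating the primary."""
    subprocess.run(rotate_argv(base_argv, new_key_identifier), check=True)
    return subprocess.Popen(restart_argv(base_argv, new_key_identifier))


if __name__ == "__main__":
    base = ["mongod", "--enableEncryption", "--kmipServerName", "kmip.example.internal",
            "--kmipServerCAFile", "ca.pem", "--kmipClientCertificateFile", "client.pem",
            "--kmipKeyIdentifier", "old-key-id"]  # constructed command line
    print(" ".join(rotate_argv(base)))
    print(" ".join(restart_argv(base)))
```

rotation_order raising on anything other than exactly one PRIMARY is deliberate: during an election there is no safe member to rotate, and after rs.stepDown() the script should re-read rs.status() rather than trust the order it computed earlier.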