Skip to content
This documentation is for the end of life version of Percona Server for MongoDB 4.2 which is no longer supported.
Learn more about MongoDB 4.2 end of life implications. See the current documentation.
logo
Percona Server for MongoDB 4.2
Using the Key Management Interoperability Protocol (KMIP)
Initializing search
    percona/psmdb-docs
    percona/psmdb-docs
    • Home
    • Percona Server for MongoDB feature comparison
      • Overview
      • Install Percona Server for MongoDB on Debian and Ubuntu
      • Install Percona Server for MongoDB on Red Hat Enterprise Linux and derivatives
      • Install Percona Server for MongoDB from binary tarball
      • Run Percona Server for MongoDB in a Docker container
        • Percona Memory Engine
        • Hot Backup
        • $backupCursor and $backupCursorExtend aggregation stages
        • Authentication
        • Enable authentication
        • Set up LDAP authentication with SASL
        • Set up x.509 authentication and LDAP authorization
        • Setting up Kerberos authentication
        • LDAP authorization
        • Set up LDAP authentication and authorization using NativeLDAP
        • Data at rest encryption
        • HashiCorp Vault integration
        • Using the Key Management Interoperability Protocol (KMIP)
          • KMIP parameters
          • Key rotation
        • Local key management using a keyfile
        • Migrate from key file encryption to HashiCorp Vault encryption
      • Auditing
      • Profiling rate limit
      • Log redaction
      • Additional text search algorithm - ngram
      • Tune parameters
        • Upgrade from 4.0 to 4.2
        • Upgrade Percona Server for MongoDB
      • Uninstall Percona Server for MongoDB
      • Release notes index
      • Percona Server for MongoDB 4.2.24-24 (2023-03-09)
      • Percona Server for MongoDB 4.2.23-23 (2022-11-08)
      • Percona Server for MongoDB 4.2.22-22 (2022-09-06)
      • Percona Server for MongoDB 4.2.21-21 (2022-06-29)
      • Percona Server for MongoDB 4.2.20-20 (2022-05-23)
      • Percona Server for MongoDB 4.2.19-19 (2022-03-29)
      • Percona Server for MongoDB 4.2.18-18 (2022-01-19)
      • Percona Server for MongoDB 4.2.17-17 (2021-10-11)
      • Percona Server for MongoDB 4.2.15-16 (2021-07-26)
      • Percona Server for MongoDB 4.2.14-15 (2021-05-13)
      • Percona Server for MongoDB 4.2.13-14 (2021-04-01)
      • Percona Server for MongoDB 4.2.12-13 (2021-02-03)
      • Percona Server for MongoDB 4.2.11-12 (2020-12-07)
      • Percona Server for MongoDB 4.2.10-11 (2020-11-02)
      • Percona Server for MongoDB 4.2.9-10 (2020-10-09)
      • Percona Server for MongoDB 4.2.9-9 (2020-09-03)
      • Percona Server for MongoDB 4.2.8-8 (2020-07-07)
      • Percona Server for MongoDB 4.2.7-7 (2020-06-04)
      • Percona Server for MongoDB 4.2.6-6 (2020-05-07)
      • Percona Server for MongoDB 4.2.5-5 (2020-04-02)
      • Percona Server for MongoDB 4.2.3-4 (2020-02-20)
      • Percona Server for MongoDB 4.2.2-3 (2019-12-24)
      • Percona Server for MongoDB 4.2.1-1 (2019-11-13)
      • Percona Server for MongoDB 4.2.0-1 (2019-09-09)
    • Glossary
      • Copyright and Licensing Information
      • Trademark Policy

    • KMIP parameters
    • Key rotation

    Using the Key Management Interoperability Protocol (KMIP)¶

    Percona Server for MongoDB adds support for secure transfer of keys using the OASIS Key Management Interoperability Protocol (KMIP). The KMIP implementation was tested with the PyKMIP server and the HashiCorp Vault Enterprise KMIP Secrets Engine.

    KMIP enables the communication between key management systems and the database server. KMIP provides the following benefits:

    • Streamlines encryption key management
    • Eliminates redundant key management processes

    Starting with version 4.2.21-21, you can specify multiple KMIP servers for failover. On startup, Percona Server for MongoDB connects to the servers in the order listed and selects the one with which the connection is successful.

    Starting with version 4.2.22-22, the kmipKeyIdentifier option is no longer mandatory. When left blank, the database server creates a key on the KMIP server and uses that for encryption. When you specify the identifier, the key with such an ID must exist on the key storage.

    KMIP parameters¶

    Command line Configuration file Type Description
    kmipServerName security.kmip.
    serverName    		 string The hostname or IP address of the KMIP server. As of version 4.2.21-21, multiple KMIP servers are supported as the comma-separated list, e.g. kmip1.example.com,kmip2.example.com
    kmipPort security.kmip.port number The port used to communicate with the KMIP server. When undefined, the default port 5696 will be used
    kmipServerCAFile security.kmip.
    serverCAFile    		 string The path to the certificate of the root authority that issued the certificate for the KMIP server. Required only if the root certificate is not trusted by default on the machine the database server works on.
    kmipClientCertificateFile security.kmip.
    clientCertificateFile    		 string The path to the PEM file with the KMIP client private key and the certificate chain. The database server uses this PEM file to authenticate the KMIP server
    kmipKeyIdentifier security.kmip.
    keyIdentifier    		 string Optional starting with version 4.2.22-22. The identifier of the KMIP key. If not specified, the database server creates a key on the KMIP server and saves its identifier internally for future use. When you specify the identifier, the key with such an ID must exist on the key storage. You can only use this setting for the first time you enable encryption
    kmipRotateMasterKey security.kmip.
    rotateMasterKey    		 boolean Controls master keys rotation. When enabled, generates the new master key version and re-encrypts the keystore. Available as of version 4.2.20-20. Requires the unique --kmipKeyIdentifier for every mongod node
    kmipClientCertificatePassword security.kmip.
    clientCertificatePassword    		 string The password for the KMIP client private key or certificate. Use this parameter only if the KMIP client private key or certificate is encrypted. Available starting with version 4.2.21-21.

    Key rotation¶

    Starting with version 4.2.20-20, the support for master key rotation is added. This enables users to comply with data security regulations when using KMIP.

    Configuration¶

    Considerations¶

    Make sure you have obtained the root certificate, and the keypair for the KMIP server and the mongod client. For testing purposes you can use the OpenSSL to issue self-signed certificates. For production use we recommend you use the valid certificates issued by the key management appliance.

    To enable data-at-rest encryption in Percona Server for MongoDB using KMIP, edit the /etc/mongod.conf configuration file as follows:

    security:
  enableEncryption: true
  kmip:
    serverName: <kmip_server_name>
    port: <kmip_port>
    clientCertificateFile: </path/client_certificate.pem>
    serverCAFile: </path/ca.pem>
    keyIdentifier: <key_name>

    Alternatively, you can start Percona Server for MongoDB using the command line as follows:

    $ mongod --enableEncryption \
  --kmipServerName <kmip_servername> \
  --kmipPort <kmip_port> \
  --kmipServerCAFile <path_to_ca_file> \
  --kmipClientCertificateFile <path_to_client_certificate> \
  --kmipKeyIdentifier <kmip_identifier>

    Minor upgrade of Percona Server for MongoDB from 4.2.21-21 and earlier to version 4.2.22-22 and higher¶

    With the kmipKeyIdentifier option becoming optional in version 4.2.22-22, the standard upgrade procedure doesn’t work if you are upgrading from version 4.2.21-21 and earlier.

    For Percona Server for MongoDB 4.2.23 and higher, follow the standard upgrade procedure.

    This section provides upgrade instructions from Percona Server for MongoDB 4.2.21-21 or lower to Percona Server for MongoDB to version 4.2.22-22 and higher.

    For a single-node deployment, use the mongodump / mongorestore tools to make a backup before the update and to restore from it after binaries are updated.

    For replica sets, data must be re-encrypted with the new key during the upgrade. Go through the encrypting existing data steps but perform the minor upgrade between steps 1 and 2 to replace the mongod binary.

    Contact Us

    For free technical help, visit the Percona Community Forum.

    To report bugs or submit feature requests, open a JIRA ticket.

    For paid support and managed or consulting services , contact Percona Sales.

    Last update: May 24, 2023
    Created: December 8, 2022
    Back to top
    Previous HashiCorp Vault integration
    Next Local key management using a keyfile
    Percona LLC and/or its affiliates, © 2023
    Made with Material for MkDocs

    Cookie consent

    We use cookies to recognize your repeated visits and preferences, as well as to measure the effectiveness of our documentation and whether users find what they're searching for. With your consent, you're helping us to make our documentation better. Read more about Percona Cookie Policy.