.. _kmip:

Using the Key Management Interoperability Protocol (KMIP)
============================================================

This feature is **technical preview** quality.

|PSMDB| adds support for the secure transfer of keys using the `OASIS Key Management Interoperability Protocol (KMIP) `__. The KMIP implementation was tested with the `PyKMIP server `__ and the `HashiCorp Vault Enterprise KMIP Secrets Engine `__.

KMIP enables communication between a key management system and the database server. KMIP provides the following benefits:

* Streamlines encryption key management
* Eliminates redundant key management processes

Starting with version 5.0.9-8, you can specify multiple KMIP servers for failover. On startup, |PSMDB| connects to the servers in the order listed and selects the first one with which the connection succeeds.

.. admonition:: KMIP parameters

   .. list-table::
      :widths: auto
      :header-rows: 1

      * - Option
        - Type
        - Description
      * - --kmipServerName
        - string
        - The hostname or IP address of the KMIP server. As of version 5.0.9-8, multiple KMIP servers are supported as a comma-separated list, e.g. ``kmip1.example.com,kmip2.example.com``
      * - --kmipPort
        - number
        - The port used to communicate with the KMIP server. When undefined, the default port ``5696`` is used.
      * - --kmipServerCAFile
        - string
        - The path to the TLS certificate file. The CA file is used to validate the secure client connection to the KMIP server.
      * - --kmipClientCertificateFile
        - string
        - The path to the PEM file with the KMIP client private key and the certificate chain. The database server uses this PEM file to authenticate with the KMIP server.
      * - --kmipKeyIdentifier
        - string
        - Mandatory. The name of the KMIP key. If the key does not exist, the database server creates a key on the KMIP server with the specified identifier.
      * - --kmipRotateMasterKey
        - boolean
        - Controls master key rotation. When enabled, generates a new master key version and re-encrypts the keystore.

          Available as of version 5.0.8-7. Requires a unique ``--kmipKeyIdentifier`` for every ``mongod`` node.
      * - --kmipClientCertificatePassword
        - string
        - The password for the KMIP client private key or certificate. Use this parameter only if the KMIP client private key or certificate is encrypted. Available starting with version 5.0.9-8.

Key rotation
================

Starting with release 5.0.8-7, support for `master key rotation `_ is added. This enables users to comply with data security regulations when using KMIP.

.. note::

   To rotate the KMIP master key, make sure that every ``mongod`` has a unique ``--kmipKeyIdentifier`` value.

Configuration
=============

.. rubric:: Considerations

Make sure you have obtained the root certificate and the key pairs for the KMIP server and the ``mongod`` client. For testing purposes you can use `OpenSSL `_ to issue self-signed certificates. For production use we recommend valid certificates issued by the key management appliance.

To enable data-at-rest encryption in |PSMDB| using KMIP, edit the ``/etc/mongod.conf`` configuration file as follows:

.. code-block:: yaml

   security:
     enableEncryption: true
     kmip:
       serverName: <kmip_server_name>
       port: <kmip_port>
       clientCertificateFile: <path_to_client_certificate_pem>
       clientKeyFile: <path_to_client_key_pem>
       serverCAFile: <path_to_ca_certificate>
       keyIdentifier: <kmip_key_identifier>

Alternatively, you can start |PSMDB| using the command line as follows:

.. code-block:: bash

   $ mongod --enableEncryption \
       --kmipServerName <kmip_server_name> \
       --kmipPort <kmip_port> \
       --kmipServerCAFile <path_to_ca_certificate> \
       --kmipClientCertificateFile <path_to_client_certificate_pem> \
       --kmipClientKeyFile <path_to_client_key_pem> \
       --kmipKeyIdentifier <kmip_key_identifier>
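The following Python pre-flight check is an added example, not part of Percona's documentation or of |PSMDB| itself. It applies the rules stated above before ``mongod`` is started: the comma-separated ``--kmipServerName`` list is tried in the listed order, ``--kmipPort`` defaults to ``5696``, the CA file validates the server while the client PEM (key plus certificate chain) authenticates the client, and an encrypted client key needs ``--kmipClientCertificatePassword``. The ``SAMPLE_CLIENT_PEM`` value and the ``kmip1.example.com``/``kmip2.example.com`` hostnames are constructed assumptions.

```python
"""Pre-flight checks for a PSMDB KMIP configuration (added example, not Percona code): a
comma-separated server list tried in order, the 5696 default port, and a client PEM check."""
import socket
import ssl

KMIP_DEFAULT_PORT = 5696

# Constructed sample with the shape of a --kmipClientCertificateFile (not a real key or cert).
SAMPLE_CLIENT_PEM = ("-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n"
                     "-----BEGIN CERTIFICATE-----\nMIID...constructed...\n-----END CERTIFICATE-----\n")


def parse_server_list(server_name, port=None):
    """Split --kmipServerName into ordered (host, port) pairs; --kmipPort defaults to 5696."""
    hosts = [h.strip() for h in server_name.split(",") if h.strip()]
    if not hosts:
        raise ValueError("--kmipServerName must list at least one host")
    port = KMIP_DEFAULT_PORT if port is None else int(port)
    return [(h, port) for h in hosts]


def check_client_pem(pem_text):
    """Report what the client PEM holds: mutual TLS needs both the private key and the chain,
    and an encrypted key (PKCS#8 or legacy PEM) also needs --kmipClientCertificatePassword."""
    return {"private_key": "PRIVATE KEY-----" in pem_text,
            "certificate": "-----BEGIN CERTIFICATE-----" in pem_text,
            "encrypted": "ENCRYPTED PRIVATE KEY" in pem_text or "Proc-Type: 4,ENCRYPTED" in pem_text}


def build_client_context(ca_file, client_pem, password=None):
    """TLS context for mongod's side: the CA file validates the server, the PEM authenticates mongod."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=client_pem, password=password)
    return ctx


def tls_connect(host, port, ctx, timeout=5.0):
    """Default connector: TCP connect, then a full TLS handshake with hostname verification."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert().get("subject")


def first_reachable_server(servers, ctx, connect=tls_connect):
    """Apply the failover rule: try servers in listed order and keep the first that connects."""
    failures = []
    for host, port in servers:
        try:
            connect(host, port, ctx)
            return (host, port), failures
        except OSError as exc:  # ssl.SSLError is an OSError subclass
            failures.append((host, port, str(exc)))
    return None, failures
```

Against a live key management appliance, pass ``build_client_context(ca_file, client_pem)`` as ``ctx`` so the handshake enforces both the CA validation and client authentication that ``mongod`` will perform.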