
Using the Key Management Interoperability Protocol (KMIP)

This feature is technical preview quality.

Percona Server for MongoDB adds support for the secure transfer of keys using the OASIS Key Management Interoperability Protocol (KMIP). The KMIP implementation was tested with the PyKMIP server and the HashiCorp Vault Enterprise KMIP Secrets Engine.

KMIP enables communication between a key management system and the database server. KMIP provides the following benefits:

  • Streamlines encryption key management

  • Eliminates redundant key management processes

KMIP parameters

| Option | Type | Description |
|---|---|---|
| --kmipServerName | string | The hostname or IP address of the KMIP server. |
| --kmipPort | number | The port used to communicate with the KMIP server. |
| --kmipServerCAFile | string | The path to the CA certificate file. The CA file is used to validate the secure client connection to the KMIP server. |
| --kmipClientCertificateFile | string | The path to the client certificate file. The database server uses the client certificate file for authentication with the KMIP server. |
| --kmipClientKeyFile | string | The path to the KMIP client private key. |
| --kmipKeyIdentifier | string | Mandatory. The name of the KMIP key. If the key does not exist, the database server creates a key on the KMIP server with the specified identifier. |
| --kmipRotateMasterKey | boolean | Controls master key rotation. When enabled, generates a new master key version and re-encrypts the keystore. Available as of version 5.0.8-7. Requires a unique --kmipKeyIdentifier for every mongod node. |

Key rotation

Starting with release 5.0.8-7, master key rotation is supported. This enables users to comply with data security regulations when using KMIP.

Note

To perform KMIP master key rotation, make sure that every mongod has a unique --kmipKeyIdentifier value.

Configuration

Considerations

Make sure you have obtained the root certificate and the key pairs for the KMIP server and the mongod client. For testing purposes you can use OpenSSL to issue self-signed certificates. For production use we recommend valid certificates issued by the key management appliance.

To enable data-at-rest encryption in Percona Server for MongoDB using KMIP, edit the /etc/mongod.conf configuration file as follows:

security:
  enableEncryption: true
  kmip:
    serverName: <kmip_server_name>
    port: <kmip_port>
    clientCertificateFile: </path/client_certificate.pem>
    clientKeyFile: </path/client_key.pem>
    serverCAFile: </path/ca.pem>
    keyIdentifier: <key_name>

Alternatively, you can start Percona Server for MongoDB using the command line as follows:

$ mongod --enableEncryption \
  --kmipServerName <kmip_servername> \
  --kmipPort <kmip_port> \
  --kmipServerCAFile <path_to_ca_file> \
  --kmipClientCertificateFile <path_to_client_certificate> \
  --kmipClientKeyFile <path_to_client_private_key> \
  --kmipKeyIdentifier <kmip_identifier>
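Before pointing serverCAFile, clientCertificateFile and clientKeyFile at the files prepared under Considerations, it helps to check that they actually fit together, since a mismatched key or an untrusted client certificate only surfaces as a failed KMIP handshake at mongod startup. The following pre-flight check is an added example, not Percona's own tooling; it assumes the three PEM files exist locally and that the openssl CLI is installed.

```shell
#!/bin/sh
# kmip_preflight CA_FILE CLIENT_CERT CLIENT_KEY
# Verifies the TLS material the mongod KMIP client will present:
#   1. the client certificate chains to the CA mongod will trust (serverCAFile)
#   2. the private key belongs to the client certificate
#   3. the key file is not group/world readable (warning only)
# Returns 0 on success; prints the first failing check and returns 1 otherwise.
kmip_preflight() {
  ca="$1"; cert="$2"; key="$3"
  for f in "$ca" "$cert" "$key"; do
    [ -r "$f" ] || { echo "unreadable: $f"; return 1; }
  done

  # 1. Chain check against the CA file that will be configured as serverCAFile.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "client certificate does not chain to $ca"; return 1; }

  # 2. Key/certificate match: both must carry the same public key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match client certificate"; return 1
  fi

  # 3. mongod runs as a service user; the key should be mode 600 or 400.
  perms=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key" 2>/dev/null)
  case "$perms" in
    *00) ;;
    *) echo "warning: $key has mode $perms, expected 600 or 400" ;;
  esac
  return 0
}

# Usage: kmip_preflight /path/ca.pem /path/client_certificate.pem /path/client_key.pem
```

Run it as the user that will start mongod so the readability checks reflect the real service context.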