CSFLE - Support native key rotation with Azure Key Vault
Hello MongoDB Product Manager,
We use the CSFLE functionality with Azure Key Vault as a key manager and everything works fine except the management of the master key (CMK) and its rotation.
This is because it is not possible to use Azure Key Vault's native key rotation functionality to perform our rotations on a regular basis.
The ability to use this functionality would allow us to automate rotation at the master key level using native Azure Key Vault functionality. The "Rotation policy" feature allows us to automatically manage the rotation process of a key (notification, rotation, deactivation, etc.). Using this feature greatly simplifies the process and allows us to meet our organization's security requirements.
See: https://learn.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation
The only thing missing from the MongoDB libraries to handle this properly is the ability to handle the version of the key, or to allow us to force the full URL including the version of the key and keep that version number in the encryption keys collection (key vault collection).
See attached document for more details.
Can you promote this adjustment in your next service improvement activities?
Thank you for your commitment to your customers.
-
Cynthia (Admin, MongoDB) commented
Hello Geoffrey,
You should be able to use the native key rotation functionality in Azure if you set the key version when you specify the CMK in your setup. If you specify a versionless key identifier you will encounter problems with key rotation.
Azure KeyVault doesn't work like AWS KMS or GCP Cloud KMS, where the KMS can identify which version of a key was used for encryption and use the same version for decryption. Instead Azure Key Vault will always use the latest key version for either encryption or decryption if a versionless key identifier is used.
Please note that if you do want to re-encrypt all of the existing DEKs with the new CMK, you will need to do a key rotation; the procedure is described in our docs here - https://www.mongodb.com/docs/manual/core/queryable-encryption/fundamentals/manage-keys/
Thank you,
Cynthia
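The practical consequence of the reply above is that every Azure master key reference stored in the key vault collection should carry a `keyVersion`. The following is an added example (not code from MongoDB or from either participant in this thread): it turns a versioned Azure Key Vault key identifier URL into the `masterKey` document shape the drivers accept for the `azure` provider (`keyVaultEndpoint`, `keyName`, `keyVersion`), refuses versionless identifiers, and audits a set of DEK documents for entries that were created without a version. The `azure_master_key`, `is_versioned_key_id` and `find_versionless_azure_deks` helper names and the sample DEK documents are invented for this example; the field names follow the MongoDB client-side encryption documentation.

```python
from urllib.parse import urlparse

# Azure Key Vault key identifiers look like
#   https://<vault>.vault.azure.net/keys/<key-name>/<key-version>
# The last path segment is optional; when it is absent Azure resolves the
# identifier to the current key version on every wrap/unwrap call, which is
# exactly the behaviour that breaks DEK decryption after a rotation.


def azure_master_key(key_id: str) -> dict:
    """Build the masterKey document for the "azure" KMS provider from a
    versioned Key Vault key identifier URL (hypothetical helper).

    Returns {"keyVaultEndpoint", "keyName", "keyVersion"} as expected by the
    drivers' createDataKey / rewrapManyDataKey calls; raises ValueError for
    anything that is not a versioned Key Vault key identifier.
    """
    u = urlparse(key_id)
    if u.scheme != "https" or not u.netloc:
        raise ValueError(f"not an https Key Vault URL: {key_id!r}")
    parts = [p for p in u.path.split("/") if p]
    if len(parts) < 2 or parts[0] != "keys":
        raise ValueError(f"not a Key Vault key identifier: {key_id!r}")
    if len(parts) == 2:
        # "/keys/<name>" with no version: reject, do not silently pin "latest".
        raise ValueError(f"versionless key identifier rejected: {key_id!r}")
    key_name, key_version = parts[1], parts[2]
    if not key_version.isalnum():
        raise ValueError(f"unexpected key version segment: {key_version!r}")
    return {
        "keyVaultEndpoint": u.netloc,  # host only, no scheme, per the driver spec
        "keyName": key_name,
        "keyVersion": key_version,
    }


def is_versioned_key_id(key_id: str) -> bool:
    """True only if the identifier can be turned into a versioned masterKey."""
    try:
        azure_master_key(key_id)
        return True
    except ValueError:
        return False


def find_versionless_azure_deks(key_vault_docs: list) -> list:
    """Return the _id of every DEK document whose Azure masterKey lacks a
    keyVersion, i.e. every DEK that will stop decrypting once the CMK rotates.
    Non-Azure DEKs are ignored; AWS and GCP track key versions themselves."""
    flagged = []
    for doc in key_vault_docs:
        mk = doc.get("masterKey", {})
        if mk.get("provider") == "azure" and not mk.get("keyVersion"):
            flagged.append(doc["_id"])
    return flagged


# Constructed sample of DEK documents as they would appear in the key vault
# collection (only the fields relevant to this check; real documents also
# carry the wrapped keyMaterial, status and timestamps).
SAMPLE_KEY_VAULT_DOCS = [
    {
        "_id": "dek-versioned",
        "keyAltNames": ["customers"],
        "masterKey": {
            "provider": "azure",
            "keyVaultEndpoint": "kv-example.vault.azure.net",
            "keyName": "mongo-cmk",
            "keyVersion": "0123456789abcdef0123456789abcdef",
        },
    },
    {
        "_id": "dek-legacy",
        "keyAltNames": ["orders"],
        "masterKey": {
            "provider": "azure",
            "keyVaultEndpoint": "kv-example.vault.azure.net",
            "keyName": "mongo-cmk",
        },
    },
    {
        "_id": "dek-aws",
        "keyAltNames": ["invoices"],
        "masterKey": {"provider": "aws", "region": "eu-west-1", "key": "arn:aws:kms:..."},
    },
]


if __name__ == "__main__":
    print(azure_master_key(
        "https://kv-example.vault.azure.net/keys/mongo-cmk/0123456789abcdef0123456789abcdef"))
    print("versionless DEKs:", find_versionless_azure_deks(SAMPLE_KEY_VAULT_DOCS))
```

The dict returned by `azure_master_key` is what you pass as the Azure `master_key` when creating a DEK, and, after an Azure rotation policy has produced a new version, as the target `master_key` of the drivers' rewrap-many-data-keys operation described in the linked docs; any `_id` reported by `find_versionless_azure_deks` should be rewrapped to a versioned identifier before the next rotation fires.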
-
Geoffrey commented
Hello MongoDB. It is not too late to commit this feature for availability in the next version of your drivers. We would be very happy to try it soon. :-)