CSFLE - Support native key rotation with Azure Key Vault
Hello MongoDB Product Manager,
We use the CSFLE functionality with Azure Key Vault as a key manager and everything works fine except the management of the master key (CMK) and its rotation.
All because it is not possible to use Azure Key Vault's native key rotation functionality to perform our rotations on a regular basis.
The ability to use this functionality would allow us to automate rotation at the master key level using native Azure Key Vault functionality. The "Rotation policy" feature allows us to automatically manage the rotation process of a key (notification, rotation, deactivation, etc.). Using this feature greatly simplifies the process and allows us to meet our organization's security requirements.
See: https://learn.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation
The only thing missing from the MongoDB libraries to handle this properly is to be able to handle the version of the key or allow us to force the full URL including the version of the key and keep that version number in the encryption keys collection (Keyvault collection).
See attached document for more details.
Can you promote this adjustment in your next service improvement activities?
Thank you for your commitment to your customers.

Geoffrey commented
Hello MongoDB. It is not too late to commit this feature for availability in the next version of your drivers. We would be very happy to try it soon. :-)