Status Completed
Created by Guest
Created on Aug 20, 2020

CSFLE - Integration with more KMS providers like Hashicorp Vault

Automatic CSFLE - To generate and manage the Customer Master Key, can we add more KMS providers like Hashicorp Vault? KMS providers currently supported are only: Amazon Web Services KMS and Locally Managed Keyfile. To work with Hashicorp Vault, it seems, we need to choose Locally Managed Keyfile as the KMS provider. This means that the master key will be fetched from Vault into memory and then used in the code to encrypt/decrypt the DEK (Data Encryption Key). Ideally, the decryption of the DEK should happen in the vault itself as a best practice, and the master key should not be brought out of Vault. Using only AWS KMS is a limitation. Using Locally Managed Keyfile to read the key from another KMS and then use it in the application is not secure. Can more KMS providers be supported in a more secure way? Thanks.
  • ADMIN RESPONSE
    Oct 18, 2025
    Hello all! Thank you for this feature request. MongoDB now supports Hashicorp Vault as a key management service via their KMIP secrets engine. This work was completed as part of https://jira.mongodb.org/browse/DRIVERS-1353 and is documented here: https://www.mongodb.com/docs/manual/core/csfle/tutorials/kmip/kmip-automatic/#std-label-csfle-tutorial-automatic-kmip
  • Guest
    Aug 7, 2023
    As per the documentation, this still fetches the CMK from vault. Hence, the security risk still exists. Could you please add support for HashiCorp vault so that the DEK encryption/decryption happens inside the vault? Thanks
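The two configurations the thread contrasts, as an added example that is not part of the feedback thread, the admin response, or MongoDB's own documentation: the "local" provider, where the application must hold the raw 96-byte CMK (for instance after reading it from Vault's KV engine) and the driver unwraps DEKs in process, versus the "kmip" provider, where the driver is given only an endpoint plus a client certificate and the KMS performs the wrap/unwrap so the CMK never leaves it. The endpoint, file paths, key vault namespace and Mongo URI are placeholders; `create_kmip_data_key` assumes pymongo 4.x with its encryption dependencies, a reachable mongod and a Vault KMIP listener, and imports pymongo lazily so the pure helpers run without it.

```python
"""Local-key vs KMIP provider settings for MongoDB CSFLE (added example)."""
import os

# Assumed key vault collection; any namespace works as long as client and
# ClientEncryption agree on it.
KEY_VAULT_NAMESPACE = "encryption.__keyVault"


def local_kms_providers(master_key: bytes) -> dict:
    """The configuration the request calls insecure: the driver receives the
    raw CMK, so whoever can read this process's memory can unwrap every DEK."""
    if len(master_key) != 96:
        raise ValueError("local CMK must be exactly 96 bytes")
    return {"local": {"key": master_key}}


def kmip_kms_providers(endpoint: str) -> dict:
    """The KMIP configuration: only a network endpoint is handed to the driver.
    Vault keeps the CMK and performs DEK encrypt/decrypt on the driver's behalf."""
    if ":" not in endpoint:
        raise ValueError("endpoint must be host:port, e.g. vault.internal:5696")
    return {"kmip": {"endpoint": endpoint}}


def kmip_tls_options(ca_file: str, cert_key_file: str) -> dict:
    """Mutual TLS material for the KMIP connection. The client certificate is
    issued by Vault's KMIP secrets engine; it authorises DEK wrap/unwrap calls
    but is not key material itself."""
    return {"kmip": {"tlsCAFile": ca_file, "tlsCertificateKeyFile": cert_key_file}}


def master_key_in_process(kms_providers: dict) -> bool:
    """Review check: does this configuration put raw CMK bytes in the app?"""
    return any(
        name == "local" and "key" in cfg for name, cfg in kms_providers.items()
    )


def create_kmip_data_key(mongo_uri: str, endpoint: str, ca_file: str, cert_key_file: str) -> bytes:
    """Create one DEK whose wrapping happens inside Vault. The application never
    sees the CMK; it only receives the already-wrapped DEK document's UUID."""
    from bson.binary import STANDARD
    from bson.codec_options import CodecOptions
    from pymongo import MongoClient
    from pymongo.encryption import ClientEncryption

    client = MongoClient(mongo_uri)
    client_encryption = ClientEncryption(
        kms_providers=kmip_kms_providers(endpoint),
        key_vault_namespace=KEY_VAULT_NAMESPACE,
        key_vault_client=client,
        codec_options=CodecOptions(uuid_representation=STANDARD),
        kms_tls_options=kmip_tls_options(ca_file, cert_key_file),
    )
    # An empty masterKey asks the KMIP server to create a new managed object
    # for this DEK (assumption: matches the driver's documented behaviour).
    data_key_id = client_encryption.create_data_key("kmip", master_key={})
    client_encryption.close()
    return data_key_id


if __name__ == "__main__":
    # Placeholder values; the local key is constructed here for illustration only.
    weak = local_kms_providers(os.urandom(96))
    strong = kmip_kms_providers("vault.example.internal:5696")
    print("local provider holds CMK in process:", master_key_in_process(weak))   # True
    print("kmip provider holds CMK in process: ", master_key_in_process(strong))  # False
```

`master_key_in_process` is the check to run over an application's encryption settings during review: a `local` entry with a `key` field is exactly the pattern the original request objects to, regardless of where the bytes were fetched from.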