Provide a way to rotate encryption keys

General

Escalation

General

Escalation

Description

When TDE is used, periodic rotation of encryption keys is an important feature. Key rotation can be a regulatory requirement whenever encryption is used. For example, MongoDB docs read:

Most regulatory requirements mandate that a managed key used to decrypt sensitive data must be rotated out and replaced with a new key once a year.

Since the operator provides TDE, it should also provide a way to rotate the encryption keys.

Environment

None

AFFECTED CS IDs

https://percona.service-now.com/sn_customerservice_case.do?sysparm_query=number=CS0022114

Linked work items

relates to

K8SPSMDB-587

Provide ability to use Vault for TDE

K8SPSMDB-287

Support hashicorp vault for PSMDB Operator

Smart Checklist

Activity

Show:

Sergey Kuzmichev November 4, 2021 at 8:03 AM

Since key file is currently used by the operator, the only way to rotate the key is to remove a node from the replica set, destroy the data directory, change the key, then add the node to the replica set. That clones all the existing data and will encrypt it with the new key. I have found no way to do that in the current operator implementation, save maybe for using the DR capabilities.

When Vault is used to store the master key for TDE, there's a simpler key rotation operation: https://docs.percona.com/percona-server-for-mongodb/4.4/vault.html#key-rotation

Resize issue view side panel

Details

Assignee

Unassigned

Reporter

Sergey Kuzmichev(Deactivated)

Affects versions

1.10.0

Priority

Medium

Smart Checklist

Created November 4, 2021 at 7:55 AM

Updated March 5, 2024 at 4:46 PM