Implement the `activateKeys` and `keyStatePollingSeconds` options in the `security.kmip` config section
Description
Environment
Smart Checklist
hideActivity

Konstantin Trushin April 22, 2024 at 8:00 PMEdited
The table below summaries how the feature is going to behave. The first tree columns list the version of Percona Server for MongoDB and the config parameters. The further columns list three situations in which the behavior depends on the version and config parameters.
Explicitly setting the activateKeys
parameters to false
completely disables the feature (line 1). When the feature is explicitly enabled (lines 2 and 3), Percona Server activates all new keys. On startup with an already encrypted data directory, it refuses to work with a non-active key. After any startup, a positive value of keyStatePollingSeconds
makes Percona Server for MongoDB to periodically (period equals to the value of keyStatePollingSeconds
) check the state of the key and shut down if the key goes to the non-active state. The polling can be disabled separately while preserving key activation and state check at startup by a negative value of keyStatePollingSeconds
(line 3).
The default values for activateKeys
and keyStatePollingSeconds
are true
and 900
respectively (lines 4 and 5).
At present, before the feature has been introduced, all the keys are in Pre-Active
state. So in order to avoid shutting down on startup after an minor version upgrade, already released major versions of Percona Server for MongoDB treat the Pre-Active
state tolerably (lines 6 and 7), when configured by default. They log a warning and continue the starting up. As a result, an operation team is made aware of the necessity to active keys and given time to activate the existing keys or rotate to the new (activated) ones. It is only since upgrade to 8.0 when the stricter behavior on a non-active key is enforced.
Table 1. What Percona Server for MongoDB does when…
version | activeKeys | keyStatePollingSeconds | it registers a new master encryption key on a KMIP server during the first server start or master key rotation | it reads exiting key at subsequent restart and that key is not active | key transitions from active to a non-active state at some time point after server start, no matter be it the first or subsequent start | |
---|---|---|---|---|---|---|
1 | any | false | any | doesn’t active the key | continues working as usual | continues working as usual |
2 | any | true | > 0 | activates the key | logs the error and shuts down | logs the error and shuts sown |
3 | any | true | <=0 | activates the key | logs the error and shuts down | continues working as usual |
4 | >= 8.0 | not specified | not specified or > 0 | activates the key | logs the error and shuts down | logs the error and shuts sown |
5 | >= 8.0 | not specified | <= 0 | activates the key | logs the error and shuts down | continues working as usual |
6 | < 8.0 | not specified | not specified or > 0 | activates the key | If the state is | logs the error and shuts down |
7 | < 8.0 | not specified | <= 0 | activates the key | If the state is | continues working as usual |

Konstantin Trushin April 18, 2024 at 5:25 PMEdited
Let me add more context.
This couple of options implements key activation and state polling, meaning that each new key created on a KMIP server is transitioned to the Active state. Then, its state is periodically polled to check whether the key is still active. If this not the case, the mongod
terminates itself with an error in log.
Key activation and state polling make recovery from a compromised master encryption key easier and quicker. Consider a database cluster with several hundred nodes. Each node has its own master encryption key. If one of them gets compromised, we must rotate it as soon as possible, but how do we discover which node it belong to? Without key state polling we will need to rotate master encryption keys on the whole cluster, which is tedious and time consuming task. On the contrary, if key state polling enabled, a security engineer just need to put the compromised key in any state other than Active on a KMIP server, and the affected mongod
instance will detect that no later than in a configurable polling interval and stop the process. One only needs to rotate the master encryption key on that particular node.
In version 8.0, the feature is going to be enabled by default (as it is done in the upstream), but earlier created master encryption keys are in Per-Active state on the KMIP server. That means that one needs to manually transition all the master encryption keys to the Active state before upgrading to version 8.0. Alternatively, they can do master key rotation on each node just after installing version 8.0, but before running it. Rotation will create and activate new master encryption key.
Details
Details
Assignee

Reporter

Needs QA
Needs Doc
Smart Checklist Progress
Sprint
Priority
Smart Checklist
Open Smart Checklist
Smart Checklist

The value of this is to achieve a faster recovery from a compromised key. As it would be required to identify the key on a particular node to do so. Without such knowledge all keys would need to be rotated impacting recovery from compromised key a lot.