Changing the encryption method of a replica set

Hi,

We have a large replicaset that is currently encrypted with a keyfile. We have introduced a KMIP solution and have successfully encrypted a number of internal replicasets. However, I am unable to push this change through Ops Manager. I receive this error.

[initandlisten] Unable to retrieve key .system, error: KMIP get key ‘local’ failed, code: 1 error: Object with unique identifier ‘local’ not found.

Is it possible to remove the encryptionKeyFile option and add in the KMIP encryption options in one change? Note, I am making MongoDB generate the keys rather than use a key identifier at this point, so the 4 new options added are kmipServerName, kmipPort, kmipServerCAFile, kmipClientCertificateFile.

My assumption here is that ‘local’ in the error log is referring to the original keyfile I had in place.

Maybe it’s a case of having to do this in two steps? 1) Remove the encryptionKeyFile & set enableEncryption to False and allow this to perform an initial sync (PSA) and step 2) Add in kmip encryption as I have done per other replicasets?

Thoughts,
Clive
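For readers comparing the two setups, the mongod configurations being switched between look like the following. This is an added illustration, not part of Clive's post or of MongoDB's own documentation; the hostnames, ports and file paths are placeholders, and the `security.kmip.*` keys are assumed to be the config-file counterparts of the four Ops Manager fields named above.

```yaml
# Before: encryption at rest with a local keyfile (the "keyfile" setup).
# The master key lives in a file on the host, so whoever can read that file
# and the dbpath can decrypt the data.
security:
  enableEncryption: true
  encryptionKeyFile: /etc/mongod/encryption-keyfile   # placeholder path

# After: encryption at rest with the master key held by a KMIP server.
# No keyIdentifier is given, so mongod asks the KMIP server to create a new
# master key on first start; that key cannot decrypt files written under the
# old keyfile, which is why each member's dbpath has to be emptied and resynced.
security:
  enableEncryption: true
  kmip:
    serverName: kmip.example.internal        # placeholder hostname
    port: 5696                               # placeholder port
    serverCAFile: /etc/mongod/kmip-ca.pem    # placeholder path
    clientCertificateFile: /etc/mongod/kmip-client.pem  # placeholder path
```

Only one of the two `security` blocks can be present in a single config file; they are shown together here purely to put the keyfile and KMIP settings side by side.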

As an Ops Manager customer this is definitely something our dedicated support team can help you with. I would raise a ticket with them directly.

Hi Joe,

I have a ticket open with Support. Brian has been assisting me with this. As this happened on Saturday, I updated the ticket and thought I’d drop a question in here in case I could get this moving during the weekend!

Regards,
Clive


An update on this issue should anyone else have problems. The issue seems to be related to the fact that Ops Manager cannot effectively clear down the dbpath and gets somewhat confused by the keyfile encryption that is in place.

Initially, the MongoDB support team suggested that once I updated the replicaset to add in the kmip server, I would have to suspend the arbiter and clear down the dbpath manually, but the data nodes should be fine. This was not the case. To encrypt the data, I had to perform the stop, cleardown, start on all 3 members.

Hope that helps!
Clive
