We have a large replica set that is currently encrypted with a keyfile. We have introduced a KMIP solution and have successfully encrypted a number of internal replica sets. However, I am unable to push this change through Ops Manager. I receive this error:
[initandlisten] Unable to retrieve key .system, error: KMIP get key ‘local’ failed, code: 1 error: Object with unique identifier ‘local’ not found.
Is it possible to remove the encryptionKeyFile option and add in the KMIP encryption options in one change? Note, I am making MongoDB generate the keys rather than using a key identifier at this point, so the 4 new options added are kmipServerName, kmipPort, kmipServerCAFile and kmipClientCertificateFile.
My assumption here is that ‘local’ in the error log is referring to the original keyfile I had in place.
Maybe it’s a case of having to do this in two steps? 1) Remove the encryptionKeyFile, set enableEncryption to false and allow this to perform an initial sync (PSA), and 2) add in KMIP encryption as I have done for other replica sets?
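For readers comparing the two states the post describes, here is an added example (not the poster's configuration and not taken from Ops Manager) of the mongod.conf `security` section before and after the change. The mapping from the four Ops Manager fields named above to the `security.kmip.*` YAML keys is assumed, and every hostname and path is a constructed placeholder.

```yaml
# Added example, not from the original post.
# Document 1: current state, master key protected by a local keyfile.
security:
  enableEncryption: true
  encryptionKeyFile: /etc/mongodb/keys/ese-keyfile   # placeholder path
---
# Document 2: target state, master key held by the KMIP server.
# keyIdentifier is deliberately omitted so mongod asks the KMIP server to
# create a new key, matching the "MongoDB generates the keys" choice above.
security:
  enableEncryption: true
  kmip:
    serverName: kmip.example.internal              # assumed; Ops Manager field kmipServerName
    port: 5696                                     # kmipPort; 5696 is the IANA-registered KMIP port
    serverCAFile: /etc/mongodb/kmip/kmip-ca.pem    # kmipServerCAFile (CA that issued the KMIP server cert)
    clientCertificateFile: /etc/mongodb/kmip/mongod-client.pem   # kmipClientCertificateFile (client cert + private key)
```

The caveat a practitioner would want here: the encrypted storage engine binds a member's data files to the key manager that protected their master key, so existing data files cannot be reopened under a different key manager by restarting with new options. A keyfile-to-KMIP move is therefore done by rebuilding each member's data through an initial sync under the new configuration, one member at a time so the replica set keeps a majority, which is the shape of the two-step approach the post proposes. Treat the keyfile and the client PEM as secrets with equally restrictive filesystem permissions, and keep the old keyfile until every member has been re-synced and verified, since a member that still holds keyfile-encrypted data cannot start without it.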