Client-side Field Level Encryption - integration with HashiCorp Vault

We plan to use client-side field-level encryption for some confidential fields in our product. To generate and manage the Customer Master Key, we want to use HashiCorp Vault. The KMS providers currently supported are only: Amazon Web Services KMS and Locally Managed Keyfile.

To work with HashiCorp Vault, it seems we need to choose Locally Managed Keyfile as the KMS provider. This means that the master key will be fetched from Vault into memory and then used in the code to encrypt/decrypt the DEK (Data Encryption Key). Ideally, the decryption of the DEK should happen in Vault itself as a best practice, and the master key should not be brought out of Vault.

Is there a way to achieve this? There are numerous articles around encryption at rest and integration with HashiCorp Vault, but none of them is for CSFLE. I need help if anyone is using CSFLE.

Thanks


Were you able to solve this issue?

No. We couldn’t find a way around. We chose not to use CSFLE.


Is there anyone who has implemented CSFLE using HashiCorp Vault?

Hello Navaneethakumar,

We do have support for using a KMIP key provider, which can be used with HashiCorp Vault enterprise. We have a tutorial on how to set it up in our docs and this blog post covers Vault Enterprise specifically. I hope that helps.

Cynthia

Hey Hi Cynthia,

Thanks for the links. I have already referred to the TUTORIAL link and am trying to implement with the help of that page only.

But it looks like this feature works only with HashiCorp Vault Enterprise edition, as mentioned in the blog link. We have requested a Vault license and Vault setup.

A few more queries around this topic:

  1. I am not going with Automatic encryption (AES). Do I still need to provide the below parameter?

import java.util.HashMap;
import java.util.Map;

// Driver "extraOptions" that point at the Automatic Encryption Shared Library
Map<String, Object> extraOptions = new HashMap<String, Object>();
extraOptions.put("cryptSharedLibPath", "<Full path to your Automatic Encryption Shared Library>");

Regards,
Navaneethakumar

Hi Navaneethakumar,

That is correct about Vault, only their enterprise edition is KMIP enabled. If you aren’t using Automatic Encryption you don’t need to have the Shared Library or include the path to it. Just a quick note about terminology, AES is the encryption algorithm that is used by CSFLE and it is used regardless of Automatic or Explicit encryption.

Thanks,

Cynthia
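Putting Cynthia's two answers together (a "kmip" KMS provider pointed at Vault Enterprise, and no cryptSharedLibPath because explicit encryption does not use the shared library), here is an added Java example of explicit CSFLE through the driver's ClientEncryption API. It is not code from this thread, from MongoDB's tutorial or from Vault's docs; the keystore paths, the KMIP_KEYSTORE_PASSWORD variable, the Vault KMIP endpoint and the key vault collection encryption.__keyVault on a local mongod are all assumptions.

```java
import com.mongodb.*;
import com.mongodb.client.model.vault.*;
import com.mongodb.client.vault.*;
import org.bson.*;
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.*;

public class KmipExplicitEncryptionExample {
    // KMIP requires mutual TLS: a client cert issued by Vault's KMIP CA plus that CA as trust root.
    // Keystore paths and the password variable are assumptions for this example.
    static SSLContext kmipTlsContext() throws Exception {
        char[] pw = System.getenv("KMIP_KEYSTORE_PASSWORD").toCharArray();
        KeyStore client = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream("/path/to/kmip-client.p12")) { client.load(in, pw); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(client, pw);
        KeyStore trust = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream("/path/to/vault-kmip-ca.p12")) { trust.load(in, pw); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // The "kmip" provider only needs the Vault KMIP listener address (assumed host:port below).
        Map<String, Map<String, Object>> kmsProviders = new HashMap<>();
        Map<String, Object> kmip = new HashMap<>();
        kmip.put("endpoint", "vault.example.internal:5696");
        kmsProviders.put("kmip", kmip);
        ClientEncryptionSettings settings = ClientEncryptionSettings.builder()
                .keyVaultMongoClientSettings(MongoClientSettings.builder()
                        .applyConnectionString(new ConnectionString("mongodb://localhost:27017")).build())
                .keyVaultNamespace("encryption.__keyVault")
                .kmsProviders(kmsProviders)
                .kmsProviderSslContextMap(Map.of("kmip", kmipTlsContext()))
                .build();
        // Explicit encryption: no AutoEncryptionSettings and no cryptSharedLibPath extraOptions.
        try (ClientEncryption clientEncryption = ClientEncryptions.create(settings)) {
            // Empty masterKey document: the driver registers a new key in Vault's KMIP engine for the DEK.
            BsonBinary dataKeyId = clientEncryption.createDataKey("kmip",
                    new DataKeyOptions().masterKey(new BsonDocument()));
            BsonBinary ciphertext = clientEncryption.encrypt(new BsonString("4111 1111 1111 1111"),
                    new EncryptOptions("AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic").keyId(dataKeyId));
            System.out.println("decrypted: " + clientEncryption.decrypt(ciphertext).asString().getValue());
        }
    }
}
```

The ciphertext is a BsonBinary of subtype 6 that can be stored in any field; the AES-CBC/HMAC-SHA-512 algorithm name applies whether encryption is explicit or automatic, as Cynthia notes.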