CSFLE with multiple AWS KMS

Does Client-Side Field Level Encryption (CSFLE) support working with multiple AWS KMS accounts, where the customer manages keys in its own AWS KMS and the same MongoDB database uses keys from different AWS KMS accounts for field level encryption?

Hi David and welcome to the Community! With CSFLE, only the top-level key lives in the AWS KMS, not the Data Encryption Keys, so there isn't a need for multiple KMS accounts. The top-level key is used as a Key Encryption Key and protects the Data Encryption Keys so they are never stored in an unencrypted state. The Keys and Key Vaults page in the MongoDB CSFLE docs goes into detail about the different levels of keys, their purpose and how they are used. I hope that helps!

Cynthia

Hi,
Thank you for your reply. The point is actually related to Bring Your Own Key (BYOK) for encryption at rest, where the customer (a third party) needs to manage the master key for encryption. I understand that the master key is used for encryption of other keys; however, in certain cases there is a requirement that these master keys be managed by the customer, whereas the database itself belongs to the service provider. So the question is: is there a way to define an AWS KMS provider per document?

Hi David,

In Atlas BYOK there is a single customer-managed key supported per project/cluster. It does not support customer management of keys at lower levels (database, document, etc.). If a customer needs to be able to control the key used for BYOK, they should have their own cluster/project, which would then give them their own key.

Cynthia

Hi,
Thanks for the reply; generally my question converges to the following:
In non-Atlas MongoDB there is a way to define different key IDs for encrypting different documents in the same collection.
Now the question: can these different keys be encrypted with different master keys from different AWS KMS accounts, or can only one KMS master key be used for protection?

Hi David,

For at-rest encryption, even in Enterprise Advanced, the customer-managed key is not definable at the document level. This page in our docs explains how encryption at rest works for Enterprise Advanced.

The only solution for encrypting data with a different key at the document level is CSFLE, but even with CSFLE there is only one AWS KMS key that can be used for it. It will not support something like an AWS KMS key per tenant where you have multiple tenants' data in the same database, which is the use case I believe you are trying to solve for.

Cynthia

Thanks Cynthia.
Other related questions:
1.) Is it possible to work with multiple key vaults (DEK collections) for the same database? If so, can you provide a sample of how to do it?
2.) In the documentation it is written that the KMS is contacted each time a DEK needs to be decrypted; however, I believe that it is cached and it is not required to contact the KMS for every database read/write operation (for performance and cost reasons). Please confirm.

Thanks

Hi David,

My answers here are for CSFLE.
For question 1: the key vault is specified when configuring the MongoClient, and only one key vault is allowed.
For question 2: you are correct that the DEK is cached on the driver side for 1 minute, so whether or not you get a cache hit on it depends on how recently that DEK was requested from the KMS.

Cynthia
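As an added illustration of the two points in this answer and of the key hierarchy described earlier in the thread (the KMS holds only the top-level key, which wraps the Data Encryption Keys; the key vault stores DEKs only in wrapped form; the driver caches an unwrapped DEK for one minute), here is an editor's stand-alone model. It is not MongoDB driver or libmongocrypt code. StubKms, KeyVault and CsfleClient are names assumed for this model, the "tenant-a" key and "ssn-N" field values are constructed sample data, and the cipher (an HMAC-SHA256 keystream with an HMAC tag) is a stand-in chosen so the file runs with only the standard library; the real driver uses AEAD AES-CBC-HMAC algorithms. What it shows that the prose does not is the cost side of the cache: how many KMS round trips a stream of operations actually needs as a function of how far apart they are.

```python
"""Model of the CSFLE key hierarchy and the one-minute driver-side DEK cache.

Editor's illustration, not MongoDB driver/libmongocrypt code. StubKms,
KeyVault and CsfleClient are assumed names; the cipher is a stdlib stand-in.
"""
import hashlib
import hmac
import itertools
import os
import time


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with HMAC-SHA256 (illustrative cipher)."""
    out = bytearray()
    for counter in itertools.count():
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        if len(out) >= length:
            return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampering raises."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class StubKms:
    """Holds the customer master key (CMK). Only wrap/unwrap results leave it."""

    def __init__(self) -> None:
        self._cmk = os.urandom(32)  # never leaves the KMS
        self.calls = 0              # every wrap/unwrap is a billable round trip

    def wrap(self, dek: bytes) -> bytes:
        self.calls += 1
        return seal(self._cmk, dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        self.calls += 1
        return unseal(self._cmk, wrapped)


class KeyVault:
    """The key vault collection: DEKs are persisted only in wrapped form."""

    def __init__(self) -> None:
        self.docs: dict[str, dict] = {}

    def create_data_key(self, kms: StubKms, key_alt_name: str) -> str:
        dek = os.urandom(32)  # the plaintext DEK exists only inside this call
        key_id = os.urandom(16).hex()
        self.docs[key_id] = {"_id": key_id, "keyAltNames": [key_alt_name],
                             "keyMaterial": kms.wrap(dek)}
        return key_id


class CsfleClient:
    """Encrypts/decrypts fields; calls the KMS to unwrap a DEK only on a cache miss."""

    DEK_CACHE_TTL = 60.0  # seconds: the one-minute cache from the answer above

    def __init__(self, vault: KeyVault, kms: StubKms, clock=time.monotonic) -> None:
        self.vault, self.kms, self.clock = vault, kms, clock
        self._cache: dict[str, tuple[bytes, float]] = {}  # key_id -> (dek, expiry)

    def _dek(self, key_id: str) -> bytes:
        hit = self._cache.get(key_id)
        if hit is not None and hit[1] > self.clock():
            return hit[0]
        dek = self.kms.unwrap(self.vault.docs[key_id]["keyMaterial"])
        self._cache[key_id] = (dek, self.clock() + self.DEK_CACHE_TTL)
        return dek

    def encrypt_field(self, key_id: str, value: str) -> bytes:
        return seal(self._dek(key_id), value.encode())

    def decrypt_field(self, key_id: str, blob: bytes) -> str:
        return unseal(self._dek(key_id), blob).decode()


def kms_calls_for(ops: int, seconds_between_ops: float) -> int:
    """Run `ops` encrypt+decrypt round trips on a fake clock and return the
    KMS call count: 1 wrap at key creation plus 1 unwrap per cache miss."""
    now = [0.0]
    kms, vault = StubKms(), KeyVault()
    key_id = vault.create_data_key(kms, "tenant-a")      # constructed sample key
    client = CsfleClient(vault, kms, clock=lambda: now[0])
    for i in range(ops):
        blob = client.encrypt_field(key_id, f"ssn-{i}")  # constructed sample field
        assert client.decrypt_field(key_id, blob) == f"ssn-{i}"
        now[0] += seconds_between_ops
    return kms.calls


if __name__ == "__main__":
    print("100 ops 0.5 s apart:", kms_calls_for(100, 0.5), "KMS calls")   # 2
    print("100 ops 61 s apart: ", kms_calls_for(100, 61.0), "KMS calls")  # 101
```

The numbers are the practical consequence of the answer: a busy client that touches the same DEK more often than once a minute pays one KMS unwrap per minute per DEK, while an idle client whose requests are spaced beyond the TTL pays one unwrap per request, which is what the documentation's "contacted each time" wording describes.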

Thanks for the response.
A few more questions:
1.) So, following your response (tell me if I'm wrong), I can create 2 MongoDB clients that work with the same database and 2 different key vaults protected by 2 different KMSs, and each client works with different documents, right?

2.) Another question: when a DEK is created with the option that allows providing key material, is there a way to provide encrypted key material (if so, with what key can it be protected, probably by the KMS), or must it be plaintext?

3.) Can we choose different KIDs from the same KMS to protect different DEKs?

Thanks

Hi David - From your questions it seems like you are trying to build a system that allows you to use multiple KMS keys, where those keys are managed by external customers, and CSFLE was not designed to support this use case. If that is the case, then for something as important as security and encryption, I would advise against trying to make the solution work in a way it has not been designed or tested for.

Cynthia

@Cynthia_Braund, could you tell me if there is a way to pass an AWS KMS key ID to the API request when creating a project/cluster, to ensure that encryption at rest is enabled?