A keystore that can be used to store MongoDB encryption keys - mongodb

Is there any Keystore which I can use to store MongoDB encryption keys?
Also, is there any way to set up a key rotation policy which can support both ActiveMQ and MongoDB?

MongoDB supports KMIP, so any KMIP-compliant key store will do. Vendors such as Townsend Security and SafeNet sell KMIP-compliant key stores.
Here's MongoDB's documentation about how to configure a KMIP-compliant key store: https://docs.mongodb.org/manual/tutorial/configure-encryption/#key-manager
As far as I can tell, ActiveMQ doesn't support KMIP or external key management.
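As an added illustration of the KMIP route described above (not taken from the original answer or from MongoDB's documentation), this is what the relevant mongod.conf fragment looks like; the server name, port, certificate paths and key identifier are placeholders.

```yaml
# Added example: mongod.conf fragment pointing MongoDB Enterprise at a
# KMIP-compliant key server. All host names and paths are placeholders.
security:
  enableEncryption: true
  # AES256-CBC is the default; AES256-GCM is the other supported mode.
  encryptionCipherMode: AES256-CBC
  kmip:
    serverName: kmip.example.internal      # placeholder KMIP server
    port: 5696                             # KMIP default port
    # Client certificate + key (PEM) that the KMIP server trusts, and the
    # CA that signed the KMIP server's certificate (placeholder paths).
    clientCertificateFile: /etc/mongodb/kmip-client.pem
    serverCAFile: /etc/mongodb/kmip-ca.pem
    # Leave keyIdentifier out on first start and mongod asks the KMIP
    # server to create a new master key; set it to reuse an existing key.
    # keyIdentifier: "<KEY_ID_FROM_KMIP_SERVER>"
```

Master key rotation with this setup is a start-up action rather than a scheduled policy: starting mongod once with `--kmipRotateMasterKey` (alongside the KMIP options above) creates a new master key on the KMIP server and re-encrypts the per-database keys under it, after which mongod exits and can be restarted normally.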

Related

Mongodb: Client side Field Level encryption - integration with Hashicorp vault

We plan to use client-side field-level encryption for some confidential fields in our product. To generate and manage the Customer Master Key, we want to use Hashicorp Vault. The KMS providers currently supported are only Amazon Web Services KMS and Locally Managed Keyfile.
To work with Hashicorp Vault, it seems we need to choose Locally Managed Keyfile as the KMS provider. This means that the master key will be fetched from Vault into memory and then used in the code to encrypt/decrypt the DEK (Data Encryption Key). Ideally, the decryption of the DEK should happen in Vault itself as a best practice, and the master key should not be brought out of Vault.
Is there a way to achieve this? There are numerous articles around encryption at rest and integration with Hashicorp Vault, but none of them is for CSFLE. I need help if anyone is using CSFLE.
Thanks

How to store a custom key in AWS KMS

I'm using OpenSSL to generate an asymmetric key locally on my machine. I want to store this key in AWS KMS. Is there a possibility to achieve that?
From Importing key material in AWS Key Management Service (AWS KMS) - AWS Key Management Service:
Imported key material is supported only for symmetric CMKs in AWS KMS key stores. It is not supported on asymmetric CMKs or CMKs in custom key stores.
So, it seems that you cannot import an asymmetric key into AWS KMS.

Encrypt Mongodb with Google Cloud Key Management Service

Is it possible to use Google KMS with a MongoDB server on Ubuntu 18.04 (GCP) to encrypt data at rest? What are the requirements? How is it done? I want to use the MongoDB encryption feature for additional security.
The documentation mentions the KMIP protocol; does Google provide such a service?
PS: I have installed MongoDB Enterprise edition on my server along with other services such as the backend.
From your comment, and assuming your question is in regards to how to use the KMS integration with MongoDB:
For a start, it is possible to use KMS with MongoDB. Google even provides an out-of-the-box solution of MongoDB Atlas to integrate with KMS via the Marketplace.
However, this integration is not available on Atlas M0, M2 and M5.
You can follow the same link for details on how to use the integration. If you have any specific question on this integration, please edit your question to include it.
Data on GCP is always encrypted at rest. You can optionally use your own KMS keys to encrypt the disks.
gcloud compute disks create encrypted-disk \
--kms-key projects/[KMS_PROJECT_ID]/locations/[REGION]/keyRings/[KEY_RING]/cryptoKeys/[KEY]

Encryption Details of filesystem backend for Hashicorp Vault Community Edition

I cannot find any information about how the filesystem storage backend encrypts data at rest in the Hashicorp Vault Community Edition. Does anyone know the details of the encryption cipher(s), hashing algorithms, etc.? Is it configurable or is there a way to inspect the ciphers on an existing filesystem vault?
Quoting from the official documentation:
Vault uses a security barrier for all requests made to the backend. The security barrier automatically encrypts all data leaving Vault using a 256-bit Advanced Encryption Standard (AES) cipher in the Galois Counter Mode (GCM) with 96-bit nonces.
So the cipher used for storing secrets is AES-256 with GCM. I think that this is an architectural choice that cannot be changed.

Verify MongoDB encryption based on Local Key Management

I have configured MongoDB 3.4.16 Enterprise version for native encryption following the Local Key Management method as mentioned in the documentation of MongoDB.
I find that, as mentioned in the tutorial, I also get the encryption-successful message on the command prompt, which appears after the operation was successful:
[initandlisten] Encryption key manager initialized with key file:
My question is, how can I demonstrate the results to other people that with just these configurations the encryption has happened? Like for example, only if I can show the DB data file before and after applying these encryption configurations.
I don't have an answer, rather a comment. Be sure to take note of the notice at the top of the Local Key Management page.
IMPORTANT: Using the keyfile method does not meet most regulatory key management guidelines and requires users to securely manage their own keys.
The safe management of the keyfile is critical.
Without a dedicated key manager to store and manage keys, it is like leaving the keys to your house under your welcome mat. Since you are on Enterprise edition, use KMIP and deploy an encryption key manager. More on encryption key management for MongoDB here: https://info.townsendsecurity.com/mongodb-encryption-key-management-definitive-guide