• Security >
• Client-Side Field Level Encryption >
• Master Key and Data Encryption Key Management

Master Key and Data Encryption Key Management

New in version 4.2.

Supported Key Management Services

Client-side field level encryption requires a Key Management Service (KMS) for accessing a Customer Master Key (CMK). MongoDB automatically encrypts data encryption keys using the specified CMK during data encryption key creation.

Deleting the CMK renders all data encryption keys encrypted with that CMK as permanently unreadable, which in turn renders all values encrypted with those data encryption keys as permanently unreadable.

Client-side field level encryption supports the following KMS providers:

• Amazon Web Services KMS
• Locally Managed Keyfile

Amazon Web Services KMS

Important

For AWS KMS support, use the 4.2.2 mongo shell. The 4.2.0 and 4.2.1 mongo shell does not support the AWS KMS service due to an unexpected change in the KMS response object. See SERVER-44721 for more information on the issue.

MongoDB client-side encryption supports using the Amazon Web Services Key Management Service for encrypting and decrypting data encryption keys. Specifically, MongoDB securely transmits the data encryption key to AWS KMS for encrypting or decrypting using the specified Customer Master Key (CMK). The CMK never leaves the AWS KMS.

The mongo shell supports two methods for configuring access to an AWS KMS:

• Use the client-side field level encryption command-line options,

  or

• Use the Mongo() constructor to create a database connection with the required AWS KMS configuration options.

Configuring access to an AWS KMS requires at minimum an AWS access key and its corresponding secret key. The IAM user associated to the access key must have at least one policy with the following actions:

• kms:Decrypt (reference)
• kms:Encrypt (reference)

Implement Seperation of Least Privilege for KMS Access

Consider configuring IAM user roles such that MongoDB has only the access to the actions and resources required to function.

For example, the following policy JSON scopes the required actions to a single CMK:

copy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt"
            ],
            "Resource": "arn:aws:kms:region:account:key/12a345b6-cd7e-8f9g-0h1i-jk23l45mn6o7"
        }
    ]
}

For complete documentation on data encryption key management using AWS KMS, see Manage Data Encryption Keys.

Locally Managed Key

The mongo shell supports specifying a locally managed key as a KMS using the Mongo() constructor. The local key must be a 96-byte long string.

For complete documentation on data encryption key management using a locally managed key, see Manage Data Encryption Keys.

Encryption Key Vault

The key vault is a collection that stores data encryption keys for use with client-side field level encryption. data encryption keys are encrypted using a Customer Master Key (CMK) managed through a supported Key Management System (KMS).

The mongo shell provides helper methods for data encryption key management:

Retrieving data encryption keys	KeyVault.getKey() KeyVault.getKeys() KeyVault.getKeyByAltName()
Creating or Modifying data encryption keys	KeyVault.createKey() KeyVault.addKeyAlternateName() KeyVault.removeKeyAlternateName()
Removing data encryption keys Important Removing a data encryption key renders all fields encrypted using that data encryption key as permanently unreadable.	KeyVault.deleteKey()

Applications with read access to the key vault collection can retrieve data encryption keys by querying the collection. However, only applications with access to the CMK used to encrypt a data encryption key can use that key for encryption or decryption.

By default MongoDB stores the key vault collection on the connected cluster. MongoDB also supports specifying a remote cluster as the key vault. Applications must have access to both the remote key vault cluster and the connection cluster to perform client-side field level encryption operations.

data encryption keys have the following structure:

copy

{
  "_id" : UUID("<string>"),
  "keyMaterial" : BinData(0,"<encrypted binary data string>"),
      "creationDate" : ISODate("2019-08-20T15:45:02.575Z"),
      "updateDate" : ISODate("2019-08-20T15:45:02.575Z"),
      "status" : <int>,
      "version" : NumberLong(0),
      "masterKey" : {
        "provider" : "<string>",
        "key" : "<string>",
        "region" : "<string>",
        "endpoint" : "<string>"
      },
      "keyAltNames" : [
    "<string>"
  ]
}

Client-side field level encryption depends on uniqueness of keyAltNames values. The mongo shell KeyVault.createKey() method creates a unique index on keyAltNames if one does not exist. Applications can use the listIndexes command against the key vault collection to check if the unique index exists. If the unique index does not exist, applications must create it prior to performing data encryption key management.

For complete documentation on data encryption key management, see Manage Data Encryption Keys.

←   Explicit (Manual) Client-Side Field Level Encryption Manage Data Encryption Keys  →

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.