Most regulatory requirements mandate that a managed key used to decrypt sensitive data must be rotated out and replaced with a new key once a year.
To roll over database keys configured with the AES256-GCM cipher after a filesystem restore, see --eseDatabaseKeyRollover instead.
MongoDB provides two options for key rotation. You can rotate out the binary with a new instance that uses a new key. Or, if you are using a KMIP server for key management, you can rotate the master key.
To prevent changing the write quorum, never rotate more than one replica set member at a time.
For a replica set, to rotate out a member:
Start a new mongod instance, configured to use a new key. Include the --replSet option with the name of the replica set as well as any other options specific to your configuration, such as --dbpath and --bind_ip.
mongod --replSet myReplSet --enableEncryption \
  --kmipServerName <KMIP Server HostName> \
  --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem
Connect mongosh to the replica set's primary. Add the instance to the replica set:
rs.add( { host: <host:port> } )
Before MongoDB 5.0, a newly added secondary still counts as a voting member even though it can neither serve reads nor become primary until its data is consistent. If you are running a MongoDB version earlier than 5.0 and add a secondary with its votes and priority settings greater than zero, this can lead to a case where a majority of the voting members are online but no primary can be elected. To avoid such situations, consider adding the new secondary initially with priority: 0 and votes: 0. Then, run rs.status() to ensure the member has transitioned into SECONDARY state. Finally, use rs.reconfig() to update its priority and votes.
During the initial sync process, the data is re-encrypted with an entirely new set of database keys as well as a new system key.
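The rotate-out procedure above, and in particular the pre-5.0 caveat about votes and priority, as an added example (not MongoDB's own code): the helpers build the rs.add() document, adding the member as non-voting on versions before 5.0, and produce the rs.reconfig() document only once rs.status() reports the member as SECONDARY. The function names and the sample rs.conf()/rs.status() documents are assumptions constructed for the example.

```python
import re

def version_tuple(version: str) -> tuple:
    """'4.4.18' -> (4, 4, 18); padded so '5.0' compares as (5, 0, 0)."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def add_member_doc(host: str, server_version: str) -> dict:
    """rs.add() document for the new member. Before 5.0 a still-syncing member
    counts as a voter, so it joins with votes:0 / priority:0 to avoid a
    majority that is online but cannot elect a primary."""
    doc = {"host": host}
    if version_tuple(server_version) < (5, 0, 0):
        doc.update({"priority": 0, "votes": 0})
    return doc

def member_state(status: dict, host: str):
    """stateStr of `host` in an rs.status() document, or None if not listed."""
    for m in status.get("members", []):
        if m.get("name") == host:
            return m.get("stateStr")
    return None

def reconfig_after_sync(conf: dict, status: dict, host: str,
                        priority: int = 1, votes: int = 1):
    """rs.reconfig() document that restores priority/votes for `host`, or None
    while rs.status() does not yet show it as SECONDARY. `conf` is left untouched."""
    if member_state(status, host) != "SECONDARY":
        return None
    new_conf = dict(conf, version=conf["version"] + 1,
                    members=[dict(m) for m in conf["members"]])
    for m in new_conf["members"]:
        if m["host"] == host:
            m.update({"priority": priority, "votes": votes})
    return new_conf

if __name__ == "__main__":
    # Constructed sample documents (shape of rs.conf() / rs.status(), values invented).
    host = "db4.example.net:27017"
    conf = {"_id": "myReplSet", "version": 7, "members": [
        {"_id": 0, "host": "db1.example.net:27017", "priority": 1, "votes": 1},
        {"_id": 3, "host": host, "priority": 0, "votes": 0}]}
    status = {"members": [{"name": "db1.example.net:27017", "stateStr": "PRIMARY"},
                          {"name": host, "stateStr": "STARTUP2"}]}
    print(add_member_doc(host, "4.4.18"))            # non-voting on pre-5.0
    print(reconfig_after_sync(conf, status, host))   # None: still syncing
    status["members"][1]["stateStr"] = "SECONDARY"
    print(reconfig_after_sync(conf, status, host)["members"][1])
```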
If you are using a KMIP server for key management, you can rotate the master key, the only externally managed key. With the new master key, the internal keystore will be re-encrypted but the database keys will be otherwise left unchanged. This obviates the need to re-encrypt the entire data set.
Rotate the master key for the secondary members of the replica set one at a time.
Restart the secondary, including the --kmipRotateMasterKey option. Include any other options specific to your configuration, such as --bind_ip. If the member already includes the --kmipKeyIdentifier option, either update the --kmipKeyIdentifier option with the new key to use or omit it to request a new key from the KMIP server:
mongod --enableEncryption --kmipRotateMasterKey \
  --kmipServerName <KMIP Server HostName> \
  --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem
If using a configuration file, include the security.kmip.rotateMasterKey setting.
Once the rotation is complete, mongod will exit. Restart the secondary without the --kmipRotateMasterKey parameter. Include any other options specific to your configuration, such as --bind_ip.
mongod --enableEncryption --kmipServerName <KMIP Server HostName> \
  --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem
If using a configuration file, remove the security.kmip.rotateMasterKey setting.
Step down the replica set primary.
Connect mongosh to the primary and use rs.stepDown() to step down the primary and force an election of a new primary:
rs.stepDown()
When rs.status() shows that the primary has stepped down and another member has assumed PRIMARY state, rotate the master key for the stepped-down member:
Restart the stepped-down member, including the --kmipRotateMasterKey option. Include any other options specific to your configuration, such as --bind_ip. If the member already includes the --kmipKeyIdentifier option, either update the --kmipKeyIdentifier option with the new key to use or omit it.
mongod --enableEncryption --kmipRotateMasterKey \
  --kmipServerName <KMIP Server HostName> \
  --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem
If using a configuration file, include the security.kmip.rotateMasterKey setting.
Once the rotation is complete, mongod will exit. Restart the stepped-down member without the --kmipRotateMasterKey option. Include any other options specific to your configuration, such as --bind_ip.
mongod --enableEncryption --kmipServerName <KMIP Server HostName> \
  --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem
If using a configuration file, remove the security.kmip.rotateMasterKey setting.
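The KMIP master-key rotation procedure above as an added example (not MongoDB's own code): from an rs.status() document and each member's current mongod command line it orders the work secondaries-first with the primary last after rs.stepDown(), refuses to plan while any member is not PRIMARY or SECONDARY (a second member going down then could cost the write majority), and builds the two restarts per member, one with --kmipRotateMasterKey, after which mongod exits on its own, and one without it. It handles command-line options only, not a configuration file; the function names are assumptions.

```python
import shlex
ROTATE_FLAG = "--kmipRotateMasterKey"
KEY_ID_FLAG = "--kmipKeyIdentifier"

def strip_option(argv, flag, takes_value):
    """Drop `flag` from an argv list, in both '--x v' and '--x=v' spellings."""
    out, skip = [], False
    for arg in argv:
        if skip:
            skip = False               # this element was the option's value
        elif arg == flag:
            skip = takes_value
        elif not arg.startswith(flag + "="):
            out.append(arg)
    return out

def rotate_argv(argv, new_key_id=None):
    """First restart: old --kmipKeyIdentifier removed, rotate flag added; pass
    new_key_id to name the new key or None to have the KMIP server create one."""
    base = strip_option(strip_option(argv, ROTATE_FLAG, False), KEY_ID_FLAG, True)
    return base + [ROTATE_FLAG] + ([KEY_ID_FLAG, new_key_id] if new_key_id else [])

def post_rotation_argv(argv, new_key_id=None):
    """Second restart after mongod has exited: same options, no rotate flag."""
    return strip_option(rotate_argv(argv, new_key_id), ROTATE_FLAG, False)

def rotation_order(status):
    """Member names from rs.status(): every SECONDARY first, the PRIMARY last.
    Any other state (STARTUP2, RECOVERING, ...) aborts the plan."""
    by_state = {}
    for m in status["members"]:
        by_state.setdefault(m["stateStr"], []).append(m["name"])
    odd = {s: n for s, n in by_state.items() if s not in ("PRIMARY", "SECONDARY")}
    if odd:
        raise RuntimeError(f"replica set not healthy, refusing to plan: {odd}")
    return by_state.get("SECONDARY", []) + by_state.get("PRIMARY", [])

def plan(status, argv_by_member, new_key_id=None):
    """(member, step, command) tuples; the primary is stepped down before its turn."""
    primaries = {m["name"] for m in status["members"] if m["stateStr"] == "PRIMARY"}
    steps = []
    for name in rotation_order(status):
        if name in primaries:
            steps.append((name, "stepdown", f"mongosh --host {name} --eval 'rs.stepDown()'"))
        steps.append((name, "rotate", shlex.join(rotate_argv(argv_by_member[name], new_key_id))))
        steps.append((name, "restart", shlex.join(post_rotation_argv(argv_by_member[name], new_key_id))))
    return steps
```

Call plan(status, {member_name: argv, ...}) with the rs.status() document and each member's current mongod command line, then run the commands in order, waiting for the rotate step's mongod to exit and for rs.status() to show the member back in SECONDARY before moving to the next one.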