Rotate and Rewrap Encryption Keys
In this guide, you can learn how to manage your encryption keys with a Key Management System (KMS) in your application.

Overview
This procedure shows you how to rotate encryption keys for Queryable Encryption using mongosh. Rotating Data Encryption Keys (DEKs) consists of rewrapping them with a new Customer Master Key (CMK), so the terms "rotate" and "rewrap" are sometimes used interchangeably.

After completing this guide, you should be able to rotate your CMK on your Key Management System, and then rewrap the existing DEKs in your Key Vault collection with the new CMK.

As you rotate keys, confirm that a key is no longer used to wrap any DEK or encrypt any data before you delete it. If you delete a DEK, all fields encrypted with that DEK become permanently unreadable. If you delete a CMK, all fields encrypted with a DEK wrapped by that CMK become permanently unreadable.
Related Information

For a detailed explanation of the concepts included in this procedure, refer to the topics below.

To learn more about keys and key vaults, see Keys and Key Vaults. To view a list of supported KMS providers, see the KMS Providers page.

For tutorials detailing how to set up a Queryable Encryption enabled application with each of the supported KMS providers, see the following pages:

Procedure

Rotate your Customer Master Key on your Key Management System

The process for rotating your CMK depends on your KMS. For details, refer to your key provider's documentation:
- AWS: Rotating AWS KMS Keys
- Azure: Configure cryptographic key auto-rotation in Azure key vault
- GCP: Rotate a key

Once you rotate the CMK, MongoDB uses it to wrap all new DEKs. To rewrap existing DEKs, continue with the following steps.
Rotate your Data Encryption Keys using KeyVault.rewrapManyDataKey()

The KeyVault.rewrapManyDataKey() method automatically decrypts multiple Data Encryption Keys and re-encrypts them using the specified CMK. It then updates the keys in the Key Vault collection.

The method has the following syntax:
let keyVault = db.getMongo().getKeyVault()
keyVault.rewrapManyDataKey(
  {
    "<Query filter document>"
  },
  {
    provider: "<KMS provider>",
    masterKey: {
      "<dataKeyOpts Key>" : "<dataKeyOpts Value>"
    }
  }
)
- Query filter document: Specify a query filter document to select the keys to rotate, or omit the argument to rotate all keys in the Key Vault collection. If you specify a query filter document but no keys match, then no keys are rotated.
- provider: Specify the KMS provider.
- masterKey: Specify the masterKey using the new CMK, or omit the argument to rotate keys using their existing CMK.

Your DEKs themselves are left unchanged after rewrapping them with the new CMK. The key rotation process is seamless and does not interrupt your application.
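The following is an added example, not code from the MongoDB documentation. It shows two helpers a practitioner would want around the procedure above: one that assembles and validates the two arguments to KeyVault.rewrapManyDataKey() for each supported provider (the masterKey field names per provider are taken from the dataKeyOpts for AWS, Azure and GCP), and one that audits the Key Vault collection afterwards so you only delete the old CMK once no DEK still references it. The Key Vault documents and ARNs below are constructed sample data; the mongosh call itself needs a live deployment and is shown commented out.

```javascript
// Added example (not from the MongoDB docs): helpers around
// KeyVault.rewrapManyDataKey() and a post-rotation audit of the Key Vault.
// The rewrap call needs a live mongosh session; everything else runs as
// plain JavaScript over constructed sample documents.

// masterKey field names each KMS provider expects in dataKeyOpts.
const REQUIRED_MASTER_KEY_FIELDS = {
  aws: ["key", "region"],
  azure: ["keyVaultEndpoint", "keyName"],
  gcp: ["projectId", "location", "keyRing", "keyName"],
};

// Build the two positional arguments for keyVault.rewrapManyDataKey().
// `filter` selects the DEKs to rotate ({} rotates all of them); `masterKey`
// describes the NEW CMK. A missing field throws instead of letting a typo
// silently rewrap keys under the wrong CMK.
function buildRewrapArgs(provider, masterKey, filter = {}) {
  const required = REQUIRED_MASTER_KEY_FIELDS[provider];
  if (!required) throw new Error(`unsupported KMS provider: ${provider}`);
  const missing = required.filter((f) => !(f in masterKey));
  if (missing.length) {
    throw new Error(`${provider} masterKey is missing: ${missing.join(", ")}`);
  }
  return [filter, { provider, masterKey }];
}

// After rewrapping, list the DEKs whose stored masterKey still matches the
// old CMK field-by-field. Delete the old CMK in your KMS only once this
// returns an empty array; otherwise those DEKs (and the data they protect)
// become permanently unreadable.
function keysStillUnderOldCmk(keyVaultDocs, oldMasterKey) {
  return keyVaultDocs
    .filter((doc) =>
      Object.entries(oldMasterKey).every(([k, v]) => doc.masterKey?.[k] === v)
    )
    .map((doc) => ({ _id: doc._id, keyAltNames: doc.keyAltNames ?? [] }));
}

// Constructed sample Key Vault documents. Field names follow the key vault
// document schema (_id, keyAltNames, masterKey); the ARNs are placeholders.
// Two DEKs have already been rewrapped under the new CMK, one has not.
const OLD_CMK = {
  provider: "aws",
  key: "arn:aws:kms:us-east-1:000000000000:key/OLD-CMK-PLACEHOLDER",
  region: "us-east-1",
};
const NEW_CMK = {
  provider: "aws",
  key: "arn:aws:kms:us-east-1:000000000000:key/NEW-CMK-PLACEHOLDER",
  region: "us-east-1",
};
const SAMPLE_KEY_VAULT = [
  { _id: "dek-1", keyAltNames: ["ssn-key"], masterKey: NEW_CMK },
  { _id: "dek-2", keyAltNames: ["dob-key"], masterKey: NEW_CMK },
  { _id: "dek-3", keyAltNames: ["legacy-key"], masterKey: OLD_CMK },
];

// Usage in mongosh against a live deployment (commented out so this file
// runs offline). KeyVault.getKeys() returns a cursor over the Key Vault.
// const keyVault = db.getMongo().getKeyVault();
// const [filter, opts] = buildRewrapArgs(
//   "aws", { key: NEW_CMK.key, region: NEW_CMK.region }, { keyAltNames: "legacy-key" }
// );
// keyVault.rewrapManyDataKey(filter, opts);
// const remaining = keysStillUnderOldCmk(keyVault.getKeys().toArray(), OLD_CMK);
// if (remaining.length) print("do not delete the old CMK yet:", remaining);

module.exports = { buildRewrapArgs, keysStillUnderOldCmk, SAMPLE_KEY_VAULT, OLD_CMK, NEW_CMK };
```

Run the audit before and after the rewrap: before, it lists every DEK you intend to rotate; after, it should be empty. Running it over the sample documents above reports dek-3 as still wrapped by the old CMK, which is exactly the state in which deleting that CMK would make the fields encrypted under dek-3 unrecoverable.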