PSMDB-1441 Documented master key loss prevention (#931)
PSMDB-1441 Documented master key loss prevention
nastena1606 authored Nov 5, 2024
1 parent 8792c4e commit 5db9e94
Showing 1 changed file with 42 additions and 4 deletions.
46 changes: 42 additions & 4 deletions docs/vault.md
Expand Up @@ -10,7 +10,19 @@ with versioning enabled.

HashiCorp Vault Documentation: [How to configure the KV Engine](https://www.vaultproject.io/api/secret/kv/kv-v2.html)

## HashiCorp Vault Parameters

??? admonition "Version changes"

The following table lists the changes in the implementation of HashiCorp Vault integration with Percona Server for MongoDB and the versions that introduced those changes:

| Version | Description |
|-----------------|-------------|
| [6.0.5-4](release_notes/6.0.5-4.md) | Key rotation in replica sets |
| [6.0.18-15](release_notes/6.0.18-15.md) | Master key loss prevention |



## HashiCorp Vault parameters

| Command line | Configuration file | Type | Description |
| -------------------- | ------------------------- | ------ | ------------ |
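Review bot: the intro sentence and the version table under `??? admonition "Version changes"` appear flush left here; mkdocs-material requires the body of a `???` block to be indented by four spaces, otherwise the collapsible renders empty and the table lands outside it, so please confirm the indentation is present in the committed file. Also collapse the three blank lines before `## HashiCorp Vault parameters` to one.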
Expand All @@ -22,8 +34,9 @@ with versioning enabled.
| vaultRotateMasterKey | security.vault.<br>rotateMasterKey| switch | When enabled, rotates the master key and exits |
| vaultServerCAFile | security.vault.<br>serverCAFile | string | The path to the TLS certificate file |
| vaultDisableTLSForTesting | security.vault.<br>disableTLSForTesting | switch | Disables secure connection to Vault using SSL/TLS client certificates|
| vaultCheckMaxVersions | security.vault.<br>checkMaxVersions| boolean | Verifies that the current number of secret versions has not reached the maximum, defined by the `max_versions` parameter for the secret or the secrets engine on the Vault server. If the number of versions has reached the maximum, the server logs an error and exits. Enabled by default. Available starting with version 6.0.18-15.|

**Config file example**
### Config file example

```yaml
security:
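Review bot: the new `vaultCheckMaxVersions` row gives its type as `boolean` while the neighbouring `vaultRotateMasterKey` and `vaultDisableTLSForTesting` rows use `switch`; pick one term for the column. Since the description says the check is enabled by default, it should also state what disabling it costs, namely that Vault may then silently drop the oldest secret version together with the master key it stores, so that a reader does not switch the check off just to get past the startup error.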
Expand All @@ -35,9 +48,25 @@ security:
secret: secret/data/hello
```
During the first run of the Percona Server for MongoDB, the process generates a secure key and writes the key to the vault.
Starting with 6.0.18-15, Percona Server for MongoDB checks the number of the secrets on the Vault server before adding a new one thus [preventing the loss of the old master key](#master-key-loss-prevention). For these checks, Percona Server for MongoDB requires read permissions for the secret’s metadata and the secrets engine configuration. You configure these permissions within the access policy on the Vault server.
During the subsequent start, the server tries to read the master key from the vault. If the configured secret does not exist, vault responds with HTTP 404 error.
Find the sample policy configuration below:
```json
path "secret/data/*" {
capabilities = ["create","read","update","delete"]
}
path "secret/metadata/*" {
capabilities = ["read"]
}
path "secret/config" {
capabilities = ["read"]
}
```

During the first run of the Percona Server for MongoDB, the process generates a new random master encryption key. Then, it wraps it into a secret and puts the latter on a Vault server at the configured path. Vault increments the value of the `current_version`, associates the resulting value with a new secret, and returns the version. Percona Server for MongoDB then saves the full path and the version in the metadata and uses them later to get the key from the Vault server.

During the subsequent start, the server tries to read the master key from the Vault. If the configured secret does not exist, Vault responds with the HTTP 404 error.

## Namespaces

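Review bot: the policy sample is Vault policy HCL, not JSON (unquoted `capabilities = [...]` is not valid JSON), so the fence should be tagged `hcl` rather than `json`. The `secret/data/*` and `secret/metadata/*` wildcards grant access to every secret under the engine; since the config example above points at `secret/data/hello`, it is worth saying that production policies should be narrowed to the configured secret path. Minor: "before adding a new one thus" needs a comma after "one", and a blank line before the fence keeps the paragraph/code separation consistent with the rest of the file.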
Expand Down Expand Up @@ -100,3 +129,12 @@ The key rotation steps are the following:
2. Step down the primary and wait for another primary to be elected.
3. Rotate the master key for the previous primary node.


### Master key loss prevention

Starting with version 6.0.18-15, Percona Server for MongoDB checks if the number of secret versions has reached the maximum (10 by default) before adding a new master key to the Vault server as a versioned secret. You configure this number using the `max_versions` parameter on the Vault server.

If the number of secrets reaches the maximum, Percona Server for MongoDB logs an error and exits. This prevents the Vault server from dropping the oldest secret version and the encryption key it stores.

To continue, increase the maximum versions for the secret or the entire secrets engine on the Vault server, then restart Percona Server for MongoDB. To check the number of secrets on the Vault server, ensure Percona Server for MongoDB has [read permissions for the secret’s metadata and the secrets engine configuration](#config-file-example).

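Review bot: "If the number of secrets reaches the maximum" should read "secret versions", matching the previous paragraph and Vault's `max_versions`, which counts versions of one secret rather than distinct secrets (the new paragraph under the config example has the same wording issue). The section tells the operator to check the number of versions but not how; consider naming the Vault CLI command or API endpoint to read the secret's metadata, and quoting the exact error message Percona Server for MongoDB logs so it can be searched for. Minor: two blank lines precede the new `### Master key loss prevention` heading.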