@kennwhite
Last active April 18, 2022 18:08
MongoDB Client-Side Field Level Encryption Quickstart Part 1

Client-Side Field Level Encryption Quickstart Part 1

Note: See KMS Best Practices guide for more specific guidance:

You should work to ensure that the corresponding key policies follow a model of least privilege. This includes ensuring that you do NOT include kms:* permissions in an IAM policy.

Note: This tutorial will create both an AWS KMS master key as well as a local key. If planning to use only a local key, skip to Step 4.

1. Create a project-specific Master Key

  • In the AWS management console, create a project-specific master key:
    • Key Management Service (KMS) / Customer managed keys / Create a key
    • Customer managed key
    • Alias (ex.): proj01-kms-client-master-key01
    • Advanced options
      • [ x ] KMS (recommended for auto-rotation, but external or CloudHSM can be selected instead)
  • Add Tag key/value: (optional)
  • Key administrators:
    • (leave blank for now)
  • Key deletion
    • [ x ] Allow key administrators to delete this key (optional)
  • Define key usage permissions:
    • (leave blank for now)
  • Review and edit key policy:
    • (the default policy should restrict usage to the current admin for kms actions only)
  • Finish
  • Review key summary and copy & save key ARN value:
    • Ex: arn:aws:kms:us-east-1:1234:key/abcd-abcd-012345

2. Create a purpose-generated IAM policy for the Master Key just created

  • Identity and Access Management (IAM) / Policies
    • Create Policy
      • Service / Choose / KMS
      • Access level
        • [ x ] Write - Decrypt
        • [ x ] Write - Encrypt
      • Resources / key
        • Specific
          • key / Add ARN
            • [ ARN value for key created above ]
          • Add
      • Review policy
      • Name: (ex.) proj01-kms-key01-encrypt-decrypt-policy
      • Create policy

3. Create a purpose-generated IAM service account to use project Master Key

  • Identity and Access Management (IAM) / Users
    • Add user
    • User name: (ex) proj01-kms-key01-encrypt-decrypt-service-account
    • [ x ] Programmatic access
  • Permissions
  • Attach existing policies directly
  • Filter: (ex) proj01
    • [ x ] (ex) proj01-kms-key01-encrypt-decrypt-policy
  • Add tags (optional)
  • Review
  • Create user
  • Secret access key / Show
    • (copy Access key ID and Secret access key, along with master key ARN from above and save)

4. Create a local Master Key file

Note: a local key file should only be used in a non-production test environment.

  • For Linux & Mac, from a terminal:
    • echo $(head -c 96 /dev/urandom | base64 | tr -d '\n')
  • For Win 8.x/2012+, from a command prompt:
    • powershell -command "$r=[byte[]]::new(96);$g=[System.Security.Cryptography.RandomNumberGenerator]::Create();$g.GetBytes($r);[Convert]::ToBase64String($r)"
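The four steps above, as an added Python example that is not code from this gist: it generates and length-checks the 96-byte local key from Step 4, writes the Step 2 policy as an IAM document limited to Encrypt/Decrypt on a single key ARN, checks a policy for the kms:* wildcard the best-practices note warns against, and assembles the kmsProviders map from the Step 3 credentials. The kmsProviders shape (aws accessKeyId/secretAccessKey, local key as 96 raw bytes) is assumed from the MongoDB driver documentation; the ARN and credentials used are placeholders.

```python
import base64
import os

def generate_local_master_key() -> str:
    """Step 4 in Python: 96 random bytes, base64 on one line (non-production only)."""
    return base64.b64encode(os.urandom(96)).decode("ascii")

def decode_local_master_key(key_b64: str) -> bytes:
    """Decode a local master key and check the length CSFLE requires: exactly 96 bytes."""
    raw = base64.b64decode(key_b64, validate=True)
    if len(raw) != 96:
        raise ValueError(f"local master key must be 96 bytes, got {len(raw)}")
    return raw

def least_privilege_key_policy(key_arn: str) -> dict:
    """Step 2 as an IAM policy document: Encrypt and Decrypt only, on one key ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["kms:Encrypt", "kms:Decrypt"],
            "Resource": key_arn,
        }],
    }

def policy_is_least_privilege(policy: dict) -> bool:
    """Flag the anti-pattern from the KMS best-practices note: an Allow statement
    granting kms:* (or *) actions, or scoped to every resource instead of one key."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a in ("kms:*", "*") for a in actions) or "*" in resources:
            return False
    return True

def build_kms_providers(access_key_id: str, secret_access_key: str, local_key_b64: str) -> dict:
    """kmsProviders map in the shape the MongoDB drivers expect (assumed from the driver
    docs, not from this gist): the Step 3 service-account credentials plus the local key."""
    return {
        "aws": {"accessKeyId": access_key_id, "secretAccessKey": secret_access_key},
        "local": {"key": decode_local_master_key(local_key_b64)},
    }

if __name__ == "__main__":
    # Placeholder ARN from Step 1 and placeholder credentials; real values come from the console.
    print(policy_is_least_privilege(least_privilege_key_policy("arn:aws:kms:us-east-1:1234:key/abcd-abcd-012345")))
    print(len(build_kms_providers("AKIA_PLACEHOLDER", "secret-placeholder", generate_local_master_key())["local"]["key"]))
```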
@manishgupt74

Hi Kenn, thanks for the above information. Is this code also tested with any other KMS provider, e.g. HashiCorp/GCP/Azure? I could not find anything definitive on CSFLE supporting this KMIP server, but in your comments there is an indication that this is possible. Just trying to check - thanks in advance. There is a feature request also at the MongoDB support forum:
https://feedback.mongodb.com/forums/924286-drivers/suggestions/41197198-csfle-integration-with-more-kms-providers-like-h
