Note: See the KMS Best Practices guide for more specific guidance. You should work to ensure that the corresponding key policies follow a model of least privilege. This includes ensuring that you do NOT include kms:* permissions in an IAM policy.
Note: This tutorial will create both an AWS KMS master key as well as a local key. If planning to use only a local key, skip to Step 4.
- In the AWS management console, create a project-specific master key:
  - Key Management Service (KMS) / Customer managed keys / Create a key
    - Customer managed key
    - Alias (ex.): proj01-kms-client-master-key01
    - Advanced options
      - [ x ] KMS (recommended for auto-rotation, but external or CloudHSM can be selected instead)
    - Add Tag key/value: (optional)
    - Key administrators: (leave blank for now)
    - Key deletion
      - [ x ] Allow key administrators to delete this key (optional)
    - Define key usage permissions: (leave blank for now)
    - Review and edit key policy: (the default policy should restrict usage to the current admin for kms actions only)
    - Finish
  - Review the key summary and copy & save the key ARN value, ex.: arn:aws:kms:us-east-1:1234:key/abcd-abcd-012345
- Identity and Access Management (IAM) / Policies
  - Create Policy
    - Service / Choose / KMS
    - Access level
      - [ x ] Write - Decrypt
      - [ x ] Write - Encrypt
    - Resources / key
      - Specific
      - key / Add ARN
        - [ ARN value for key created above ]
        - Add
    - Review policy
      - Name (ex.): proj01-kms-key01-encrypt-decrypt-policy
    - Create policy
- Identity and Access Management (IAM) / Users
  - Add user
    - User name (ex.): proj01-kms-key01-encrypt-decrypt-service-account
    - [ x ] Programmatic access
    - Permissions
      - Attach existing policies directly
        - Filter (ex.): proj01
        - [ x ] (ex.) proj01-kms-key01-encrypt-decrypt-policy
    - Add tags (optional)
    - Review
    - Create user
    - Secret access key / Show
      - (copy the Access key ID and Secret access key, along with the master key ARN from above, and save them)
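The console clicks above produce an IAM policy document; the following added example (not part of the original tutorial) builds that document for a key ARN in the page's format and then checks any policy document for the over-broad grants the note at the top warns about (kms:* actions, wildcard resources, or a resource that is not a single key ARN). The key ARN is the page's own placeholder; `build_encrypt_decrypt_policy` and `find_overbroad_kms_grants` are names chosen here.

```python
import json

# Placeholder key ARN in the page's format (constructed, not a real key).
EXAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:1234:key/abcd-abcd-012345"


def build_encrypt_decrypt_policy(key_arn):
    """Return the IAM policy document the console steps above produce:
    only kms:Encrypt and kms:Decrypt, scoped to exactly one key ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowEncryptDecryptOnProjectKey",
                "Effect": "Allow",
                "Action": ["kms:Encrypt", "kms:Decrypt"],
                "Resource": [key_arn],
            }
        ],
    }


def _as_list(value):
    # IAM accepts either a single string or a list in Action/Resource.
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def find_overbroad_kms_grants(policy):
    """Return findings for Allow statements that grant KMS access more broadly
    than a named set of actions on a single key ARN (the least-privilege model)."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        # "*" alone covers every service, KMS included.
        kms_actions = [a for a in actions if a == "*" or a.lower().startswith("kms:")]
        if not kms_actions:
            continue
        for action in kms_actions:
            if "*" in action:
                findings.append(f"statement {idx}: wildcard KMS action {action!r}")
        for res in resources:
            if "*" in res:
                findings.append(f"statement {idx}: wildcard resource {res!r} for KMS actions")
            elif ":key/" not in res:
                findings.append(f"statement {idx}: resource {res!r} is not a single key ARN")
    return findings


def policy_json(policy):
    """Render the document as the JSON you would paste into the IAM console's JSON editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    good = build_encrypt_decrypt_policy(EXAMPLE_KEY_ARN)
    print(policy_json(good))
    print("findings (least-privilege policy):", find_overbroad_kms_grants(good))

    # The anti-pattern from the note above: kms:* on every key in the account.
    bad = {"Version": "2012-10-17",
           "Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}
    for finding in find_overbroad_kms_grants(bad):
        print("finding (over-broad policy):", finding)
```

Run the checker against policies exported from your account (for example the JSON from `aws iam get-policy-version`) before attaching them to the service account; an empty findings list is the expected result for the policy created in the steps above.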
Note: a local key file should only be used in a non-production test environment.
- For Linux & Mac, from a terminal:

```bash
echo $(head -c 96 /dev/urandom | base64 | tr -d '\n')
```

- For Win 8.x/2012+, from a command prompt:

```powershell
powershell -command "$r=[byte[]]::new(96);$g=[System.Security.Cryptography.RandomNumberGenerator]::Create();$g.GetBytes($r);[Convert]::ToBase64String($r)"
```
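Both commands above emit 96 random bytes as a single base64 line. As an added, cross-platform example (not from the original tutorial), the Python below generates the same 96-byte key from the OS CSPRNG and, more usefully, validates a key read back from a file: it rejects malformed base64, a key that was line-wrapped (the case the `tr -d '\n'` in the Linux command guards against) and a key of the wrong length, instead of handing a truncated key to the client. The function names are chosen here; the 96-byte size is the one the page's commands use.

```python
import base64
import secrets

# The local master key is 96 bytes, matching `head -c 96 /dev/urandom`
# and the 96-byte buffer filled by the PowerShell command above.
LOCAL_KEY_BYTES = 96


def generate_local_key_b64():
    """Generate a fresh 96-byte key from the OS CSPRNG, base64-encoded on one line."""
    return base64.b64encode(secrets.token_bytes(LOCAL_KEY_BYTES)).decode("ascii")


def load_local_key(b64_text):
    """Decode a base64 local key and verify it is exactly 96 bytes.

    validate=True makes any non-alphabet character (including an embedded
    newline from a line-wrapped base64 tool) raise binascii.Error, a
    ValueError subclass; only a trailing newline is tolerated via strip()."""
    raw = base64.b64decode(b64_text.strip(), validate=True)
    if len(raw) != LOCAL_KEY_BYTES:
        raise ValueError(f"local key must be {LOCAL_KEY_BYTES} bytes, got {len(raw)}")
    return raw


def is_valid_local_key(b64_text):
    """Boolean form of load_local_key for quick checks at startup."""
    try:
        load_local_key(b64_text)
        return True
    except (ValueError, TypeError):
        return False


if __name__ == "__main__":
    key_b64 = generate_local_key_b64()
    print(key_b64)  # 128 base64 characters on one line
    print(len(load_local_key(key_b64)), "bytes decoded")
```

Treat the generated line like any other secret: write it to a file readable only by the test process, and keep it out of source control, in line with the note above that a local key file belongs only in a non-production test environment.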
Hi Kenn, thanks for the above information. Is this code also tested with any other KMS provider, e.g. HashiCorp/GCP/Azure? Could not find anything definitive on CSFLE supporting this KMIP server, but in your comments there is an indication that this is possible. Just trying to check - thanks in advance. There is a feature request also at the MongoDB support forum:
https://feedback.mongodb.com/forums/924286-drivers/suggestions/41197198-csfle-integration-with-more-kms-providers-like-h