DOCSP-33129 Recommend keyVersion field for dataKeyOpts with Azure KV (#4960)

nvillahermosa-mdb · web-flow · commit 569c2384b762 · 2023-10-10T15:36:41.000-04:00
* Recommended usage of keyVersion field for dataKeyOpts when using Azure as the KMS

* Moved disclaimer after table rather than within

* Externalized Azure KV warning to an include

* Fixed MongoDB to Azure KV for which performs encryption
diff --git a/source/core/queryable-encryption/fundamentals/manage-keys.txt b/source/core/queryable-encryption/fundamentals/manage-keys.txt
@@ -68,8 +68,8 @@ Procedure
       documentation:
 
       - AWS: `Rotating AWS KMS Keys <https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html>`__
-      - Azure: `Configure cryptographic key auto-rotation in Azure key
-        vault <https://learn.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation>`__
+      - Azure: `Configure cryptographic key auto-rotation in Azure Key
+        Vault <https://learn.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation>`__
       - GCP: `Rotate a key <https://cloud.google.com/kms/docs/rotate-key>`__
 
       Once you rotate the {+cmk-abbr+}, MongoDB uses it to wrap all new
diff --git a/source/includes/queryable-encryption/qe-csfle-warning-azure-keyversion.rst b/source/includes/queryable-encryption/qe-csfle-warning-azure-keyversion.rst
@@ -0,0 +1,9 @@
+.. warning::
+
+    If you do not include a ``keyVersion`` field, {+azure-kv+} attempts
+    to decrypt {+dek-long+}s using the latest {+cmk-long+}. If you
+    rotate the {+cmk-abbr+} but do not :ref:`rewrap the
+    {+dek-long+}s <qe-fundamentals-manage-keys>` with the new
+    master key, attempting to decrypt an existing {+dek-abbr+}
+    fails, since the {+dek-abbr+} is encrypted with the previous
+    version of the {+cmk-abbr+}.
diff --git a/source/includes/queryable-encryption/reference/kms-providers/azure.rst b/source/includes/queryable-encryption/reference/kms-providers/azure.rst
@@ -68,9 +68,11 @@ Azure Key Vault:
     - Name of the master key
 
   * - keyVersion
-    - No
+    - No, but strongly recommended
     - Version of the master key
 
   * - keyVaultEndpoint
     - Yes
     - URL of the key vault. E.g. myVaultName.vault.azure.net
+
+.. include:: /includes/queryable-encryption/qe-csfle-warning-azure-keyversion.rst
diff --git a/source/includes/reference/kms-providers/azure.rst b/source/includes/reference/kms-providers/azure.rst
@@ -68,9 +68,11 @@ Azure Key Vault:
     - Name of the master key
 
   * - keyVersion
-    - No
+    - No, but strongly recommended
     - Version of the master key
 
   * - keyVaultEndpoint
     - Yes
     - URL of the key vault. E.g. myVaultName.vault.azure.net
+
+.. include:: /includes/queryable-encryption/qe-csfle-warning-azure-keyversion.rst
