WiredTiger Encryption at Rest with Percona Server for MongoDB


Encryption has become an important function in the database industry, as most companies take extra care to keep their data safe. Data must be protected both on disk and while it moves across the network, so that unauthorized access is prevented in either place. These two kinds of protection are known as encryption at REST, for data in storage, and encryption in TRANSPORT, for data moving across the network.

In upstream MongoDB, data encryption at rest is available, but only in the Enterprise edition. Those who use the Community edition and want encryption at rest have to fall back on disk-level or file-system encryption (such as LUKS or dm-crypt) to get the same effect. That does encrypt the data, but it adds the complexity of implementing and maintaining an extra set of operations. We have seen some customers run into trouble after implementing storage-level encryption because of bugs in the encryption software.

Now the good NEWS!

Percona Server for MongoDB 3.6.8-2.0 now provides WiredTiger encryption at rest, in BETA, and it is free to use. This feature encrypts only the MongoDB data rather than the whole storage volume. More importantly, it takes very few steps and is easy to enable when starting the database. It is currently available only for the WiredTiger engine, and it encrypts the data using local key management via a keyfile. We expect future releases to support third-party key management and vaults.

How to implement encryption:

The example below shows how to implement WiredTiger encryption at rest in Percona Server for MongoDB:

Add the encryption options below into mongod.conf:

By default, Percona Server for MongoDB uses the AES256-CBC cipher mode. To use AES256-GCM instead, change it with the encryptionCipherMode parameter. CBC and GCM work differently: compared with each other, CBC is faster and GCM is safer. I found some interesting discussion and benchmarks here and here.

Create your key with openssl as below:

Now start Percona Server for MongoDB:

How to confirm that you have enabled encryption at rest in Percona Server for MongoDB:

To check whether encryption was enabled successfully, use the command below:

Search for the string “percona_encryption_extension_init” in your log file:
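The whole procedure above (keyfile creation, mongod.conf options, startup, log check) as one added shell example. This is not code from the original post or from Percona's own tooling. It assumes that the option names under `security:` (enableEncryption, encryptionKeyFile, encryptionCipherMode) are the ones Percona Server for MongoDB reads, that the key is 32 random bytes base64-encoded as produced by `openssl rand -base64 32`, and that the keyfile must be readable by its owner only; the keyfile path and the sample log line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): create a local keyfile with
# restrictive permissions, emit the mongod.conf options for WiredTiger
# encryption at rest, and verify the result once mongod has started.
# Assumed option names: security.enableEncryption, security.encryptionKeyFile,
# security.encryptionCipherMode (Percona Server for MongoDB). Assumed key
# format: 32 random bytes, base64-encoded, file mode 0600.
set -eu

# Write a fresh key (32 random bytes, base64) to $1. The subshell umask makes
# the file 0600 from the moment it is created, so the key is never world-readable.
make_key() {
    ( umask 077
      if command -v openssl >/dev/null 2>&1; then
          openssl rand -base64 32 > "$1"
      else
          head -c 32 /dev/urandom | base64 > "$1"   # fallback if openssl is absent
      fi )
    chmod 600 "$1"
}

# Succeed only if $1 exists, is non-empty and has mode exactly 0600.
check_key_perms() {
    [ -s "$1" ] && [ -n "$(find "$1" -perm 600 2>/dev/null)" ]
}

# Print the security section to append to mongod.conf.
# $1 = keyfile path, $2 = cipher mode (defaults to AES256-CBC, the server default).
encryption_conf() {
    keyfile=$1
    mode=${2:-AES256-CBC}
    case "$mode" in
        AES256-CBC|AES256-GCM) ;;
        *) echo "unsupported cipher mode: $mode (use AES256-CBC or AES256-GCM)" >&2; return 1 ;;
    esac
    printf 'security:\n  enableEncryption: true\n  encryptionKeyFile: %s\n  encryptionCipherMode: %s\n' \
        "$keyfile" "$mode"
}

# After mongod is up, succeed if its log records the encryption extension
# being initialised (the string the post tells you to search for).
log_shows_encryption() {
    grep -q 'percona_encryption_extension_init' "$1"
}

# Usage: sh encrypt-at-rest.sh setup [/path/to/keyfile] [AES256-CBC|AES256-GCM]
if [ "${1:-}" = "setup" ]; then
    KEYFILE=${2:-/etc/mongodb-keyfile}        # placeholder path, choose your own
    make_key "$KEYFILE"
    check_key_perms "$KEYFILE" || { echo "keyfile permissions are not 0600" >&2; exit 1; }
    encryption_conf "$KEYFILE" "${3:-AES256-CBC}"
    echo "# append the block above to mongod.conf, then: mongod --config /etc/mongod.conf" >&2
    echo "# afterwards: log_shows_encryption /var/log/mongodb/mongod.log" >&2
fi
```

The keyfile is created under a 077 umask rather than chmod'ed afterwards so there is no window in which it is readable by other local users; mongod must run as the owner of that file. The log check is deliberately a separate function so it can be run after startup, independently of the setup step.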

We hope this helped you encrypt your MongoDB data with the Percona Server for MongoDB 3.6.8-2.0 package. We will let you know as soon as future versions support third-party key management and vaults!


Photo by Wayne Chan on Unsplash


Comments (2)

  • Nils Reply

    Great feature addition, with one caveat:
    Other than being able to check off an item during an audit, what is the value of an encrypted system when you keep the key in plain text on the hard drive? It’s a pattern I see rather often. With local key management it’ll probably happen that the key is stored with the data and is available at rest, rendering the whole encryption moot.

    This is great to measure the impact of encryption, but in production I’d rather have some other way to supply the key (even just obtaining it from a command instead would be enough).

    November 2, 2018 at 4:51 am
  • Adam Reply

    I have the same observation as Nils. Love the feature. Wish I had integration with a key provider, and I only mention that as a story for a future release.

    November 14, 2018 at 11:32 am
