We really enjoyed presenting Percona Server for MongoDB’s data-at-rest encryption functionality. The webinar Percona Server for MongoDB Data-at-Rest Encryption was recorded and can be viewed here at any time. We had several great questions, which we would like to address with everyone and help further elaborate on the answers given during the webinar.
Q: Where can you keep encryption keys for Percona Server for MongoDB?
A: You can store them locally on the server where mongod process runs or separately, in an external secret manager. Percona Server for MongoDB supports integration with Hashicorp Vault. From the security perspective, it is recommended to store the encryption key outside of the server that it secures. We have a blog post that describes how to configure Vault to work with Percona Server for MongoDB.
Q: Does Percona Monitoring and Management (PMM) support slow queries for Percona Server for MongoDB?
A: Yes, PMM supports query analytics for MongoDB (both Percona Server for MongoDB and MongoDB Community Edition) since version 3.2. The Query Analytics dashboard shows how queries are executed and where they spend their time. It helps you analyze database queries over time, optimize database performance, and find and remedy the source of problems.
Q: Is data-at-rest encryption supported for any versions before Percona Server for MongoDB 4.0?
A: Yes, Percona Server for MongoDB supports Wired Tiger data-at-rest encryption since version 3.6.
Q: Is Hashicorp Vault supported in Percona Server for MongoDB 3.6?
A: Yes, Hashicorp Vault integration was introduced in version 4.0.10 of Percona Server for MongoDB and then backported to 3.6.13.
Q: Do we have any documents for how to implement data-at-rest encryption for Percona Server for MongoDB?
A: This documentation shows how to enable data-at-rest encryption for Percona Server for MongoDB and this blog post here shows how to configure Hashicorp Vault to work with Percona Server for MongoDB.
Q: Do you need a separate master key for each member in a replica set or sharded cluster?
A: No, it’s not mandatory, however, from the security perspective it’s strongly recommended to have a separate master key for each node in your replica set or shared cluster.
Q: How would you recover your database if you lose your master key?
A: If you lose your master key, your only option to recover your database is from backup. Logical backups can be used in such cases as their encryption is handled independently from data-at-rest encryption.
Q: When you enable data-at-rest encryption, is the admin database also encrypted?
A: Yes, all databases are encrypted when encryption is enabled, effectively the MongoDB admin database is encrypted too.
Q: What are the CPU overhead implications when data-at-rest encryption is enabled?
A: The exact overhead differs use case by use case (e.g. how much data fits the memory when you read it, what datatypes do you use), but overall estimations are between 5%-10% CPU overhead with the data-at-rest encryption enabled
Q: If you have to remove all the data to enable data-at-rest encryption, does that mean that each secondary in production will then need full initial sync after restarting mongod with the new security features?
A: Yes. You would want to do this on all the secondaries first, step down the primary, and then do this on the previous primary which is now secondary.
Q: If I convert a node to Percona Server for MongoDB, can I convert it back to MongoDB Community Edition if I find a bug?
A: Yes, migration is easy in both ways, you’re not forced to stay on Percona Server for MongoDB. If you find a bug, however, we encourage you to file the bug report to our Jira, seek help on our forums, or consider getting a Support subscription if you’re environment is mission-critical. Percona Server for MongoDB is entirely based on MongoDB Community Edition codebase, thus, it’s very likely that you’ll find the same bugs in MongoDB Community Edition.
Q: How long does master key rotation take with respect to data size?
A: Data size isn’t related to the master key rotation procedure time. In accordance with the envelope encryption model, the key rotation procedure re-encrypts a keystore (the place where all database-specific keys are stored) not the dataset itself.
Q: Does Percona Server for MongoDB support AWS KMS?
A: At this time no. When such a feature is available, there will be an announcement.
Q: Does Percona Server for MongoDB support client-side encryption?
A: Yes. Client-side encryption is entirely a client (application) responsibility. If the application encrypts the data prior to storing it in Percona Server for MongoDB, there’s nothing that Percona Server for MongoDB does or does not support.