Data at Rest Encryption

Data at rest encryption for the WiredTiger storage engine in MongoDB was introduced in MongoDB Enterprise version 3.2 to ensure that encrypted data files can be decrypted and read only by parties with the decryption key.

Differences from Upstream

Data at rest encryption in Percona Server for MongoDB was introduced in version 3.6 and is compatible with data at rest encryption in MongoDB. In the current release of Percona Server for MongoDB, data at rest encryption does not include support for the KMIP, HashiCorp Vault or Amazon AWS key management services.

Encrypting Rollback Files

Starting from version 3.6, Percona Server for MongoDB also encrypts rollback files when data at rest encryption is enabled. To inspect the contents of these files, use perconadecrypt, a command-line tool that you run as follows:

$ perconadecrypt --encryptionKeyFile FILE --inputPath FILE --outputPath FILE [--encryptionCipherMode MODE]

When decrypting, the cipher mode must match the cipher mode that was used for encryption. By default, the --encryptionCipherMode option uses AES256-CBC.

Parameters of perconadecrypt

Option                  Purpose
--encryptionKeyFile     The path to the encryption key file
--encryptionCipherMode  The cipher mode for decryption. The supported values are AES256-CBC and AES256-GCM
--inputPath             The path to the encrypted rollback file
--outputPath            The path to save the decrypted rollback file
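Because a rollback file can only be decrypted with the mode it was written under, the safest way to pick --encryptionCipherMode is to read it from the same mongod.conf the server was started with (falling back to the AES256-CBC default when the option is absent). The following shell functions do that and print the resulting perconadecrypt command line for review. This is an added example, not a tool shipped with Percona Server for MongoDB; it assumes a YAML configuration file with the security section shown on this page, and the config file and paths used in the comments are illustrative.

```shell
#!/bin/sh
# Added example (not part of the Percona documentation): derive the cipher
# mode and key file for perconadecrypt from the server's own mongod.conf so
# that decryption uses the same mode the rollback files were written with.
# Assumes a YAML config with a `security:` section as shown on this page.

# Print the value of one security option from the config (first match,
# surrounding quotes stripped), or nothing when the option is not set.
config_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d "\"' "
}

# Print the effective cipher mode: the configured value, or AES256-CBC, the
# server default, when encryptionCipherMode is absent. Fails on any value the
# server does not support, so a typo in the config surfaces here.
cipher_mode_from_config() {
    mode=$(config_value "$1" encryptionCipherMode)
    [ -n "$mode" ] || mode=AES256-CBC
    case "$mode" in
        AES256-CBC|AES256-GCM) printf '%s\n' "$mode" ;;
        *) echo "unsupported encryptionCipherMode: $mode" >&2; return 1 ;;
    esac
}

# Print the perconadecrypt command line for one rollback file, taking the key
# file and cipher mode from mongod.conf. Printed rather than executed so the
# operator can check the paths before running it as the mongod owner.
decrypt_rollback_cmd() {
    conf=$1 input=$2 output=$3
    keyfile=$(config_value "$conf" encryptionKeyFile)
    [ -n "$keyfile" ] || { echo "encryptionKeyFile not set in $conf" >&2; return 1; }
    mode=$(cipher_mode_from_config "$conf") || return 1
    printf 'perconadecrypt --encryptionKeyFile %s --inputPath %s --outputPath %s --encryptionCipherMode %s\n' \
        "$keyfile" "$input" "$output" "$mode"
}

# Typical use (paths are illustrative):
#   decrypt_rollback_cmd /etc/mongod.conf /var/lib/mongodb/rollback/x.bson /tmp/x.dec
```

Run the printed command as the user that owns the key file; the decrypted output should be written to a location with the same restrictive permissions as the key file, since it contains plaintext database records.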

Important Configuration Options

Percona Server for MongoDB supports the encryptionCipherMode option where you choose one of the following cipher modes:

  • AES256-CBC
  • AES256-GCM

By default, the AES256-CBC cipher mode is applied. The following example demonstrates how to apply the AES256-GCM cipher mode when starting the mongod service:

$ mongod ... --encryptionCipherMode AES256-GCM

Percona Server for MongoDB also supports the options exposed by the upstream solution:

  • --enableEncryption to enable data at rest encryption
  • --encryptionKeyFile to specify the path to a file that contains the encryption key

$ mongod ... --enableEncryption --encryptionKeyFile <fileName>

The key file must contain a 32-character string encoded in base64. You can generate a random key and save it to a file by using the openssl command:

$ openssl rand -base64 32 > mongodb-keyfile

Then, as the owner of the mongod process, update the file permissions so that only the owner can read and modify the file:

$ chmod 600 mongodb-keyfile

All these options can be specified in the configuration file:

security:
   enableEncryption: <boolean>
   encryptionCipherMode: <string>
   encryptionKeyFile: <string>
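The key generation, permission change and configuration steps above fit naturally into one script that also verifies the result before mongod is pointed at it: that the file is mode 600 and that its base64 content decodes to exactly 32 bytes, the length of an AES-256 key. The following POSIX shell functions are an added example, not part of the Percona documentation or product; they assume coreutils (base64, stat, chmod) and either openssl or /dev/urandom, and the paths in the comments are illustrative.

```shell
#!/bin/sh
# Added example (not from the Percona documentation): create the key file,
# restrict it to the mongod owner, verify it decodes to a 32-byte key, and
# write the matching security section of mongod.conf.
# Assumes coreutils (base64, stat, chmod) and openssl or /dev/urandom.

# Generate a random key and store it base64-encoded, as the page's
# `openssl rand -base64 32 > mongodb-keyfile` does. The file is created in a
# subshell under umask 077 so it is never group- or world-readable, even briefly.
generate_keyfile() {
    keyfile=$1
    (
        umask 077
        if command -v openssl >/dev/null 2>&1; then
            openssl rand -base64 32 > "$keyfile"
        else
            head -c 32 /dev/urandom | base64 > "$keyfile"
        fi
    )
    chmod 600 "$keyfile"
}

# Return 0 only if the file is mode 600 and its base64 content decodes to
# exactly 32 bytes (a 256-bit key); otherwise explain the problem on stderr.
check_keyfile() {
    keyfile=$1
    [ -f "$keyfile" ] || { echo "missing key file: $keyfile" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as a fallback
    mode=$(stat -c '%a' "$keyfile" 2>/dev/null || stat -f '%Lp' "$keyfile")
    if [ "$mode" != "600" ]; then
        echo "$keyfile has mode $mode, expected 600" >&2
        return 1
    fi
    nbytes=$(base64 -d < "$keyfile" 2>/dev/null | wc -c | tr -d ' ')
    if [ "$nbytes" != "32" ]; then
        echo "$keyfile decodes to $nbytes bytes, expected 32" >&2
        return 1
    fi
}

# Write the security section shown on this page with concrete values.
# MODE defaults to AES256-CBC, the server default.
write_security_config() {
    conf=$1 keyfile=$2 mode=${3:-AES256-CBC}
    cat > "$conf" <<EOF
security:
  enableEncryption: true
  encryptionCipherMode: $mode
  encryptionKeyFile: $keyfile
EOF
}

# Typical use, run as the mongod owner (paths are illustrative):
#   generate_keyfile /etc/mongodb-keyfile
#   check_keyfile /etc/mongodb-keyfile &&
#       write_security_config /etc/mongod.conf /etc/mongodb-keyfile AES256-GCM
```

Running check_keyfile again after any key rotation or file copy is a cheap guard against the two common failure modes: a key that was hand-edited or truncated and no longer decodes to 32 bytes, and a copy that picked up the default umask and is readable by other local users.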

See also

MongoDB Documentation: How to set options in a configuration file
https://docs.mongodb.com/manual/reference/configuration-options/index.html#configuration-file