Data at Rest Encryption

Availability:This feature is considered BETA quality. Do not use the data at rest encryption in a production environment.

Data at rest encryption for the WiredTiger storage engine in MongoDB was introduced in MongoDB Enterprise version 3.2 to ensure that encrypted data files can be decrypted and read by parties with the decryption key.



data encryption at rest in Percona Server for MongoDB will not encrypt data backups created by mongodump or mongoexport utilities, AuditLog, general log and diagnostic data. Hot backups, however, are encrypted.

Differences from Upstream

Although the data encryption at rest in Percona Server for MongoDB accepts similar options as MongoDB Enterprise with data encryption at rest, the Percona Server for MongoDB binary is not a drop-in replacement of mongod from MongoDB Enterprise. In the current release of Percona Server for MongoDB, the data encryption at rest does not include support for KMIP, HashiCorp Vault or Amazon AWS key management services.

Important Configuration Options

Percona Server for MongoDB supports the encryptionCipherMode option where you choose one of the following cipher modes:

  • AES256-CBC
  • AES256-GCM

By default, the AES256-CBC cipher mode is applied. The following example demonstrates how to apply the AES256-GCM cipher mode when starting the mongod service:

$ mongod ... --encryptionCipherMode AES256-GCM

Percona Server for MongoDB also supports the options exposed by the upstream solution:

  • --enableEncryption to enable data at rest encryption
  • --encryptionKeyFile to specify the path to a file that contains the encryption key
$ mongod ... --enableEncryption --encryptionKeyFile <fileName>

The key file must contain a 32 character string encoded in base64. You can generate a random key and save it to a file by using the openssl command:

$ openssl rand -base64 32 > mongodb-keyfile

Then, as the owner of the mongod process, update the file permissions: only the owner should be able to read and modify this file:

$ chmod 600 mongodb-keyfile

All these options can be specified in the configuration file:

   enableEncryption: <boolean>
   encryptionCipherMode: <string>
   encryptionKeyFile: <string>

See also

MongoDB Documentation: How to set options in a configuration file