Data at Rest Encryption

Data at rest encryption for the WiredTiger storage engine in MongoDB was introduced in MongoDB Enterprise version 3.2 to ensure that encrypted data files can be decrypted and read by parties with the decryption key.

Differences from Upstream

The data encryption at rest in Percona Server for MongoDB is introduced in version 3.6 to be compatible with data encryption at rest interface in MongoDB. In the current release of Percona Server for MongoDB, the data encryption at rest does not include support for KMIP, or Amazon AWS key management services.

Two types of keys are used for data at rest encryption:

  • Database keys to encrypt data. They are stored internally, near the data that they encrypt.
  • The master key to encrypt database keys. It is kept separately from the data and database keys and requires external management.

To manage the master key, use one of the supported key management options:

  • Integration with an external key server (recommended). Percona Server for MongoDB is integrated with HashiCorp Vault for this purpose.
  • Local key management using a keyfile.

Note that you can use only one of the key management options at a time. However, you can switch from one management option to another (e.g. from a keyfile to HashiCorp Vault). Refer to Migrating from Key File Encryption to HashiCorp Vault Encryption section for details.

Important

You can only enable data at rest encryption and provide all encryption settings on an empty database, when you start the mongod instance for the first time. You cannot enable or disable encryption while the Percona Server for MongoDB server is already running and / or has some data. Nor can you change the effective encryption mode by simply restarting the server. Every time you restart the server, the encryption settings must be the same.

Important Configuration Options

Percona Server for MongoDB supports the encryptionCipherMode option where you choose one of the following cipher modes:

  • AES256-CBC
  • AES256-GCM

By default, the AES256-CBC cipher mode is applied. The following example demonstrates how to apply the AES256-GCM cipher mode when starting the mongod service:

$ mongod ... --encryptionCipherMode AES256-GCM

HashiCorp Vault Integration

Percona Server for MongoDB is integrated with HashiCorp Vault. HashiCorp Vault supports different secrets engines. Percona Server for MongoDB only supports the HashiCorp Vault back end with KV Secrets Engine - Version 2 (API) with versioning enabled.

See also

Percona Blog: Using Vault to Store the Master Key for Data at Rest Encryption on Percona Server for MongoDB
https://www.percona.com/blog/2020/04/21/using-vault-to-store-the-master-key-for-data-at-rest-encryption-on-percona-server-for-mongodb/
How to configure the KV Engine:
https://www.vaultproject.io/api/secret/kv/kv-v2.html

HashiCorp Vault Parameters

Command line Config file Type Description
vaultServerName security.vault.serverName string The IP address of the Vault server
vaultPort security.vault.port int The port on the Vault server
vaultTokenFile security.vault.tokenFile string

The path to the vault token file. The token file is used by MongoDB to access HashiCorp Vault. The vault token file consists of the raw vault token and does not include any additional strings or parameters.

Example of a vault token file:

s.uTrHtzsZnEE7KyHeA797CkWA
vaultSecret security.vault.secret string

The path to the vault secret. Note that vault secrets path format must be:

<vault_secret_mount>/data/<custom_path>

where:

  • <vault_secret_mount> is your Vault KV Secrets Engine;
  • data is the mandatory path prefix required by Version 2 API;
  • <custom_path> is your secrets path

Example:

secret_v2/data/psmdb-test/rs1-27017

Note

It is recommended to use different secret paths for every database node.

vaultRotateMasterKey security.vault.rotateMasterKey switch Enables master key rotation
vaultServerCAFile security.vault.serverCAFile string The path to the TLS certificate file
vaultDisableTLSForTesting security.vault.disableTLSForTesting switch Disables secure connection to HashiCorp Vault using SSL/TLS client certificates

Config file example

security:
  enableEncryption: true
  vault:
    serverName: 127.0.0.1
    port: 8200
    tokenFile: /home/user/path/token
    secret: secret/data/hello

During the first run of the Percona Server for MongoDB, the process generates a secure key and writes the key to the vault.

During the subsequent start, the server tries to read the master key from the vault. If the configured secret does not exist, vault responds with HTTP 404 error.

Key Rotation

Key rotation is replacing the old master key with a new one. This process helps to comply with regulatory requirements.

To rotate the keys for a single mongod instance, do the following:

  1. Stop the mongod process
  2. Add --vaultRotateMasterKey option via the command line or security.vault.rotateMasterKey to the config file.
  3. Run the mongod process with the selected option, the process will perform the key rotation and exit.
  4. Remove the selected option from the startup command or the config file.
  5. Start mongod again.

Rotating the master key process also re-encrypts the keystore using the new master key. The new master key is stored in the vault. The entire dataset is not re-encrypted.

For a replica set, the steps are the following:

  1. Rotate the master key for the secondary nodes one by one.
  2. Step down the primary and wait for another primary to be elected.
  3. Rotate the master key for the previous primary node.

Local key management using a keyfile

The key file must contain a 32 character string encoded in base64. You can generate a random key and save it to a file by using the openssl command:

$ openssl rand -base64 32 > mongodb-keyfile

Then, as the owner of the mongod process, update the file permissions: only the owner should be able to read and modify this file. The effective permissions specified with the chmod command can be:

  • 600 - only the owner may read and modify the file
  • 400 - only the owner may read the file.
$ chmod 600 mongodb-keyfile

Enable the data encryption at rest in Percona Server for MongoDB by setting these options:

  • --enableEncryption to enable data at rest encryption
  • --encryptionKeyFile to specify the path to a file that contains the encryption key
$ mongod ... --enableEncryption --encryptionKeyFile <fileName>

By default, Percona Server for MongoDB uses the AES256-CBC cipher mode. If you want to use the AES256-GCM cipher mode, then use the encryptionCipherMode parameter to change it.

If mongod is started with the --relaxPermChecks option and the key file is owned by root, then mongod can read the file based on the group bit set accordingly. The effective key file permissions in this case are:

  • 440 - both the owner and the group can only read the file, or
  • 640 - only the owner can read and the change the file, the group can only

read the files.

See also

MongoDB Documentation: Configure Encryption
https://docs.mongodb.com/manual/tutorial/configure-encryption/#local-key-management
Percona Blog: WiredTiger Encryption at Rest with Percona Server for MongoDB
https://www.percona.com/blog/2018/11/01/wiredtiger-encryption-at-rest-percona-server-for-mongodb/

All these options can be specified in the configuration file:

security:
   enableEncryption: <boolean>
   encryptionCipherMode: <string>
   encryptionKeyFile: <string>
   relaxPermChecks: <boolean>

See also

MongoDB Documentation: How to set options in a configuration file
https://docs.mongodb.com/manual/reference/configuration-options/index.html#configuration-file

Encrypting Rollback Files

Starting from version 3.6, Percona Server for MongoDB also encrypts rollback files when data at rest encryption is enabled. To inspect the contents of these files, use perconadecrypt. This is a tool that you run from the command line as follows:

$ perconadecrypt --encryptionKeyFile FILE  --inputPath FILE --outputPath FILE [--encryptionCipherMode MODE]

When decrypting, the cipher mode must match the cipher mode which was used for the encryption. By default, the --encryptionCipherMode option uses the AES256-CBC mode.

Parameters of perconadecrypt

Option Purpose
–encryptionKeyFile The path to the encryption key file
–encryptionCipherMode The cipher mode for decryption. The supported values are AES256-CBC or AES256-GCM
–inputPath The path to the encrypted rollback file
–outputPath The path to save the decrypted rollback file

Migrating from Key File Encryption to HashiCorp Vault Encryption

The steps below describe how to migrate from the key file encryption to using HashiCorp Vault.

Note

This is a simple guideline and it should be used for testing purposes only. We recommend to use Percona Consulting Services to assist you with migration in production environment.

Assumptions

We assume that you have installed and configured the vault server and enabled the KV Secrets Engine as the secrets storage for it.

  1. Stop mongod.

    $ sudo systemctl stop mongod
    
  2. Insert the key from keyfile into the HashiCorp Vault server to the desired secret path.

    # Retrieve the key value from the keyfile
    $ sudo cat /data/key/mongodb.key
    d0JTFcePmvROyLXwCbAH8fmiP/ZRm0nYbeJDMGaI7Zw=
    # Insert the key into vault
    $ vault kv put secret/dc/psmongodb1 value=d0JTFcePmvROyLXwCbAH8fmiP/ZRm0nYbeJDMGaI7Zw=
    

    Note

    Vault KV Secrets Engine uses different read and write secrets paths. To insert data to vault, specify the secret path without the data/ prefix.

  3. Edit the configuration file to provision the HashiCorp Vault configuration options instead of the key file encryption options.

    security:
       enableEncryption: true
       vault:
          serverName: 10.0.2.15
          port: 8200
          secret: secret/data/dc/psmongodb1
          tokenFile: /etc/mongodb/token
          serverCAFile: /etc/mongodb/vault.crt
    
  4. Start the mongod service

    $ sudo systemctl start mongod
    

Contact Us

For free technical help, visit the Percona Community Forum.
To report bugs or submit feature requests, open a JIRA ticket.
For paid support and managed or professional services, contact Percona Sales.