Data at Rest Encryption¶
Data at rest encryption for the WiredTiger storage engine in MongoDB was introduced in MongoDB Enterprise version 3.2 to ensure that encrypted data files can be decrypted and read by parties with the decryption key.
- MongoDB Documentation: Encryption at Rest
Differences from Upstream
The data encryption at rest in Percona Server for MongoDB is introduced in version 3.6 to be compatible with data encryption at rest interface in MongoDB. In the current release of Percona Server for MongoDB, the data encryption at rest does not include support for KMIP, or Amazon AWS key management services.
Two types of keys are used for data at rest encryption:
- Database keys to encrypt data. They are stored internally, near the data that they encrypt.
- The master key to encrypt database keys. It is kept separately from the data and database keys and requires external management.
To manage the master key, use one of the supported key management options:
- Integration with an external key server (recommended). Percona Server for MongoDB is integrated with HashiCorp Vault for this purpose.
- Local key management using a keyfile.
Note that you can use only one of the key management options at a time. However, you can switch from one management option to another (e.g. from a keyfile to HashiCorp Vault). Refer to Migrating from Key File Encryption to HashiCorp Vault Encryption section for details.
You can only enable data at rest encryption and provide all encryption settings on an empty database, when you start the
mongod instance for the first time. You cannot enable or disable encryption while the Percona Server for MongoDB server is already running and / or has some data. Nor can you change the effective encryption mode by simply restarting the server. Every time you restart the server, the encryption settings must be the same.
Important Configuration Options
Percona Server for MongoDB supports the
encryptionCipherMode option where you choose one of the following cipher modes:
By default, the AES256-CBC cipher mode is applied. The following example demonstrates how to apply the AES256-GCM cipher mode when starting the mongod service:
$ mongod ... --encryptionCipherMode AES256-GCM
- MongoDB Documentation: encryptionCipherMode Option
Percona Server for MongoDB is integrated with HashiCorp Vault. HashiCorp Vault supports different secrets engines. Percona Server for MongoDB only supports the HashiCorp Vault back end with KV Secrets Engine - Version 2 (API) with versioning enabled.
- Percona Blog: Using Vault to Store the Master Key for Data at Rest Encryption on Percona Server for MongoDB
- How to configure the KV Engine:
HashiCorp Vault Parameters
|Command line||Config file||Type||Description|
|vaultServerName||security.vault.serverName||string||The IP address of the Vault server|
|vaultPort||security.vault.port||int||The port on the Vault server|
The path to the vault token file. The token file is used by MongoDB to access HashiCorp Vault. The vault token file consists of the raw vault token and does not include any additional strings or parameters.
Example of a vault token file:
The path to the vault secret. Note that vault secrets path format must be:
It is recommended to use different secret paths for every database node.
|vaultRotateMasterKey||security.vault.rotateMasterKey||switch||Enables master key rotation|
|vaultServerCAFile||security.vault.serverCAFile||string||The path to the TLS certificate file|
|vaultDisableTLSForTesting||security.vault.disableTLSForTesting||switch||Disables secure connection to HashiCorp Vault using SSL/TLS client certificates|
Config file example
security: enableEncryption: true vault: serverName: 127.0.0.1 port: 8200 tokenFile: /home/user/path/token secret: secret/data/hello
During the first run of the Percona Server for MongoDB, the process generates a secure key and writes the key to the vault.
During the subsequent start, the server tries to read the master key from the vault. If the configured secret does not exist, vault responds with HTTP 404 error.
Key rotation is replacing the old master key with a new one. This process helps to comply with regulatory requirements.
To rotate the keys for a single
mongod instance, do the following:
- Stop the
--vaultRotateMasterKeyoption via the command line or
security.vault.rotateMasterKeyto the config file.
- Run the
mongodprocess with the selected option, the process will perform the key rotation and exit.
- Remove the selected option from the startup command or the config file.
Rotating the master key process also re-encrypts the keystore using the new master key. The new master key is stored in the vault. The entire dataset is not re-encrypted.
For a replica set, the steps are the following:
- Rotate the master key for the secondary nodes one by one.
- Step down the primary and wait for another primary to be elected.
- Rotate the master key for the previous primary node.
The key file must contain a 32 character string encoded in base64. You can generate a random key and save it to a file by using the openssl command:
$ openssl rand -base64 32 > mongodb-keyfile
Then, as the owner of the
mongod process, update the file permissions: only
the owner should be able to read and modify this file. The effective permissions
specified with the
chmod command can be:
- 600 - only the owner may read and modify the file
- 400 - only the owner may read the file.
$ chmod 600 mongodb-keyfile
Enable the data encryption at rest in Percona Server for MongoDB by setting these options:
--enableEncryptionto enable data at rest encryption
--encryptionKeyFileto specify the path to a file that contains the encryption key
$ mongod ... --enableEncryption --encryptionKeyFile <fileName>
By default, Percona Server for MongoDB uses the
AES256-CBC cipher mode. If you want to use the
AES256-GCM cipher mode, then use the
encryptionCipherMode parameter to change it.
mongod is started with the
--relaxPermChecks option and the key file
is owned by
mongod can read the file based on the
group bit set accordingly. The effective key file permissions in this
- 440 - both the owner and the group can only read the file, or
- 640 - only the owner can read and the change the file, the group can only read the file.
- MongoDB Documentation: Configure Encryption
- Percona Blog: WiredTiger Encryption at Rest with Percona Server for MongoDB
All these options can be specified in the configuration file:
security: enableEncryption: <boolean> encryptionCipherMode: <string> encryptionKeyFile: <string> relaxPermChecks: <boolean>
- MongoDB Documentation: How to set options in a configuration file
Starting from version 3.6, Percona Server for MongoDB also encrypts rollback files when data at rest encryption is enabled. To inspect the contents of these files, use perconadecrypt. This is a tool that you run from the command line as follows:
$ perconadecrypt --encryptionKeyFile FILE --inputPath FILE --outputPath FILE [--encryptionCipherMode MODE]
When decrypting, the cipher mode must match the cipher mode which was used for
the encryption. By default, the
--encryptionCipherMode option uses the
Parameters of perconadecrypt
|–encryptionKeyFile||The path to the encryption key file|
|–encryptionCipherMode||The cipher mode for decryption. The supported values are AES256-CBC or AES256-GCM|
|–inputPath||The path to the encrypted rollback file|
|–outputPath||The path to save the decrypted rollback file|
The steps below describe how to migrate from the key file encryption to using HashiCorp Vault.
This is a simple guideline and it should be used for testing purposes only. We recommend to use Percona Consulting Services to assist you with migration in production environment.
We assume that you have installed and configured the vault server and enabled the KV Secrets Engine as the secrets storage for it.
$ sudo systemctl stop mongod
Insert the key from keyfile into the HashiCorp Vault server to the desired secret path.
# Retrieve the key value from the keyfile $ sudo cat /data/key/mongodb.key d0JTFcePmvROyLXwCbAH8fmiP/ZRm0nYbeJDMGaI7Zw= # Insert the key into vault $ vault kv put secret/dc/psmongodb1 value=d0JTFcePmvROyLXwCbAH8fmiP/ZRm0nYbeJDMGaI7Zw=
Vault KV Secrets Engine uses different read and write secrets paths. To insert data to vault, specify the secret path without the
Edit the configuration file to provision the HashiCorp Vault configuration options instead of the key file encryption options.
security: enableEncryption: true vault: serverName: 10.0.2.15 port: 8200 secret: secret/data/dc/psmongodb1 tokenFile: /etc/mongodb/token serverCAFile: /etc/mongodb/vault.crt
$ sudo systemctl start mongod