Data at Rest Encryption

Data at rest encryption for the WiredTiger storage engine was introduced in MongoDB Enterprise version 3.2. It ensures that the data files on disk can be decrypted and read only by parties that hold the decryption key.

Differences from Upstream

Data at rest encryption was introduced in Percona Server for MongoDB version 3.6 and is compatible with the data at rest encryption interface of MongoDB Enterprise. In the current release of Percona Server for MongoDB, data at rest encryption does not support KMIP or the Amazon AWS Key Management Service.

HashiCorp Vault Integration

Percona Server for MongoDB is integrated with HashiCorp Vault. Only the HashiCorp Vault back end with the KV Secrets Engine - Version 2 (API) and versioning enabled is supported.

The Vault secret path must have the following format:

<vault_secret_mount>/data/<custom_path>

  • <vault_secret_mount> is the mount point of your Vault KV Secrets Engine;
  • data is the mandatory path prefix required by the Version 2 API;
  • <custom_path> is the path of the secret within that engine.

It is recommended to use a different secret path for every database node, since each node generates and rotates its own master key.

See also

How to configure the KV Engine:

HashiCorp Vault Parameters

Command line option           Config file option                   Type    Purpose
--vaultServerName             security.vault.serverName            string  Host name or IP address of the Vault server
--vaultPort                   security.vault.port                  int     Port of the Vault listener
--vaultTokenFile              security.vault.tokenFile             string  Path to the file that holds the Vault token
--vaultSecret                 security.vault.secret                string  Secret path, <vault_secret_mount>/data/<custom_path>
--vaultRotateMasterKey        security.vault.rotateMasterKey       switch  Rotate the master key and exit (see Key Rotation)
--vaultServerCAFile           security.vault.serverCAFile          string  CA certificate used to verify the Vault server's TLS certificate
--vaultDisableTLSForTesting   security.vault.disableTLSForTesting  switch  Talk to Vault without TLS; for test environments only

Do not use vaultDisableTLSForTesting outside a test environment: without TLS the Vault token and the master key cross the network in clear text.

The vault token file consists of the raw vault token and does not include any additional strings or parameters.

On start, the server tries to read the master key from Vault. If the configured secret does not exist, Vault responds with an HTTP 404 error; this is the case on the first run of Percona Server for MongoDB, and the process then generates a secure master key and writes it to Vault at the configured secret path.
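The following script is an added example, not code from Percona or HashiCorp, showing the Vault-side and node-side preparation the parameters above call for: checking the secret path format, enabling the KV v2 engine, granting a per-node policy and token, writing the token file, and rendering the matching mongod.conf fragment. It assumes a Linux host with POSIX sh, a vault CLI already authenticated with administrative rights (VAULT_ADDR and VAULT_TOKEN set), that the script is run as the mongod process user, and the policy capabilities (create, read, update on the data path) are an assumption about what the node needs for first start and rotation; the hostnames, paths and node name are placeholders.

```shell
#!/bin/sh
# Added example: prepare a KV v2 secret path, token file and mongod.conf
# fragment for one Percona Server for MongoDB node. Linux, POSIX sh.
set -eu

# The page's rule for security.vault.secret: <mount>/data/<custom_path>,
# where "data" is the KV v2 API prefix. Reject anything else up front so
# mongod does not fail at start with an unhelpful Vault error.
check_secret_path() {
    case "$1" in
        /*|*/|*//*)
            echo "$1: no leading, trailing or doubled slashes" >&2; return 1 ;;
        */data/*) ;;
        *)
            echo "$1: expected <vault_secret_mount>/data/<custom_path>" >&2; return 1 ;;
    esac
}

# Vault-side preparation: enable the KV v2 engine at the mount unless it is
# already listed, write a per-node policy, and mint a token bound to it.
# Capabilities are an assumption: read for start-up, create/update so the node
# can store its generated key and write a new version on rotation.
vault_prepare() {
    secret=$1; node=$2
    mount=${secret%%/data/*}
    vault secrets list -format=json | grep -q "\"$mount/\"" ||
        vault secrets enable -path="$mount" -version=2 kv
    vault policy write "psmdb-$node" - <<EOF
path "$secret" {
  capabilities = ["create", "read", "update"]
}
EOF
    vault token create -policy="psmdb-$node" -field=token
}

# The token file holds the raw token and nothing else (no newline, no
# "token=" prefix). Create it with mode 600 from the start; run this as the
# mongod user so that user owns the file.
write_token_file() {
    printf '%s' "$1" | ( umask 077; cat > "$2" )
    chmod 600 "$2"
}

# mongod.conf fragment using the config-file names from the table above.
# serverCAFile keeps TLS verification on; disableTLSForTesting is deliberately
# not offered because it sends the token and master key in clear text.
render_vault_config() {
    check_secret_path "$4" || return 1
    cat <<EOF
security:
  enableEncryption: true
  vault:
    serverName: $1
    port: $2
    tokenFile: $3
    secret: $4
    serverCAFile: $5
EOF
}

# Usage: sh vault_prep.sh <vault_host> <secret_path> <node_name> <ca_file>
# (placeholder paths; adjust /etc/mongodb/token to your layout)
if [ $# -eq 4 ]; then
    check_secret_path "$2"
    tok=$(vault_prepare "$2" "$3")
    write_token_file "$tok" /etc/mongodb/token
    render_vault_config "$1" 8200 /etc/mongodb/token "$2" "$4"
fi
```

Run it once per node with a distinct secret path (for example secret/data/psmdb/node1 and secret/data/psmdb/node2) and append the printed fragment to that node's mongod.conf; on the first start the node finds no secret at the path, receives the 404 described above, and writes its generated master key there.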

Encrypting Rollback Files

Starting from version 3.6, Percona Server for MongoDB also encrypts rollback files when data at rest encryption is enabled. To inspect the contents of these files, use perconadecrypt, a command-line tool that you run as follows:

$ perconadecrypt --encryptionKeyFile FILE  --inputPath FILE --outputPath FILE [--encryptionCipherMode MODE]

When decrypting, the cipher mode must match the cipher mode which was used for the encryption. By default, the --encryptionCipherMode option uses the AES256-CBC mode.

Parameters of perconadecrypt

Option                  Purpose
--encryptionKeyFile     The path to the encryption key file
--encryptionCipherMode  The cipher mode for decryption. The supported values are AES256-CBC or AES256-GCM
--inputPath             The path to the encrypted rollback file
--outputPath            The path to save the decrypted rollback file

Important Configuration Options

Percona Server for MongoDB supports the encryptionCipherMode option where you choose one of the following cipher modes:

  • AES256-CBC
  • AES256-GCM

By default, the AES256-CBC cipher mode is applied. The following example demonstrates how to apply the AES256-GCM cipher mode when starting the mongod service:

$ mongod ... --encryptionCipherMode AES256-GCM

Percona Server for MongoDB also supports the options exposed by the upstream solution:

  • --enableEncryption to enable data at rest encryption
  • --encryptionKeyFile to specify the path to a file that contains the encryption key

$ mongod ... --enableEncryption --encryptionKeyFile <fileName>

The key file must contain a 32-byte (256-bit) key encoded in base64, which is exactly what the following openssl command produces. Generate a random key and save it to a file:

$ openssl rand -base64 32 > mongodb-keyfile

Then, as the owner of the mongod process, update the file permissions: only the owner should be able to read and modify this file. The effective permissions specified with the chmod command can be:

  • 600 - only the owner may read and modify the file, or
  • 400 - only the owner may read the file.

$ chmod 600 mongodb-keyfile

If mongod is started with the --relaxPermChecks option and the key file is owned by root, then mongod can also read the file through the group bits. The effective key file permissions in this case are:

  • 440 - both the owner and the group can only read the file, or
  • 640 - only the owner can read and modify the file, the group can only read the file.
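The following script is an added example, not Percona's code, that generates a key file as described above and checks it the way a deployment pipeline should before handing it to mongod: the key must decode to exactly 32 bytes and the file must carry one of the modes listed above, with the 440/640 forms accepted only for a root-owned file when --relaxPermChecks is intended. It assumes a Linux host (GNU stat and base64) and that the listed modes are exactly the ones the server accepts, which is an assumption drawn from the text above rather than from the server source.

```shell
#!/bin/sh
# Added example: create and validate a local --encryptionKeyFile. Linux, POSIX sh.
set -eu

# 32 random bytes (an AES-256 key), base64-encoded, created with mode 600 from
# the start so the key is never world-readable, not even briefly. Falls back to
# /dev/urandom when openssl is not installed.
gen_keyfile() {
    out=$1
    ( umask 077
      if command -v openssl >/dev/null 2>&1; then openssl rand -base64 32
      else head -c 32 /dev/urandom | base64; fi > "$out" )
    chmod 600 "$out"
}

# Returns 0 if the file would be accepted: it must decode to exactly 32 bytes
# and carry only the modes the page lists. relax=1 mirrors --relaxPermChecks,
# which additionally allows a root-owned, group-readable file (440 or 640).
# Assumption: these exact modes are what the server checks.
check_keyfile() {
    f=$1; relax=${2:-0}
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    n=$(base64 -d "$f" 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" = 32 ] || { echo "$f: decodes to ${n:-0} bytes, expected 32" >&2; return 1; }
    mode=$(stat -c %a "$f"); uid=$(stat -c %u "$f")
    case "$mode" in
        600|400) return 0 ;;
        440|640)
            if [ "$relax" = 1 ] && [ "$uid" = 0 ]; then return 0; fi
            echo "$f: mode $mode needs --relaxPermChecks and root ownership" >&2
            return 1 ;;
        *) echo "$f: mode $mode is readable by group or others" >&2; return 1 ;;
    esac
}

# Usage: sh keyfile.sh <path>   (creates the file, then validates it)
if [ $# -eq 1 ]; then
    gen_keyfile "$1"
    check_keyfile "$1"
fi
```

A failing check is the same condition that makes mongod refuse to start, so running it in the provisioning step surfaces a truncated key or a careless chmod before the service is restarted.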

All these options can be specified in the configuration file under the security section:

security:
  enableEncryption: <boolean>
  encryptionCipherMode: <string>
  encryptionKeyFile: <string>
  relaxPermChecks: <boolean>

Key Rotation

To rotate the master key for a single mongod instance, do the following:

  1. Stop the mongod process.
  2. Add --vaultRotateMasterKey to the command line options or security.vault.rotateMasterKey to the config file.
  3. Run the mongod process with the selected option; the process performs the key rotation and exits.
  4. Remove the selected option from the startup command or the config file.
  5. Start mongod again.

Rotating the master key also re-encrypts the keystore with the new master key, and the new master key is stored in Vault. The data files themselves are not re-encrypted.

For a replica set, do the following steps:

  1. Rotate the master key for the secondary nodes one by one.
  2. Step down the primary and wait for another primary to be elected.
  3. Rotate the master key for the previous primary node.
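The following script is an added example, not Percona's tooling, that automates the single-node steps above and the replica set ordering: stop the service, run mongod once with --vaultRotateMasterKey so it rotates and exits, and start the service again only if the rotation succeeded; for the primary it first issues rs.stepDown() and waits until the node reports that it is no longer primary. It assumes a Linux host with a systemd unit named mongod, a config file at /etc/mongod.conf with security.vault.* already set, the legacy mongo shell (mongosh works the same way), and that it is run as the mongod user; all of these are placeholders that can be overridden through the environment variables at the top.

```shell
#!/bin/sh
# Added example: master key rotation for a Vault-backed PSMDB node. Linux, POSIX sh.
# Everything external is overridable so the script fits non-systemd hosts too.
set -eu

MONGOD="${MONGOD:-mongod}"
MONGOD_CONF="${MONGOD_CONF:-/etc/mongod.conf}"      # has security.vault.* set
STOP_CMD="${STOP_CMD:-systemctl stop mongod}"        # assumption: systemd unit "mongod"
START_CMD="${START_CMD:-systemctl start mongod}"
MONGO_SHELL="${MONGO_SHELL:-mongo}"                  # legacy shell on 3.6; mongosh also works

# Steps 1-5 from the page for one node. Passing --vaultRotateMasterKey on the
# command line avoids editing the config file twice. Run as the mongod user so
# the keystore and the Vault token file keep their ownership.
rotate_master_key() {
    $STOP_CMD || { echo "could not stop mongod" >&2; return 1; }
    # mongod rotates the key, re-encrypts the keystore and exits. On failure the
    # old key is still in use, but do not restart blindly; read the log first.
    if ! "$MONGOD" --config "$MONGOD_CONF" --vaultRotateMasterKey; then
        echo "rotation failed; mongod left stopped" >&2
        return 1
    fi
    $START_CMD || { echo "rotation done but could not start mongod" >&2; return 1; }
}

# Replica set order from the page: rotate each secondary with rotate_master_key,
# then step the primary down, wait until it really is a secondary, and rotate it.
step_down_primary() {
    # Older shells report the connection drop caused by stepDown as an error.
    "$MONGO_SHELL" --quiet --host "$1" --eval 'rs.stepDown()' >/dev/null 2>&1 || true
    i=0
    while [ "$("$MONGO_SHELL" --quiet --host "$1" --eval 'db.isMaster().ismaster')" = true ]; do
        i=$((i + 1))
        [ "$i" -lt 60 ] || { echo "$1 is still primary after 60s" >&2; return 1; }
        sleep 1
    done
}

# Usage: sh rotate.sh node                  -> rotate this (secondary) node
#        sh rotate.sh primary <host:port>   -> step that primary down, then rotate this node
case "${1:-}" in
    node)    rotate_master_key ;;
    primary) step_down_primary "$2"; rotate_master_key ;;
esac
```

Run "sh rotate.sh node" on each secondary in turn, waiting for it to rejoin and catch up before moving on, and finish with "sh rotate.sh primary <host:port>" on the old primary; because the script refuses to restart the service after a failed rotation, a node that cannot reach Vault stays down rather than coming back with an inconsistent keystore.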

See also

MongoDB Documentation: How to set options in a configuration file