
Enabling Encryption at Rest in Percona Server for MongoDB 3.6.8


  • Enabling Encryption at Rest in Percona Server for MongoDB 3.6.8

    Running **Percona Server for MongoDB server version: v3.6.8-2.0**. I am attempting to enable encryption at rest using the procedure outlined in the following - see link.

    After creating my encryption key and updating /etc/mongod.conf with the following, I restart the mongod process:

    security:
      authorization: enabled
      enableEncryption: true
      encryptionKeyFile: /deezNutz/mongodb.key

    The process immediately shuts down and I see the following in my error log:

    2018-11-14T23:09:18.057+0000 E STORAGE [initandlisten] WiredTiger error (-31802) [1542236958:57406][17352:0x7f8037b14dc0], file:WiredTiger.wt, connection: unable to read root page from file:WiredTiger.wt: WT_ERROR: non-specific WiredTiger error
    2018-11-14T23:09:18.057+0000 E STORAGE [initandlisten] WiredTiger error (0) [1542236958:57447][17352:0x7f8037b14dc0], file:WiredTiger.wt, connection: WiredTiger has failed to open its metadata
    2018-11-14T23:09:18.057+0000 E STORAGE [initandlisten] WiredTiger error (0) [1542236958:57460][17352:0x7f8037b14dc0], file:WiredTiger.wt, connection: This may be due to the database files being encrypted, being from an older version or due to corruption on disk
    2018-11-14T23:09:18.057+0000 E STORAGE [initandlisten] WiredTiger error (0) [1542236958:57473][17352:0x7f8037b14dc0], file:WiredTiger.wt, connection: You should confirm that you have opened the database with the correct options including all encryption and compression options
    2018-11-14T23:09:18.058+0000 E - [initandlisten] Assertion: 28595:-31802: WT_ERROR: non-specific WiredTiger error src/mongo/db/storage/wiredtiger/wiredtiger_kv_engine.cpp 437
    2018-11-14T23:09:18.064+0000 I STORAGE [initandlisten] exception in initAndListen: Location28595: -31802: WT_ERROR: non-specific WiredTiger error, terminating

    If I change `enableEncryption` to "false", the engine starts right up and no errors.

    It doesn't look like I'm missing a step.

    Confused,
    Adam
    Percona Server for MongoDB now provides WiredTiger encryption at rest with PSMDB 3.6.8-2.0 in BETA, and it is free to use.

  • #2
    Hi Adam,

    The thing with data-at-rest encryption is that it needs to be enabled the first time the server starts.
    You can't start the server without encryption, add some data, stop the server, then enable encryption and start the server again, and it seems to me this is what you are trying to do.
    You'll need to migrate your data to an encrypted instance, either by adding new mongo replica set instances with encryption enabled or some other way.
    If this is on Ubuntu/Debian, it might be that the server is started right after the packages are installed (on a fresh installation), and in that case you'll need to stop it, clean the data directory (only in case of a fresh installation), enable the encryption options and start the server again - this looks like a good documentation fix candidate to me.

    Kind regards,
    Tomislav
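
A pre-start check for the situation described in the answer above, as an added example that is not part of the original thread or of Percona's tooling: it reads `dbPath` and `encryptionKeyFile` from a mongod.conf-style file and reports whether the data directory already holds WiredTiger files. The function names and exit codes are assumptions of this example, and it flags any existing data files without being able to tell whether they were written encrypted.

```shell
#!/bin/sh
# Added example, not from the thread: read-only pre-flight check to run
# before restarting mongod with enableEncryption: true.

# Print the first scalar value of a "key: value" line in a mongod.conf-style
# YAML file, with trailing comments and surrounding quotes removed.
# Assumes one key per line.
conf_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 |
        sed -e 's/[[:space:]][[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e "s/^[\"']//" -e "s/[\"']$//"
}

# Exit status: 0 = dbPath is empty or absent, a first encrypted start can proceed
#              1 = dbPath already holds WiredTiger files, migrate the data instead
#              2 = configuration problem (no dbPath, key file missing or unreadable)
encryption_preflight() {
    pf_conf=$1
    pf_dbpath=$(conf_value "$pf_conf" dbPath)
    pf_key=$(conf_value "$pf_conf" encryptionKeyFile)

    if [ -z "$pf_dbpath" ]; then
        echo "no storage.dbPath in $pf_conf" >&2
        return 2
    fi
    if [ -z "$pf_key" ] || [ ! -r "$pf_key" ] || [ ! -s "$pf_key" ]; then
        echo "encryptionKeyFile missing, unreadable or empty: $pf_key" >&2
        return 2
    fi
    # WiredTiger.wt is the metadata file named in the startup error; any
    # *.wt or WiredTiger.turtle file means the engine has already run here.
    for pf_f in "$pf_dbpath"/WiredTiger.wt "$pf_dbpath"/WiredTiger.turtle "$pf_dbpath"/*.wt; do
        if [ -e "$pf_f" ]; then
            echo "existing data file $pf_f: enabling encryption in place will fail" >&2
            return 1
        fi
    done
    echo "dbPath $pf_dbpath has no WiredTiger files; safe for a first encrypted start"
    return 0
}

# Usage: sh preflight.sh /etc/mongod.conf
if [ "$#" -gt 0 ]; then
    encryption_preflight "$1"
fi
```

Exit status 1 is the case from the original post: the directory was initialised without encryption, so the data has to be migrated to an instance that was started encrypted.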
