Docs Menu
Docs Home
/
MongoDB Manual
/ /

Configure Encryption

On this page

  • Overview
  • Key Manager
  • Local Key Management
  • Encrypt Existing Data at Rest

New in version 3.2.

This page discusses server configuration to support encryption at rest. If you use MongoDB Atlas, your data is already encrypted. MongoDB manages Atlas encryption at the cloud provider level, but you can also use your own key management solution. See the Atlas key management documentation for details.

MongoDB Enterprise 3.2 introduces a native encryption option for the WiredTiger storage engine. Outside Atlas, encryption is only available for enterprise installations that use the WiredTiger Storage Engine.

Secure management of the encryption keys is a critical requirement for storage encryption. MongoDB uses a master key that is not stored with the MongoDB installation. Only the master key is externally managed, other keys can be stored with your MongoDB instance.

MongoDB's encrypted storage engine supports two key management options for the master key:

  • Integration with a third party key management appliance via the Key Management Interoperability Protocol (KMIP). Recommended

  • Use of local key management via a keyfile.

Important

MongoDB cannot encrypt existing data. When you enable encryption with a new key, the MongoDB instance cannot have any pre-existing data. If your MongoDB installation already has existing data, see Encrypt Existing Data at Rest for additional steps.

MongoDB Enterprise supports secure transfer of keys with compatible key management appliances. Using a key manager allows for the keys to be stored in the key manager.

MongoDB Enterprise supports secure transfer of keys with Key Management Interoperability Protocol (KMIP) compliant key management appliances. Any appliance vendor that provides support for KMIP is expected to be compatible.

For a list of MongoDB's certified partners, refer to the Partners List.

Tip

Recommended

Using a key manager meets regulatory key management guidelines, such as HIPAA, PCI-DSS, and FERPA, and is recommended over the local key management.

  • Your key manager must support the KMIP communication protocol.

  • For an integration with a third-party key management appliance using the KMIP, you should allow the following KMIP operations:

    • Create (operation_create)

    • Get (operation_get)

    • Activate (operation_activate)

  • To authenticate MongoDB to a KMIP server, you must have a valid certificate issued by the key management appliance.

Note

Changed in version 4.0

MongoDB Enterprise on Windows no longer supports AES256-GCM as a block cipher for encryption at rest. This usage is only supported on Linux.

To create a new key, connect mongod to the key manager by starting mongod with the following options:

Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip. For more information, see Localhost Binding Compatibility Changes.

The following operation creates a new master key in your key manager which mongod uses to encrypt the keys mongod generates for each database.

mongod --enableEncryption --kmipServerName <KMIP Server HostName> \
--kmipPort <KMIP server port> --kmipServerCAFile ca.pem \
--kmipClientCertificateFile client.pem

When connecting to the KMIP server, the mongod verifies that the specified --kmipServerName matches the Subject Alternative Name SAN (or, if SAN is not present, the Common Name CN) in the certificate presented by the KMIP server. [1] If SAN is present, mongod does not match against the CN. If the hostname does not match the SAN (or CN), the mongod will fail to connect.

To verify that the key creation and usage was successful, check the log file. If successful, the process will log the following messages:

[initandlisten] Created KMIP key with id: <UID>
[initandlisten] Encryption key manager initialized using master key with id: <UID>

You can use an existing master key your KMIP server created and manages. To use an existing key, connect mongod to the key manager by starting mongod with the following options:

Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip. For more information, see Localhost Binding Compatibility Changes.

mongod --enableEncryption --kmipServerName <KMIP Server HostName> \
--kmipPort <KMIP server port> --kmipServerCAFile ca.pem \
--kmipClientCertificateFile client.pem --kmipKeyIdentifier <UID>

When connecting to the KMIP server, the mongod verifies that the specified --kmipServerName matches the Subject Alternative Name SAN (or, if SAN is not present, the Common Name CN) in the certificate presented by the KMIP server. [1] If SAN is present, mongod does not match against the CN. If the hostname does not match the SAN (or CN), the mongod will fail to connect.

[1](1, 2) Starting in MongoDB 4.2, when performing comparison of SAN, MongoDB supports comparison of DNS names or IP addresses. In previous versions, MongoDB only supports comparisons of DNS names.

Important

Using the keyfile method does not meet most regulatory key management guidelines and requires users to securely manage their own keys.

The safe management of the keyfile is critical.

To encrypt using a keyfile, you must have a base64 encoded keyfile that contains a single 16 or 32 character string. The keyfile must only be accessible by the owner of the mongod process.

  1. Create the base64 encoded keyfile with the 16 or 32 character string. You can generate the encoded keyfile using any method you prefer. For example,

    openssl rand -base64 32 > mongodb-keyfile
  2. Update the file permissions.

    chmod 600 mongodb-keyfile
  3. To use the key file, start mongod with the following options:

    • --enableEncryption,

    • --encryptionKeyFile <path to keyfile>,

    mongod --enableEncryption --encryptionKeyFile mongodb-keyfile

    Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip. For more information, see Localhost Binding Compatibility Changes.

  4. Verify if the encryption key manager successfully initialized with the keyfile. If the operation was successful, the process will log the following message:

    [initandlisten] Encryption key manager initialized with key file: <path to keyfile>

MongoDB cannot encrypt existing data. When you enable encryption with a new key, the MongoDB instance cannot have any pre-existing data.

If you are using a replica set that does have existing data, use a rolling initial sync to encrypt the data.

For example, consider a replica set with three members. The replica set is in use and holds data that you want to encrypt. These are the steps you would take to encrypt the data at rest:

1

Follow these steps to prepare the server:

  • Pick one of the secondary servers.

  • Stop mongod on the secondary server.

  • Optional: Backup the data in dbPath. If a full backup is not required, consider backing up just the diagnostic.data directory to preserve potentially-useful troubleshooting data in the event of an issue. See Full Time Diagnostic Data Capture for more information.

  • Remove the files and directories in the dbPath.

2

Start the secondary server with encryption enabled. The mongod instance creates a new keystore.

3

Import the data from the primary. Start the mongod process, specifying Replication Options as appropriate.

mongod performs an initial sync and encrypts the data during the sync up process.

4

When the first secondary has finished importing and encrypting the data, repeat the process on the other secondary mongod instances.

5

When the all the secondaries have been encrypted, step down the primary. Eligible secondaries will elect a new primary.

The old primary is now a secondary. Repeat the steps to remove the unencrypted data and then run an initial sync.

Back

Encryption at Rest