
Configure Encryption

New in version 3.2.

Overview

Enterprise Feature

Available in MongoDB Enterprise only.

Important

Available for the WiredTiger Storage Engine Only.

MongoDB Enterprise 3.2 introduces a native encryption option for the WiredTiger storage engine. With storage encryption, the secure management of the encryption keys is critical.

mongod generates a separate key for each database and stores those keys wrapped (encrypted) with a single system key. Only the system key is external to the server and requires external management. To manage the system key, MongoDB’s encrypted storage engine supports two key management options:

  • Integration with a third party key management appliance via the Key Management Interoperability Protocol (KMIP). (Recommended)
  • Use of local key management via a keyfile.

The following tutorial outlines the procedures to configure MongoDB for encryption and key management.

Key Manager

MongoDB Enterprise supports secure transfer of keys with Key Management Interoperability Protocol (KMIP) compliant key management appliances. Using a key manager keeps the system key inside the appliance rather than on the mongod host, so the key is never stored alongside the data it protects. While any appliance vendor that provides support for KMIP is expected to be compatible, MongoDB has certified against SafeNet KeySecure and Vormetric Data Security Manager (DSM).

Prerequisites

  • Your key manager must support the KMIP communication protocol, such as Vormetric DSM and SafeNet KeySecure.
  • For Vormetric or SafeNet, you must have valid certificates issued by the specific appliance vendor in order to authenticate MongoDB to the KMIP server.

Encrypt Using a New Key

To create a new key, connect mongod to the key manager by starting mongod with the following options:

  • --enableEncryption,
  • --kmipServerName <KMIP Server Hostname>,
  • --kmipServerCAFile <path to KMIP Server's CA File>, and
  • --kmipClientCertificateFile <path to valid client certificate>.

Include any other options specific to your configuration.

mongod --enableEncryption --kmipServerName <KMIP Server HostName> \
  --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem

This operation creates a new system key in your key manager for use by the mongod to wrap the keys mongod generates for each database. Record the key's UID from the log: you will need it for --kmipKeyIdentifier on every subsequent start once data has been written.

To verify that the key creation and usage was successful, check the log file. If successful, the process will log the following messages:

[initandlisten] Created KMIP key with id: <UID>
[initandlisten] Encryption key manager initialized using system key with id: <UID>

See also

inMemory Options

Encrypt Using an Existing Key

You can use an existing system key created and managed by your KMIP server. To use an existing key, connect mongod to the key manager by starting mongod with the following options:

  • --enableEncryption,
  • --kmipServerName <KMIP Server Hostname>,
  • --kmipServerCAFile <path to KMIP Server's CA File>,
  • --kmipClientCertificateFile <path to valid client certificate>, and
  • --kmipKeyIdentifier <UID>.

Include any other options specific to your configuration.

mongod --enableEncryption --kmipServerName <KMIP Server HostName> \
  --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem \
  --kmipKeyIdentifier <UID>

Important

If data is already encrypted with a key, you must specify that key’s <UID> for the --kmipKeyIdentifier option. Otherwise, MongoDB will not start and log an error.
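The log check in the previous sections and the restart with --kmipKeyIdentifier share one operational step: reading the system key UID back out of mongod's log and pinning it. The following shell helper is an added example, not MongoDB code or anything from the MongoDB documentation; the log lines it parses are constructed for the demo (the UID 8f3c1e and the timestamps are made up, the two key-manager messages follow the wording quoted above), and the KMIP server name in the printed restart command is a placeholder.

```shell
#!/bin/sh
# Added example, not MongoDB code: after a KMIP start, read the mongod log,
# pull out the system key UID, and confirm it is the key the operator expects
# before treating the start as successful.

# Constructed sample log. The UID and the NETWORK line are made up; the two
# key-manager messages follow the wording of the messages mongod logs.
SAMPLE_LOG='2016-01-05T10:00:00.000+0000 I STORAGE  [initandlisten] Created KMIP key with id: 8f3c1e
2016-01-05T10:00:00.001+0000 I STORAGE  [initandlisten] Encryption key manager initialized using system key with id: 8f3c1e
2016-01-05T10:00:00.002+0000 I NETWORK  [initandlisten] waiting for connections on port 27017'

# kmip_key_uid_from_log LOGTEXT
# Prints the UID from the "initialized using system key with id:" line.
# Exit status 1 and no output if that line is absent, i.e. the encryption key
# manager never came up and the start must not be treated as successful.
kmip_key_uid_from_log() {
  printf '%s\n' "$1" |
    sed -n 's/.*Encryption key manager initialized using system key with id: *\([^ ]*\).*/\1/p' |
    head -n 1 |
    grep .
}

# check_kmip_startup LOGTEXT EXPECTED_UID
# 0: key manager initialized with EXPECTED_UID
# 1: initialized, but with a different key than the one the operator meant to
#    pin (for example a fresh key was created on an empty data directory
#    because --kmipKeyIdentifier was omitted)
# 2: key manager never initialized
check_kmip_startup() {
  expected=$2
  uid=$(kmip_key_uid_from_log "$1") || uid=""
  [ -n "$uid" ] || return 2
  [ "$uid" = "$expected" ] || return 1
  return 0
}

# Demo: capture the UID from a first (new-key) start so the next start pins it.
if uid=$(kmip_key_uid_from_log "$SAMPLE_LOG"); then
  echo "system key UID: $uid"
  echo "restart with: mongod --enableEncryption --kmipServerName <KMIP Server HostName> \\"
  echo "  --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem --kmipKeyIdentifier $uid"
fi
```

Feed the real log to kmip_key_uid_from_log after the first start, store the UID with the deployment's configuration, and have the start-up check call check_kmip_startup with that stored value so an accidental new-key start (return code 1) or a failed key-manager initialization (return code 2) is caught before the node is put into service.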


Local Key Management

Important

Using the keyfile method does not meet most regulatory key management guidelines and requires users to securely manage their own keys. The system key then lives on the same host as the data it protects, so anyone who can read the keyfile can decrypt the data.

The safe management of the keyfile is critical.

To encrypt using a keyfile, you must have a base64 encoded keyfile that contains 16 or 32 bytes of key material (a 128-bit or 256-bit key). The keyfile must only be accessible by the owner of the mongod process.

  1. Create the base64 encoded keyfile from 16 or 32 random bytes. You can generate the encoded keyfile using any method you prefer. For example,

    openssl rand -base64 32 > mongodb-keyfile
    
  2. Update the file permissions.

    chmod 600 mongodb-keyfile
    
  3. To use the keyfile, start mongod with the following options:

    • --enableEncryption, and
    • --encryptionKeyFile <path to keyfile>.

    mongod --enableEncryption --encryptionKeyFile mongodb-keyfile
    
  4. Verify that the encryption key manager initialized successfully with the keyfile. If the operation was successful, the process will log the following message:

    [initandlisten] Encryption key manager initialized using system key with id:
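
The steps above generate the keyfile and then fix its permissions afterwards, which leaves a window in which the file is world-readable under a default umask, and they do not check that what ends up in the file is actually a usable key. The following shell helper is an added example, not MongoDB code or anything from the MongoDB documentation: it creates the keyfile with owner-only permissions from the moment it exists and validates an existing keyfile (permissions exactly 0600, valid base64, decoded length 16 or 32 bytes) before mongod is started with it. It assumes GNU-style `head -c`, `base64 -d` and `find -perm`, and reads randomness from /dev/urandom instead of openssl so it has no dependency beyond coreutils.

```shell
#!/bin/sh
# Added example, not MongoDB code: create and validate a keyfile for
# --encryptionKeyFile. Assumes coreutils-style head/base64/find.

# generate_encryption_keyfile PATH [BYTES]
# Writes BYTES (default 32, i.e. a 256-bit key) random bytes, base64 encoded.
# The umask is set in a subshell so the file is created 0600 from the start
# and the caller's umask is left untouched.
generate_encryption_keyfile() {
  path=$1
  nbytes=${2:-32}
  ( umask 077 && head -c "$nbytes" /dev/urandom | base64 > "$path" )
}

# check_encryption_keyfile PATH
# Exit status: 0 ok
#              1 file missing or unreadable
#              2 permissions are not exactly 0600 (group/world bits set)
#              3 contents are not valid base64
#              4 decoded key is not 16 or 32 bytes
check_encryption_keyfile() {
  path=$1
  [ -r "$path" ] || return 1
  # -perm 600 (no leading - or /) matches the exact mode, so any extra bit fails.
  [ -n "$(find "$path" -maxdepth 0 -perm 600)" ] || return 2
  base64 -d "$path" >/dev/null 2>&1 || return 3
  nbytes=$(base64 -d "$path" 2>/dev/null | wc -c | tr -d ' ')
  case "$nbytes" in
    16|32) return 0 ;;
    *)     return 4 ;;
  esac
}

# Demo run: create a key in a scratch directory, validate it, clean up.
demo_dir=$(mktemp -d)
generate_encryption_keyfile "$demo_dir/mongodb-keyfile"
if check_encryption_keyfile "$demo_dir/mongodb-keyfile"; then
  echo "keyfile OK: $demo_dir/mongodb-keyfile (start mongod with --enableEncryption --encryptionKeyFile <that path>)"
fi
rm -rf "$demo_dir"
```

Run check_encryption_keyfile from the service's pre-start hook: a keyfile that was copied into place with the wrong mode, truncated, or written by a tool that emitted a key of the wrong length then fails the start with a distinct exit code instead of being discovered from a mongod error later.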
    

