This documentation is for the end of life version of Percona Server for MongoDB and is no longer supported. You may want to see the current documentation.
Data at Rest Encryption¶
Data at rest encryption for the WiredTiger storage engine in MongoDB was introduced in MongoDB Enterprise version 3.2. to ensure that encrypted data files can be decrypted and read by parties with the decryption key.
Differences from Upstream
The data encryption at rest in Percona Server for MongoDB is introduced in version 3.6 to be compatible with data encryption at rest in MongoDB. In the current release of Percona Server for MongoDB, the data encryption at rest does not include support for KMIP, or Amazon AWS key management services. Instead, Percona Server for MongoDB is integrated with HashiCorp Vault for key management services.
Two types of keys are used for data at rest encryption:
Database keys to encrypt data. They are stored internally, near the data that they encrypt.
The master key to encrypt database keys. It is kept separately from the data and database keys and requires external management.
To manage the master key, use one of the supported key management options:
Integration with an external key server (recommended). Percona Server for MongoDB is integrated with HashiCorp Vault for this purpose.
Local key management using a keyfile.
Note that you can use only one of the key management options at a time. However, you can switch from one management option to another (e.g. from a keyfile to HashiCorp Vault). Refer to Migrating from Key File Encryption to HashiCorp Vault Encryption section for details.
Important
You can only enable data at rest encryption and provide all encryption settings on an empty database, when you start the mongod instance for the first time. You cannot enable or disable encryption while the Percona Server for MongoDB server is already running and / or has some data. Nor can you change the effective encryption mode by simply restarting the server. Every time you restart the server, the encryption settings must be the same.
Important Configuration Options
Percona Server for MongoDB supports the encryptionCipherMode option where you choose one of the following cipher modes:
AES256-CBC
AES256-GCM
By default, the AES256-CBC cipher mode is applied. The following example demonstrates how to apply the AES256-GCM cipher mode when starting the mongod service:
$ mongod ... --encryptionCipherMode AES256-GCM
See also
- MongoDB Documentation: encryptionCipherMode Option
https://docs.mongodb.com/manual/reference/program/mongod/#cmdoption-mongod-encryptionciphermode
HashiCorp Vault Integration¶
Starting from version 3.6.13-3.3, Percona Server for MongoDB provides HashiCorp Vault integration. HashiCorp Vault supports different secrets engines. Percona Server for MongoDB only supports the HashiCorp Vault back end with KV Secrets Engine - Version 2 (API) with versioning enabled.
See also
- Percona Blog: Using Vault to Store the Master Key for Data at Rest Encryption on Percona Server for MongoDB
- How to configure the KV Engine:
HashiCorp Vault Parameters
Command line |
Config file |
Type |
Description |
|---|---|---|---|
vaultServerName |
security.vault.serverName |
string |
The IP address of the Vault server |
vaultPort |
security.vault.port |
int |
The port on the Vault server |
vaultTokenFile |
security.vault.tokenFile |
string |
The path to the vault token file. The token file is used by MongoDB to access HashiCorp Vault. The vault token file consists of the raw vault token and does not include any additional strings or parameters. Example of a vault token file: s.uTrHtzsZnEE7KyHeA797CkWA
|
vaultSecret |
security.vault.secret |
string |
The path to the vault secret. Note that vault secrets path format must be: <vault_secret_mount>/data/<custom_path>
where:
Example: secret_v2/data/psmdb-test/rs1-27017
Note It is recommended to use different secret paths for every database node. |
vaultRotateMasterKey |
security.vault.rotateMasterKey |
switch |
Enables master key rotation |
vaultServerCAFile |
security.vault.serverCAFile |
string |
The path to the TLS certificate file |
vaultDisableTLSForTesting |
security.vault.disableTLSForTesting |
switch |
Disables secure connection to HashiCorp Vault using SSL/TLS client certificates |
Config file example
security: enableEncryption: true vault: serverName: 127.0.0.1 port: 8200 tokenFile: /home/user/path/token secret: secret/data/hello
During the first run of the Percona Server for MongoDB, the process generates a secure key and writes the key to the vault.
During the subsequent start, the server tries to read the master key from the vault. If the configured secret does not exist, vault responds with HTTP 404 error.
Key Rotation¶
Key rotation is replacing the old master key with a new one. This process helps to comply with regulatory requirements.
To rotate the keys for a single mongod instance, do the following:
Stop the
mongodprocessAdd
--vaultRotateMasterKeyoption via the command line orsecurity.vault.rotateMasterKeyto the config file.Run the
mongodprocess with the selected option, the process will perform the key rotation and exit.Remove the selected option from the startup command or the config file.
Start
mongodagain.
Rotating the master key process also re-encrypts the keystore using the new master key. The new master key is stored in the vault. The entire dataset is not re-encrypted.
For a replica set, the steps are the following:
Rotate the master key for the secondary nodes one by one.
Step down the primary and wait for another primary to be elected.
Rotate the master key for the previous primary node.
Local key management using a keyfile¶
The key file must contain a 32 character string encoded in base64. You can generate a random key and save it to a file by using the openssl command:
$ openssl rand -base64 32 > mongodb-keyfile
Then, as the owner of the mongod process, update the file permissions: only
the owner should be able to read and modify this file. The effective permissions specified with the chmod command can be:
600 - only the owner may read and modify the file
400 - only the owner may read the file.
$ chmod 600 mongodb-keyfile
Enable the data encryption at rest in Percona Server for MongoDB by setting these options:
--enableEncryptionto enable data at rest encryption--encryptionKeyFileto specify the path to a file that contains the encryption key
$ mongod ... --enableEncryption --encryptionKeyFile <fileName>
By default, Percona Server for MongoDB uses the AES256-CBC cipher mode. If you want to use the AES256-GCM cipher mode, then use the encryptionCipherMode parameter to change it.
If mongod is started with the --relaxPermChecks option and the key file
is owned by root then mongod can read the file based on the
group bit set accordingly. The effective key file permissions in this
case are:
440 - both the owner and the group can only read the file, or
640 - only the owner can read and the change the file, the group can only read the file.
See also
- MongoDB Documentation: Configure Encryption
https://docs.mongodb.com/manual/tutorial/configure-encryption/#local-key-management
- Percona Blog: WiredTiger Encryption at Rest with Percona Server for MongoDB
https://www.percona.com/blog/2018/11/01/wiredtiger-encryption-at-rest-percona-server-for-mongodb/
All these options can be specified in the configuration file:
security:
enableEncryption: <boolean>
encryptionCipherMode: <string>
encryptionKeyFile: <string>
relaxPermChecks: <boolean>
See also
- MongoDB Documentation: How to set options in a configuration file
https://docs.mongodb.com/manual/reference/configuration-options/index.html#configuration-file
Encrypting Rollback Files¶
Starting from version 3.6, Percona Server for MongoDB also encrypts rollback files when data at rest encryption is enabled. To inspect the contents of these files, use perconadecrypt. This is a tool that you run from the command line as follows:
$ perconadecrypt --encryptionKeyFile FILE --inputPath FILE --outputPath FILE [--encryptionCipherMode MODE]
When decrypting, the cipher mode must match the cipher mode which was used for
the encryption. By default, the --encryptionCipherMode option uses the
AES256-CBC mode.
Parameters of perconadecrypt
Option |
Purpose |
|---|---|
–encryptionKeyFile |
The path to the encryption key file |
–encryptionCipherMode |
The cipher mode for decryption. The supported values are AES256-CBC or AES256-GCM |
–inputPath |
The path to the encrypted rollback file |
–outputPath |
The path to save the decrypted rollback file |
Migrating from Key File Encryption to HashiCorp Vault Encryption¶
The steps below describe how to migrate from the key file encryption to using HashiCorp Vault.
Note
This is a simple guideline and it should be used for testing purposes only. We recommend to use Percona Consulting Services to assist you with migration in production environment.
Assumptions
We assume that you have installed and configured the vault server and enabled the KV Secrets Engine as the secrets storage for it.
Stop
mongod.$ sudo systemctl stop mongod
Insert the key from keyfile into the HashiCorp Vault server to the desired secret path.
# Retrieve the key value from the keyfile $ sudo cat /data/key/mongodb.key d0JTFcePmvROyLXwCbAH8fmiP/ZRm0nYbeJDMGaI7Zw= # Insert the key into vault $ vault kv put secret/dc/psmongodb1 value=d0JTFcePmvROyLXwCbAH8fmiP/ZRm0nYbeJDMGaI7Zw=
Note
Vault KV Secrets Engine uses different read and write secrets paths. To insert data to vault, specify the secret path without the
data/prefix.Edit the configuration file to provision the HashiCorp Vault configuration options instead of the key file encryption options.
security: enableEncryption: true vault: serverName: 10.0.2.15 port: 8200 secret: secret/data/dc/psmongodb1 tokenFile: /etc/mongodb/token serverCAFile: /etc/mongodb/vault.crt
Start the
mongodservice$ sudo systemctl start mongod