Skip to content

This documentation is for the end of life version of Percona Server for MongoDB and is no longer supported. You may want to see the current documentation.

Local key management using a keyfileΒΆ

The key file must contain a 32 character string encoded in base64. You can generate a random key and save it to a file by using the openssl command:

$ openssl rand -base64 32 > mongodb-keyfile

Then, as the owner of the mongod process, update the file permissions: only the owner should be able to read and modify this file. The effective permissions specified with the chmod command can be:

  • 600 - only the owner may read and modify the file

  • 400 - only the owner may read the file.

$ chmod 600 mongodb-keyfile

Enable the data encryption at rest in Percona Server for MongoDB by setting these options:

  • --enableEncryption to enable data at rest encryption

  • --encryptionKeyFile to specify the path to a file that contains the encryption key

$ mongod ... --enableEncryption --encryptionKeyFile <fileName>

By default, Percona Server for MongoDB uses the AES256-CBC cipher mode. If you want to use the AES256-GCM cipher mode, then use the encryptionCipherMode parameter to change it.

If mongod is started with the --relaxPermChecks option and the key file is owned by root, then mongod can read the file based on the group bit set accordingly. The effective key file permissions in this case are:

  • 440 - both the owner and the group can only read the file, or

  • 640 - only the owner can read and the change the file, the group can only read the file.

See also

MongoDB Documentation: Configure Encryption

https://docs.mongodb.com/manual/tutorial/configure-encryption/#local-key-management

Percona Blog: WiredTiger Encryption at Rest with Percona Server for MongoDB

https://www.percona.com/blog/2018/11/01/wiredtiger-encryption-at-rest-percona-server-for-mongodb/

All these options can be specified in the configuration file:

security:
   enableEncryption: <boolean>
   encryptionCipherMode: <string>
   encryptionKeyFile: <string>
   relaxPermChecks: <boolean>

See also

MongoDB Documentation: How to set options in a configuration file

https://docs.mongodb.com/manual/reference/configuration-options/index.html#configuration-file