Percona Server for MongoDB 4.2
Local key management using a keyfile

The key file must contain a 32-character string encoded in base64. You can generate a random key and save it to a file with the openssl command:

$ openssl rand -base64 32 > mongodb-keyfile

Then, as the owner of the mongod process, update the file permissions so that only the owner can read and modify the file. The effective permissions set with the chmod command can be:

• 600 - only the owner may read and modify the file
• 400 - only the owner may read the file

$ chmod 600 mongodb-keyfile

Enable data at rest encryption in Percona Server for MongoDB by setting these options:

• --enableEncryption to enable data at rest encryption
• --encryptionKeyFile to specify the path to the file that contains the encryption key

$ mongod ... --enableEncryption --encryptionKeyFile <fileName>

By default, Percona Server for MongoDB uses the AES256-CBC cipher mode. To use the AES256-GCM cipher mode instead, change it with the --encryptionCipherMode parameter.

If mongod is started with the --relaxPermChecks option and the key file is owned by root, then mongod can read the file as long as the group read bit is set. The effective key file permissions in this case are:

• 440 - both the owner and the group can only read the file, or
• 640 - only the owner can read and change the file; the group can only read the file.

All these options can be specified in the configuration file:

security:
   enableEncryption: <boolean>
   encryptionCipherMode: <string>
   encryptionKeyFile: <string>
   relaxPermChecks: <boolean>
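As an added example (not part of the Percona documentation or of the server itself), a POSIX shell helper that creates the key file the way the steps above describe and then checks an existing key file before mongod is started: the base64 content must decode to 32 bytes, and the mode must be one of those this page allows (600/400, or 440/640 only with --relaxPermChecks and a root-owned file). It assumes openssl and GNU or BSD stat are installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Percona's code): create and validate a mongod
# encryption key file according to the rules on this page.
# Assumptions: openssl and GNU or BSD stat are installed; function
# names are hypothetical.

# Write 32 random bytes, base64-encoded, with owner-only access.
generate_keyfile() {
    # subshell so the umask does not leak into the caller
    ( umask 077 && openssl rand -base64 32 > "$1" ) || return 1
    chmod 600 "$1"
}

# Print the octal mode of a file, e.g. 600 (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# The key must decode to exactly 32 bytes; openssl's base64 decoder is
# used because its flags are the same on Linux and macOS.
check_key_length() {
    n=$(openssl base64 -d -in "$1" | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# Modes allowed by the page: 600 or 400 always; 440 or 640 only when
# mongod runs with --relaxPermChecks and the file is owned by root.
# $1 = octal mode, $2 = 1 if relaxPermChecks is on, else 0
mode_allowed() {
    case "$1" in
        600|400) return 0 ;;
        440|640) [ "${2:-0}" -eq 1 ] && return 0 ;;
    esac
    return 1
}

# Full pre-start check: length, mode and (for relaxed modes) root ownership.
check_keyfile() {
    relax=${2:-0}
    check_key_length "$1" || { echo "$1: key is not 32 bytes" >&2; return 1; }
    mode=$(file_mode "$1")
    mode_allowed "$mode" "$relax" || { echo "$1: mode $mode not allowed" >&2; return 1; }
    if [ "$mode" != 600 ] && [ "$mode" != 400 ]; then
        owner=$(stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1")
        [ "$owner" -eq 0 ] || { echo "$1: relaxed mode requires root owner" >&2; return 1; }
    fi
}
```

Run `check_keyfile /path/to/mongodb-keyfile 0` (or `1` when relaxPermChecks is enabled) from the mongod service's pre-start hook; a non-zero exit means the file would either be rejected by mongod or is readable more widely than intended.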

    Last update: December 8, 2022
    Created: December 8, 2022
    Percona LLC and/or its affiliates, © 2023