    Percona Server for MongoDB 5.0
    Data at Rest Encryption

    Data at rest encryption for the WiredTiger storage engine was introduced in MongoDB Enterprise version 3.2. It encrypts the data files on disk so that they can be decrypted and read only by parties that hold the decryption key.

    Differences from upstream

    Data at rest encryption in Percona Server for MongoDB was introduced in version 3.6 and is compatible with the data at rest encryption interface of MongoDB. The current release of Percona Server for MongoDB does not support the Amazon AWS Key Management Service; instead, Percona Server for MongoDB is integrated with HashiCorp Vault.

    Starting with release 5.0.7-6, Percona Server for MongoDB also supports the secure transfer of keys using the Key Management Interoperability Protocol (KMIP). This lets you store the encryption keys in any KMIP-compatible key manager when you set up encryption at rest.

    Two types of keys are used for data at rest encryption:

    • Database keys to encrypt data. They are stored internally, near the data that they encrypt.

    • The master key to encrypt database keys. It is kept separately from the data and database keys and requires external management.

    To manage the master key, use one of the supported key management options:

    • Integration with an external key server (recommended). Percona Server for MongoDB is integrated with HashiCorp Vault for this purpose and supports the secure transfer of keys using Key Management Interoperability Protocol (KMIP).

    • Local key management using a keyfile.

    Note that you can use only one of the key management options at a time. However, you can switch from one option to another (for example, from a keyfile to HashiCorp Vault). Refer to the Migrating from key file encryption to HashiCorp Vault encryption section for details.

    Important

    You can enable data at rest encryption, and must provide all encryption settings, only on an empty database, when you start the mongod instance for the first time. You cannot enable or disable encryption on a server that is already running or that already holds data, and you cannot change the effective encryption mode by restarting the server with different options. Every time you restart the server, the encryption settings must be the same as at the first start.

    Important configuration options

    Percona Server for MongoDB supports the encryptionCipherMode option, which selects one of the following cipher modes:

    • AES256-CBC

    • AES256-GCM

    By default, the AES256-CBC cipher mode is applied. The following example demonstrates how to apply the AES256-GCM cipher mode when starting the mongod service:

    $ mongod ... --encryptionCipherMode AES256-GCM
    

    See also

    MongoDB Documentation: encryptionCipherMode Option

    Encrypting rollback files

    Starting from version 3.6, Percona Server for MongoDB also encrypts rollback files when data at rest encryption is enabled. To inspect the contents of these files, use perconadecrypt, a command-line tool that you run as follows:

    $ perconadecrypt --encryptionKeyFile FILE --inputPath FILE --outputPath FILE [--encryptionCipherMode MODE]
    

    When decrypting, the cipher mode must match the cipher mode that was used for encryption. The --encryptionCipherMode option defaults to AES256-CBC, so if mongod was started with --encryptionCipherMode AES256-GCM you must pass the same value to perconadecrypt; with the wrong mode the file does not decrypt.
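    The following Go program is an added example written for this page; it is not Percona's code and does not reproduce the on-disk format of Percona Server for MongoDB or of perconadecrypt. It models the two key types described above (database keys stored next to the data, wrapped by a master key that is managed externally) and the rule that the cipher mode used for decryption must match the one used for encryption. Assumptions: the local keyfile holds one base64-encoded 32-byte key (as the keyfile option on this site documents, but not stated on this page), the blob layouts nonce||ciphertext||tag for AES256-GCM and iv||ciphertext with PKCS#7 padding for AES256-CBC are this example's own, and the function names ParseKeyFile, Seal and Open are illustrative.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// The two cipher modes the page lists; AES256-CBC is mongod's default.
const ModeCBC, ModeGCM = "AES256-CBC", "AES256-GCM"

// ParseKeyFile decodes a local keyfile (assumed format: one base64-encoded 32-byte key, optional newline).
func ParseKeyFile(contents []byte) ([]byte, error) {
	key, err := base64.StdEncoding.DecodeString(string(bytes.TrimSpace(contents)))
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("keyfile must hold one base64-encoded 32-byte key (got %d bytes, err=%v)", len(key), err)
	}
	return key, nil
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable CSPRNG; refuse to continue
	}
	return b
}

// encrypt returns nonce||ciphertext||tag (GCM) or iv||ciphertext with PKCS#7
// padding (CBC) under a 256-bit key.
func encrypt(mode string, key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	switch mode {
	case ModeGCM:
		gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
		nonce := randomBytes(gcm.NonceSize())
		return gcm.Seal(nonce, nonce, plaintext, nil), nil
	case ModeCBC:
		pad := aes.BlockSize - len(plaintext)%aes.BlockSize
		padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
		iv, out := randomBytes(aes.BlockSize), make([]byte, len(padded))
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
		return append(iv, out...), nil
	}
	return nil, fmt.Errorf("unsupported cipher mode %q", mode)
}

// decrypt reverses encrypt. With the wrong mode it fails instead of returning
// garbage: GCM's tag does not verify, and CBC sees a bad length or bad padding.
func decrypt(mode string, key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	switch mode {
	case ModeGCM:
		gcm, _ := cipher.NewGCM(block)
		if len(blob) < gcm.NonceSize() {
			return nil, fmt.Errorf("ciphertext too short")
		}
		return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	case ModeCBC:
		if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
			return nil, fmt.Errorf("ciphertext is not a whole number of blocks")
		}
		out := make([]byte, len(blob)-aes.BlockSize)
		cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(out, blob[aes.BlockSize:])
		pad := int(out[len(out)-1])
		if pad == 0 || pad > aes.BlockSize || !bytes.Equal(out[len(out)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
			return nil, fmt.Errorf("bad padding: wrong key or cipher mode")
		}
		return out[:len(out)-pad], nil
	}
	return nil, fmt.Errorf("unsupported cipher mode %q", mode)
}

// Seal models the two-tier layout: a fresh database key encrypts the record; only that key, wrapped under the master key, is stored beside the data.
func Seal(masterKey []byte, mode string, record []byte) (wrappedKey, sealed []byte, err error) {
	dbKey := randomBytes(32)
	if wrappedKey, err = encrypt(mode, masterKey, dbKey); err == nil {
		sealed, err = encrypt(mode, dbKey, record)
	}
	return wrappedKey, sealed, err
}

// Open unwraps the database key, then decrypts the record. Master key and mode must both match what Seal used, as they must across mongod restarts.
func Open(masterKey []byte, mode string, wrappedKey, sealed []byte) ([]byte, error) {
	dbKey, err := decrypt(mode, masterKey, wrappedKey)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap database key: %w", err)
	}
	return decrypt(mode, dbKey, sealed)
}
```

    Sealing a record with AES256-GCM and then calling Open with the default AES256-CBC fails at the very first step, unwrapping the database key, which is the same failure you see when perconadecrypt is run without --encryptionCipherMode against a file written by a mongod that runs in GCM mode. A wrong master key fails in the same place, which is why the keyfile (or the Vault/KMIP key) must be the same on every restart.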

    Parameters of perconadecrypt

    Option                   Purpose
    --encryptionKeyFile      The path to the encryption key file
    --encryptionCipherMode   The cipher mode for decryption. The supported values are AES256-CBC and AES256-GCM; the default is AES256-CBC, so pass the mode that mongod was started with
    --inputPath              The path to the encrypted rollback file
    --outputPath             The path to save the decrypted rollback file

    Last update: December 8, 2022
    Created: December 8, 2022
    Percona LLC and/or its affiliates, © 2023