    Migrating from key file encryption to HashiCorp Vault encryption

    The steps below describe how to migrate from key file encryption to encryption using HashiCorp Vault.

    Note

    This is a simple guideline and it should be used for testing purposes only. We recommend using Percona Consulting Services to assist you with the migration in a production environment.

    Assumptions

    We assume that you have installed and configured the Vault server and enabled the KV Secrets Engine as its secrets storage.

    1. Stop mongod.

      $ sudo systemctl stop mongod
      
    2. Insert the key from the keyfile into the HashiCorp Vault server at the desired secret path.

      • Retrieve the key value from the keyfile:

        $ sudo cat /data/key/mongodb.key
        d0JTFcePmvROyLXwCbAH8fmiP/ZRm0nYbeJDMGaI7Zw=

      • Insert the key into Vault:

        $ vault kv put secret/dc/psmongodb1 value=d0JTFcePmvROyLXwCbAH8fmiP/ZRm0nYbeJDMGaI7Zw=

      Note

      The Vault KV Secrets Engine uses different paths for reading and writing secrets. To insert data into Vault, specify the secret path without the data/ prefix; the secret option in the mongod configuration below uses the read path, which includes it.

    3. Edit the configuration file to provision the HashiCorp Vault configuration options instead of the key file encryption options.

      security:
         enableEncryption: true
         vault:
            serverName: 10.0.2.15
            port: 8200
            secret: secret/data/dc/psmongodb1
            tokenFile: /etc/mongodb/token
            serverCAFile: /etc/mongodb/vault.crt
      
    4. Start the mongod service.

      $ sudo systemctl start mongod
      

    Last update: December 8, 2022
    Created: December 8, 2022
    Percona LLC and/or its affiliates, © 2023