# Migrating from key file encryption to HashiCorp Vault encryption
The steps below describe how to migrate from the key file encryption to using HashiCorp Vault.
This is a simplified guideline intended for testing purposes only. We recommend using Percona Consulting Services to assist you with migration in a production environment.
We assume that you have installed and configured the Vault server and enabled the KV Secrets Engine as its secrets storage.
1. Stop the `mongod` service:

   ```
   $ sudo systemctl stop mongod
   ```

2. Insert the key from the key file into the HashiCorp Vault server at the desired secret path.

   Retrieve the key value from the key file:

   ```
   $ sudo cat /data/key/mongodb.key
   d0JTFcePmvROyLXwCbAH8fmiP/ZRm0nYbeJDMGaI7Zw=
   ```

   Insert the key into Vault:

   ```
   $ vault kv put secret/dc/psmongodb1 value=d0JTFcePmvROyLXwCbAH8fmiP/ZRm0nYbeJDMGaI7Zw=
   ```

   Vault KV Secrets Engine uses different read and write secrets paths. To insert data to vault, specify the secret path without the

3. Edit the configuration file to provision the HashiCorp Vault configuration options instead of the key file encryption options:

   ```yaml
   security:
     enableEncryption: true
     vault:
       serverName: 10.0.2.15
       port: 8200
       secret: secret/data/dc/psmongodb1
       tokenFile: /etc/mongodb/token
       serverCAFile: /etc/mongodb/vault.crt
   ```

4. Start the `mongod` service:

   ```
   $ sudo systemctl start mongod
   ```
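The following Python helper is an added example, not part of the Percona documentation: it validates the key file value before it is copied into Vault, maps the `vault kv put` write path to the KV v2 `data/` read path that belongs in the `secret:` option, and renders the `security:` section shown above. The 32-byte key length and the owner-only token file mode are assumptions.

```python
import base64
import binascii

# Sample key value as printed on the page (documentation sample, not a live key).
PAGE_SAMPLE_KEY = "d0JTFcePmvROyLXwCbAH8fmiP/ZRm0nYbeJDMGaI7Zw="
KEY_BYTES = 32  # assumption: the key file holds a base64-encoded 32-byte (AES-256) key


def validate_keyfile_value(value: str) -> str:
    """Return the trimmed base64 key or raise if it is not a well-formed key.

    Catches common migration mistakes: a trailing newline copied into the
    secret, a truncated paste, or a file that is not base64 at all.
    """
    key = value.strip()
    try:
        raw = base64.b64decode(key, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"key file is not valid base64: {exc}") from exc
    if len(raw) != KEY_BYTES:
        raise ValueError(f"expected a {KEY_BYTES}-byte key, got {len(raw)} bytes")
    return key


def kv_read_path(write_path: str) -> str:
    """Map the `vault kv put` path to the KV v2 API path that mongod reads.

    KV v2 is written at `<mount>/<path>` but read at `<mount>/data/<path>`;
    the mongod `secret:` option needs the latter form.
    """
    mount, _, rest = write_path.strip("/").partition("/")
    if not rest:
        raise ValueError("path must be <mount>/<secret path>")
    return f"{mount}/data/{rest}"


def render_security_block(server, port, write_path, token_file, ca_file) -> str:
    """Render the `security:` YAML section that replaces the key file options."""
    return "\n".join([
        "security:",
        "  enableEncryption: true",
        "  vault:",
        f"    serverName: {server}",
        f"    port: {port}",
        f"    secret: {kv_read_path(write_path)}",
        f"    tokenFile: {token_file}",
        f"    serverCAFile: {ca_file}",
    ])


def token_file_mode_ok(mode: int) -> bool:
    """True when the Vault token file is readable only by its owner (assumed 0600 or stricter)."""
    return (mode & 0o077) == 0
```

Run `validate_keyfile_value` on the key file contents before the `vault kv put` step, and compare the path it is written to with `kv_read_path` to confirm the `secret:` value in the mongod configuration.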
Created: December 8, 2022