Skip to content
Percona Software for MongoDB Documentation

Migrate from key file encryption to HashiCorp Vault encryption

The steps below describe how to migrate from the key file encryption to using HashiCorp Vault.

Note

This is a simple guideline and it should be used for testing purposes only. We recommend to contact Percona Consulting Services to assist you with migration in production environment.

Assumptions

We assume that you have installed and configured the vault server and enabled the KV Secrets Engine as the secrets storage for it.

  1. Stop mongod.

    $ sudo systemctl stop mongod

  2. Insert the key from keyfile into the HashiCorp Vault server to the desired secret path.

  3. Retrieve the key value from the keyfile

    $ sudo cat /data/key/mongodb.key
d0JTFcePmvROyLXwCbAH8fmiP/ZRm0nYbeJDMGaI7Zw=

  4. Insert the key into vault

    $ vault kv put secret/dc/psmongodb1 value=d0JTFcePmvROyLXwCbAH8fmiP/ZRm0nYbeJDMGaI7Zw=

    !!! note 

     Vault KV Secrets Engine uses different read and write secrets paths. To insert data to Vault, specify the secret path without the `data/` prefix.

  5. Edit the configuration file to provision the HashiCorp Vault configuration options instead of the key file encryption options.

    security:
   enableEncryption: true
   vault:
      serverName: 10.0.2.15
      port: 8200
      secret: secret/data/dc/psmongodb1
      tokenFile: /etc/mongodb/token
      serverCAFile: /etc/mongodb/vault.crt

  6. Start the mongod service

    $ sudo systemctl start mongod

Get expert help

If you need assistance, visit the community forum for comprehensive and free database knowledge, or contact our Percona Database Experts for professional support and services.

Community Forum Get a Percona Expert Join Percona Squad