Local key management using a keyfile¶
The key file must contain a 32 character string encoded in base64. You can generate a random
key and save it to a file by using the openssl command:
$ openssl rand -base64 32 > mongodb-keyfile
Then, as the owner of the mongod process, update the file permissions: only
the owner should be able to read and modify this file. The effective permissions
specified with the chmod command can be:
- 600 - only the owner may read and modify the file
- 400 - only the owner may read the file.
$ chmod 600 mongodb-keyfile
Enable the data encryption at rest in Percona Server for MongoDB by setting these options:
-
--enableEncryptionto enable data at rest encryption -
--encryptionKeyFileto specify the path to a file that contains the encryption key
$ mongod ... --enableEncryption --encryptionKeyFile <fileName>
By default, Percona Server for MongoDB uses the AES256-CBC cipher mode. If you want to use the AES256-GCM cipher mode, then use the --encryptionCipherMode parameter to change it.
If mongod is started with the --relaxPermChecks option and the key file
is owned by root, then mongod can read the file based on the
group bit set accordingly. The effective key file permissions in this
case are:
- 440 - both the owner and the group can only read the file, or
- 640 - only the owner can read and the change the file, the group can only read the file.
All these options can be specified in the configuration file:
security:
enableEncryption: <boolean>
encryptionCipherMode: <string>
encryptionKeyFile: <string>
relaxPermChecks: <boolean>
Get expert help¶
If you need assistance, visit the community forum for comprehensive and free database knowledge, or contact our Percona Database Experts for professional support and services.