Local key management using a keyfile
The key file must contain a 32-byte key encoded in base64 (the encoded string is 44 characters long; AES-256 needs exactly 32 raw bytes). You can generate a random key and save it to a file with openssl:
$ openssl rand -base64 32 > mongodb-keyfile
Then, as the owner of the mongod process, update the file permissions: only the owner should be able to read and modify this file. The effective permissions specified with the chmod command can be:
- 600 - only the owner may read and modify the file
- 400 - only the owner may read the file
$ chmod 600 mongodb-keyfile
Enable data-at-rest encryption in Percona Server for MongoDB by setting these options:
--enableEncryption to enable data-at-rest encryption
--encryptionKeyFile to specify the path to the file that contains the encryption key
$ mongod ... --enableEncryption --encryptionKeyFile <fileName>
By default, Percona Server for MongoDB uses the AES256-CBC cipher mode. If you want to use the AES256-GCM cipher mode, use the --encryptionCipherMode parameter to change it.
If mongod is started with the --relaxPermChecks option and the key file is owned by root, mongod can read the file through the group bit, provided the file's group is set accordingly. The effective key file permissions in this case can be:
- 440 - both the owner and the group can only read the file, or
- 640 - only the owner can read and change the file; the group can only read the file.
All these options can be specified in the configuration file:

```yaml
security:
  enableEncryption: <boolean>
  encryptionCipherMode: <string>
  encryptionKeyFile: <string>
  relaxPermChecks: <boolean>
```
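The whole procedure above, as an added shell example that is not part of the Percona documentation or of Percona Server for MongoDB itself: it generates the keyfile under a restrictive umask so the key is never world-readable even for an instant, verifies that the file decodes to exactly 32 bytes and carries a mode mongod will accept (600/400 without relaxPermChecks, additionally 440/640 with it), and writes the matching security section of a mongod.conf. The function names, the scratch paths, and the fallback to coreutils base64 when openssl is absent are assumptions of this example; the permission rules and option names come from the text above.

```sh
#!/bin/sh
# Added example (not Percona's tooling): prepare and validate a keyfile for
# Percona Server for MongoDB data-at-rest encryption, then write mongod.conf.
# Assumes Linux coreutils (stat -c, base64 -d) with a BSD stat fallback;
# openssl is used when present. All paths below are hypothetical.
set -eu

# Base64-decode stdin, preferring openssl (the tool the docs use).
b64decode() {
    if command -v openssl >/dev/null 2>&1; then
        openssl base64 -d
    else
        base64 -d
    fi
}

# Generate 32 random bytes, base64-encoded, into $1. The subshell umask
# makes the file 0600 at creation, so there is no window where a
# "chmod after the fact" would leave the key world-readable.
generate_keyfile() {
    keyfile=$1
    (
        umask 077
        if command -v openssl >/dev/null 2>&1; then
            openssl rand -base64 32 > "$keyfile"
        else
            head -c 32 /dev/urandom | base64 > "$keyfile"
        fi
    )
    chmod 600 "$keyfile"   # explicit, in case the file already existed
}

# Octal permission bits of $1 (GNU stat first, BSD/macOS stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Number of raw bytes the keyfile decodes to; AES-256 needs exactly 32.
key_bytes() {
    b64decode < "$1" | wc -c | tr -d ' '
}

# Validate a keyfile: 32 decoded bytes and a mode mongod accepts.
# $2 = 1 models --relaxPermChecks (440/640 also allowed). Returns 0/1.
check_keyfile() {
    keyfile=$1
    relaxed=${2:-0}
    if [ "$(key_bytes "$keyfile")" -ne 32 ]; then
        echo "keyfile does not decode to 32 bytes" >&2
        return 1
    fi
    mode=$(file_mode "$keyfile")
    case "$mode" in
        600|400) return 0 ;;
        440|640) [ "$relaxed" -eq 1 ] && return 0 ;;
    esac
    echo "keyfile mode $mode not allowed (relaxPermChecks=$relaxed)" >&2
    return 1
}

# Write the security section of a mongod.conf ($1) pointing at keyfile $2.
# $3 is the cipher mode (default AES256-CBC, as in the docs), $4 relaxPermChecks.
write_config() {
    conf=$1; keyfile=$2; cipher=${3:-AES256-CBC}; relaxed=${4:-false}
    cat > "$conf" <<EOF
security:
  enableEncryption: true
  encryptionCipherMode: $cipher
  encryptionKeyFile: $keyfile
  relaxPermChecks: $relaxed
EOF
}

# Usage demonstration on a scratch directory (hypothetical paths).
workdir=$(mktemp -d)
generate_keyfile "$workdir/mongodb-keyfile"
check_keyfile "$workdir/mongodb-keyfile" 0 \
    && echo "keyfile OK: mode $(file_mode "$workdir/mongodb-keyfile")"
write_config "$workdir/mongod.conf" "$workdir/mongodb-keyfile"
cat "$workdir/mongod.conf"
# Next step on a real host (not run here):
#   mongod --config "$workdir/mongod.conf"
rm -rf "$workdir"
```

Run it as the user that will own the mongod process; check_keyfile is the pre-flight you would wire into a deployment script so a misconfigured 644 keyfile is caught before mongod refuses to start (or, worse, before a loosely permissioned copy of the key lingers on the host).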
Created: December 7, 2022