
Use OpenBao for data-at-rest encryption

OpenBao is an open-source alternative to HashiCorp Vault. Percona Server for MongoDB integrates with OpenBao for encryption key management and supports only the OpenBao back end with the KV Secrets Engine version 2 (API) and versioning enabled.

Assumptions

  1. We assume that you have OpenBao up and running. Refer to the OpenBao documentation for installation instructions.
  2. For secure communication with OpenBao, it is recommended to use TLS.
  3. You have an empty Percona Server for MongoDB deployment.

OpenBao setup

OpenBao setup is similar to that of HashiCorp Vault. It consists of the following steps:

  1. Initialize the OpenBao server. As a result, OpenBao generates the root token and the unseal key.

    $ bao operator init
    
  2. OpenBao starts in a sealed state. In this state, OpenBao can access its storage but cannot decrypt data. To use OpenBao, you need to unseal it with the unseal key.

    $ bao operator unseal <your-unseal-key>
    
  3. Next, authenticate to OpenBao using the root token.

    $ bao login <root-token>
    
  4. Enable the KV Secrets Engine version 2. By default, the secrets engine is enabled at the secret/ path. You can specify your own path using the -path flag.

    $ bao secrets enable --version=2 -path=secret kv
    
  5. Create the access policy and grant Percona Server for MongoDB read permissions for the secrets' metadata and for the secrets engine configuration. Percona Server for MongoDB needs these permissions to check the number of existing secrets in OpenBao before it generates a new key.

  6. Create an access policy file:

    $ cat <<EOF > psmdb-access.hcl
    path "secret/data/*" {
      capabilities = ["create","read","update","delete"]
    }
    path "secret/metadata/*" {
      capabilities = ["read"]
    }
    path "secret/config" {
      capabilities = ["read"]
    }
    EOF
    
  7. Upload the access policy to OpenBao:

    $ bao policy write psmdb-policy psmdb-access.hcl
    
  8. Create an access token that Percona Server for MongoDB will use. Create a separate access token for every instance of Percona Server for MongoDB in your deployment.

    $ bao token create -policy=psmdb-policy
    
  9. Export the access token to a file and restrict access to it to the mongod user:

    $ sudo mkdir -p /etc/openbao
    
    • Export the token into the token file. For TLS communication, also copy the .crt file from OpenBao into this directory. The redirect has to run with root privileges because /etc/openbao is owned by root; note that a token typed on the command line is also recorded in your shell history.
    $ echo "your-access-token-here" | sudo tee /etc/openbao/token > /dev/null
    
    • Restrict access to the token and certificate files to the mongod user:
    $ sudo chown mongod:mongod /etc/openbao/token
    $ sudo chmod 400 /etc/openbao/token
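The permission step above is easy to get wrong (a plain redirect leaves the file world-readable, and a stray chmod flag may silently fail). The following added example, which is not part of the Percona documentation, is a small check a practitioner can run before starting mongod: it reports a token file that is readable by group or others, has execute bits, is empty, or is owned by the wrong user. The token value, the temporary path and the expected owner used in `demo()` are constructed for the example; on a real host you would call `check_token_file("/etc/openbao/token", expected_owner="mongod")`.

```python
import os
import pwd
import stat
import tempfile


def check_token_file(path, expected_owner=None):
    """Return a list of problems with a credentials file such as
    /etc/openbao/token. An empty list means the file is acceptable:
    a regular, non-empty file that only its owner can read, with no
    execute bits, owned by expected_owner when one is given."""
    problems = []
    try:
        st = os.stat(path)  # follows symlinks, as mongod's open() would
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append(f"{path}: mode {mode:04o} is readable by group/other, expected 0400")
    if mode & 0o111:
        problems.append(f"{path}: mode {mode:04o} has execute bits set")
    if expected_owner is not None:
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            owner = str(st.st_uid)
        if owner != expected_owner:
            problems.append(f"{path}: owned by {owner}, expected {expected_owner}")
    if st.st_size == 0:
        problems.append(f"{path}: is empty, no token present")
    return problems


def demo():
    """Write a constructed token into a temporary file, first with the
    permissive 0644 mode a plain shell redirect typically leaves behind,
    then with 0400, and return the two problem lists (loose, strict)."""
    me = pwd.getpwuid(os.getuid()).pw_name  # stands in for the mongod user here
    with tempfile.TemporaryDirectory() as d:
        token_path = os.path.join(d, "token")
        with open(token_path, "w") as f:
            f.write("constructed-example-token\n")  # constructed, not a real token
        os.chmod(token_path, 0o644)
        loose = check_token_file(token_path, expected_owner=me)
        os.chmod(token_path, 0o400)
        strict = check_token_file(token_path, expected_owner=me)
    return loose, strict


if __name__ == "__main__":
    loose, strict = demo()
    print("0644:", loose)   # one problem: readable by group/other
    print("0400:", strict)  # no problems
```

The check follows symlinks on purpose: what matters is the permissions of the file mongod actually reads, not of a link pointing at it.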
    

Percona Server for MongoDB configuration

Percona Server for MongoDB configuration for OpenBao is the same as for HashiCorp Vault. Refer to the HashiCorp Vault parameters for the description of the available configuration options.

To enable data-at-rest encryption in Percona Server for MongoDB, you need the following information:

  • OpenBao URL and port
  • OpenBao secrets engine mount path
  • Path to the access token

  1. Edit the /etc/mongod.conf configuration file and specify the following configuration:

    security:
      enableEncryption: true
      vault:
        serverName: 127.0.0.1
        port: 8200
        tokenFile: /etc/openbao/token
        secret: secret/data/
    
  2. Start Percona Server for MongoDB:

    $ sudo systemctl start mongod
    

Alternatively, start Percona Server for MongoDB from the command line with the equivalent parameters. The --vaultDisableTLSForTesting flag disables TLS for the OpenBao connection and, as its name says, is meant for testing only:

$ mongod --enableEncryption --vaultServerName 127.0.0.1 --vaultPort 8200 --vaultTokenFile /etc/openbao/token --vaultSecret secret/data/ --vaultDisableTLSForTesting
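The policy from the OpenBao setup and the `secret` path in mongod.conf (or `--vaultSecret`) have to agree: the data prefix must sit under a KV v2 mount, and the matching `<mount>/metadata/` and `<mount>/config` paths need read access, or mongod will fail when it checks for existing keys. The following added example, not part of the Percona documentation, parses a policy in the simple shape shown on this page and reports which capabilities are missing for the prefix configured in mongod.conf. It assumes the mongod.conf and policy samples embedded below (constructed copies of the ones above), a constructed key name `example-key` to exercise the `*` glob, and a simplified model of policy matching: exact rule, otherwise the longest matching `*` glob, with `deny` removing everything; the `+` single-segment wildcard and templated paths are not modeled.

```python
import re

# Constructed sample inputs: the policy and the vault section of mongod.conf
# as shown on this page.
POLICY_HCL = '''
path "secret/data/*" {
  capabilities = ["create","read","update","delete"]
}
path "secret/metadata/*" {
  capabilities = ["read"]
}
path "secret/config" {
  capabilities = ["read"]
}
'''

MONGOD_CONF = '''
security:
  enableEncryption: true
  vault:
    serverName: 127.0.0.1
    port: 8200
    tokenFile: /etc/openbao/token
    secret: secret/data/
'''

# One rule of the form: path "<pattern>" { capabilities = [ ... ] }
_RULE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_policy(hcl):
    """Return {path_pattern: set(capabilities)} for the policy shape used above."""
    policy = {}
    for path, caps in _RULE.findall(hcl):
        policy[path] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return policy


def capabilities_for(policy, path):
    """Capabilities granted on a concrete path: an exact rule wins, otherwise
    the longest matching '*' glob; a rule containing 'deny' grants nothing."""
    if path in policy:
        caps = policy[path]
    else:
        globs = [p for p in policy if p.endswith("*") and path.startswith(p[:-1])]
        if not globs:
            return set()
        caps = policy[max(globs, key=len)]
    return set() if "deny" in caps else set(caps)


def vault_secret_prefix(conf):
    """Extract security.vault.secret from a mongod.conf text (no YAML library needed)."""
    m = re.search(r'^\s*secret:\s*(\S+)', conf, re.M)
    return m.group(1) if m else None


def check_psmdb_access(policy_hcl, conf):
    """Return a list of '<path>: missing <capability>' strings; empty means the
    policy covers everything the configured secret prefix needs."""
    prefix = vault_secret_prefix(conf)
    if prefix is None:
        return ["security.vault.secret is not set"]
    parts = prefix.strip("/").split("/")
    if len(parts) < 2 or parts[1] != "data":
        return [f"secret prefix {prefix!r} is not a KV v2 data path (<mount>/data/...)"]
    mount = parts[0]
    key = "example-key"  # constructed key name standing in for a key mongod would write
    data_path = prefix.rstrip("/") + "/" + key
    meta_path = mount + "/metadata/" + "/".join(parts[2:] + [key])
    config_path = mount + "/config"
    required = [
        (data_path, {"create", "read", "update", "delete"}),  # the set the page's policy grants
        (meta_path, {"read"}),
        (config_path, {"read"}),
    ]
    policy = parse_policy(policy_hcl)
    missing = []
    for path, caps in required:
        have = capabilities_for(policy, path)
        missing.extend(f"{path}: missing {cap}" for cap in sorted(caps - have))
    return missing


if __name__ == "__main__":
    print("page policy vs page config:", check_psmdb_access(POLICY_HCL, MONGOD_CONF))
    print("page policy vs kv/ mount:  ",
          check_psmdb_access(POLICY_HCL, MONGOD_CONF.replace("secret/data/", "kv/data/")))
```

Running the script against the page's own policy and config reports nothing missing; pointing the config at a different mount (`kv/data/`) reports every capability as missing, which is exactly the mismatch that shows up only at mongod start time otherwise.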