Skip to main content
This section discusses server configuration to support encryption-at-rest in MongoDB. MongoDB Enterprise 3.2 introduces a native encryption option for the WiredTiger storage engine. Secure management of the encryption keys is a critical requirement for storage encryption. MongoDB uses a master key that is not stored with the MongoDB installation. Only the master key is externally managed; you can store other keys with your MongoDB instance. The MongoDB encrypted storage engine supports the following key management options for the master key:
  • Use of local key management by using a key file.
  • Recommended Integration with a third-party key management appliance (such as CryptoHub) through the Key Management Interoperability Protocol (KMIP).
MongoDB cannot encrypt existing data. When you enable encryption with a new key, the MongoDB instance cannot have any pre-existing data. If your MongoDB installation already has data, seeEncrypt Existing Data at Rest for additional steps.
Change in version 4.0: MongoDB Enterprise on Windows no longer supports AES256-GCM. This cipher is now available only on Linux.

Start the server and enable encryption

Perform the following steps to start the MongoDB server and enable encryption by generating a new key on the CryptoHub through KMIP:
1
Create the directory /data/db to store the data directory files.
Text
sudo mkdir -p /data/db/
2
Set the current user as the owner of the /data/db directory.
Text
sudo chown -R $USER:$USER /data/db
3
Remove the MongoDB .sock file from the /tmp directory if one exists.
Text
sudo rm /tmp/mongodb-27017.sock
4
Create a new master key on the CryptoHub, whichmongod uses to encrypt the keys mongod generates for each database.
Text
mongod --dbpath /data/db --enableEncryption --kmipServerName <CryptoHub-IP> --kmipPort 5696 --kmipServerCAFile ca-chain.pem --kmipClientCertificateFile mongodb-cert-and-privatekey.pem --port 27018
The file you specify in the --kmipClientCertificateFile flag must contain both the signed MongoDB certificate and its associated private key.
5
When connecting to the KMIP server, the mongod verifies that the specified —kmipServerName matches the Subject Alternative Name (or, if SAN is not present, the Common Name) in the certificate presented by the KMIP server. If SAN is present, mongod does not match against the CN. If the hostname does not match the SAN (or CN), mongod fails to connect.Check the log file to verify that the key creation and usage succeeded.
If successful, the process logs the following messages:
None
[initandlisten] Created KMIP key with id: <UID>
[initandlisten] Encryption key manager initialized using master key with id: <UID>