> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure database encryption in MongoDB

> Step-by-step guide to enable encryption-at-rest in MongoDB using WiredTiger with CryptoHub.

This section discusses server configuration to support encryption-at-rest in MongoDB. MongoDB Enterprise 3.2 introduces a native encryption option for the WiredTiger storage engine.

Secure management of the encryption keys is a critical requirement for storage encryption. MongoDB uses a master key that is not stored with the MongoDB installation. Only the master key is externally managed; you can store other keys with your MongoDB instance.

The MongoDB encrypted storage engine supports the following key management options for the master key:

* Use of local key management by using a key file.
* **Recommended** Integration with a third-party key management appliance (such as CryptoHub) through the Key Management Interoperability Protocol (KMIP).

<Warning>
  MongoDB cannot encrypt existing data. When you enable encryption with a new key, the MongoDB instance cannot have any pre-existing data. If your MongoDB installation already has data, see

  [Encrypt Existing Data at Rest](https://www.mongodb.com/docs/manual/tutorial/configure-encryption/#std-label-encrypt-existing-data) for additional steps.
</Warning>

<Note>
  Change in version 4.0: MongoDB Enterprise on Windows no longer supports AES256-GCM. This cipher is now available only on Linux.
</Note>

## Start the server and enable encryption

Perform the following steps to start the MongoDB server and enable encryption by generating a new key on the CryptoHub through KMIP:

<Steps>
  <Step>
    Create the directory `/data/db` to store the data directory files.

    ```text expandable lines wrap title="Text" theme={null}
    sudo mkdir -p /data/db/
    ```
  </Step>

  <Step>
    Set the current user as the owner of the `/data/db` directory.

    ```text expandable lines wrap title="Text" theme={null}
    sudo chown -R $USER:$USER /data/db
    ```
  </Step>

  <Step>
    Remove the MongoDB `.sock` file from the `/tmp` directory if one exists.

    ```text expandable lines wrap title="Text" theme={null}
    sudo rm /tmp/mongodb-27017.sock
    ```
  </Step>

  <Step>
    Create a new master key on the CryptoHub, which**mongod** uses to encrypt the keys **mongod** generates for each database.

    ```text expandable lines wrap title="Text" theme={null}
    mongod --dbpath /data/db --enableEncryption --kmipServerName <CryptoHub-IP> --kmipPort 5696 --kmipServerCAFile ca-chain.pem --kmipClientCertificateFile mongodb-cert-and-privatekey.pem --port 27018
    ```

    <Note>
      The file you specify in the `--kmipClientCertificateFile` flag must contain both the signed MongoDB certificate and its associated private key.
    </Note>
  </Step>

  <Step>
    When connecting to the KMIP server, the **mongod** verifies that the specified
    **--kmipServerName** matches the **Subject Alternative Name** (or, if SAN is not present, the **Common Name**) in the certificate presented by the KMIP server. If SAN is present, **mongod** does not match against the **CN**. If the hostname does not match the SAN (or CN), **mongod** fails to connect.

    Check the log file to verify that the key creation and usage succeeded.

    <Check>
      If successful, the process logs the following messages:

      ```none expandable lines wrap title="None" theme={null}
      [initandlisten] Created KMIP key with id: <UID>
      [initandlisten] Encryption key manager initialized using master key with id: <UID>
      ```
    </Check>
  </Step>
</Steps>
