- Use of local key management through a key file.
- Integration with a third-party key management appliance (such as the KMES Series 3) through the Key Management Interoperability Protocol (KMIP). Recommended.

Changed in version 4.0: MongoDB Enterprise on Windows no longer supports AES256-GCM. This cipher is now available only on Linux.
Integrate by using a new key
To integrate by using a new key, perform the following instructions to enable encryption and confirm the master key on the KMES.

Start the MongoDB server and enable encryption

Perform the following steps to start the MongoDB server and enable encryption by generating a new key on the KMES through KMIP:

- Run the following command to remove the MongoDB .sock file from the /tmp directory if one exists.
- Run the following command to create a new master key on the KMES Series 3, which the mongod command (www.mongodb.com/docs/manual/reference/program/mongod/#mongodb-binary-bin.mongod) uses to encrypt the keys it generates for each database.

The file you specify in the --kmipClientCertificateFile flag must contain both the signed MongoDB certificate and its associated private key.

When connecting to the KMIP server, mongod verifies that the specified --kmipServerName matches the Subject Alternative Name (SAN) (or, if no SAN is present, the Common Name (CN)) in the certificate presented by the KMIP server. If a SAN is present, mongod does not match against the CN. If the hostname does not match the SAN (or CN), mongod fails to connect.

To verify that the key creation and usage succeeded, check the log file. If successful, the process logs the following messages:
View the master key MongoDB created on the KMES
Integrate using an existing key
To integrate by using an existing key, perform the following instructions to generate a master key and enable encryption.

Generate a key

Perform the following steps to generate a key on the KMES for MongoDB to use as its master key:

- In the HSM Protected Key Group window, specify a name for the Key Group. In the Service drop-down menu, select Key Management Interoperability Protocol. Change the Key Length to AES-256 and select [ OK ].
- Select the key group you just created and, in the Keys section, select [ Create ] and then select [ Random ].
Start the MongoDB server and enable encryption
Perform the following steps to start the MongoDB server and enable encryption by using the existing key on the KMES:

- Run the following command to remove the MongoDB .sock file from the /tmp directory if one exists:
- Run the following command to start MongoDB by using the existing key on the KMES Series 3, which the mongod command (www.mongodb.com/docs/manual/reference/program/mongod/#mongodb-binary-bin.mongod) uses to encrypt the keys it generates for each database:

The file you specify in the --kmipClientCertificateFile flag must contain both the signed MongoDB certificate and its associated private key.

The UID value you specify in the --kmipKeyIdentifier flag must be the name of the key that was created on the KMES in the previous subsection.

When connecting to the KMIP server, mongod verifies that the specified --kmipServerName matches the Subject Alternative Name (SAN) (or, if no SAN is present, the Common Name (CN)) in the certificate presented by the KMIP server. If a SAN is present, mongod does not match against the CN. If the hostname does not match the SAN (or CN), mongod fails to connect.

To verify that the key usage succeeds, check the log file. If successful, the process logs the following message:
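As an added preflight example (not part of the MongoDB or Futurex documentation), the following Python applies the two rules stated above for both the new-key and existing-key flows before mongod is started: the --kmipClientCertificateFile must contain both a certificate and a private key, and --kmipServerName must equal a SAN DNS name of the KMIP server certificate, falling back to the CN only when no SAN exists. The PEM contents and hostnames below are constructed placeholders, and the hostname helper does exact matching only (no wildcard handling is described on this page, so none is assumed).

```python
"""Preflight checks for a mongod KMIP configuration (added example)."""
import re
from typing import Iterable, List, Optional

# One PEM block: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----".
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_block_types(pem_text: str) -> List[str]:
    """Return the PEM labels found, in order, e.g. ['CERTIFICATE', 'PRIVATE KEY']."""
    return [m.group(1) for m in _PEM_BLOCK.finditer(pem_text)]


def client_cert_file_is_complete(pem_text: str) -> bool:
    """True when the file holds a certificate AND a private key block,
    which is what --kmipClientCertificateFile requires."""
    types = pem_block_types(pem_text)
    has_cert = "CERTIFICATE" in types
    has_key = any(t.endswith("PRIVATE KEY") for t in types)  # PKCS#8 or RSA/EC key
    return has_cert and has_key


def kmip_server_name_matches(server_name: str,
                             san_dns_names: Iterable[str],
                             common_name: Optional[str]) -> bool:
    """mongod's rule: with a SAN present, --kmipServerName must equal one of the
    SAN DNS names and the CN is ignored; without a SAN, the CN is compared.
    DNS names are case-insensitive; a trailing dot is normalised away."""
    norm = lambda n: n.strip().rstrip(".").lower()
    wanted = norm(server_name)
    sans = [norm(n) for n in san_dns_names]
    if sans:
        return wanted in sans
    if common_name is None:
        return False
    return wanted == norm(common_name)


# Constructed sample file contents (placeholder bodies, not real key material).
CLIENT_PEM_OK = (
    "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
)
CLIENT_PEM_MISSING_KEY = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print("client file complete:", client_cert_file_is_complete(CLIENT_PEM_OK))
    # SAN present, so the matching CN does not rescue a mismatched --kmipServerName.
    print("name matches:", kmip_server_name_matches("kmes.example.test",
                                                   ["hsm.example.test"], "kmes.example.test"))
```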

