Configure database encryption in MongoDB

this section discusses server configuration to support encryption at rest in mongodb mongodb enterprise 3 2 introduces a native encryption option for the wiredtiger storage engine secure management of the encryption keys is a critical requirement for storage encryption mongodb uses a master key that is not stored with the mongodb installation only the master key is externally managed; you can store other keys with your mongodb instance the mongodb encrypted storage engine supports the following key management options for the master key use of local key management by using a key file recommended integration with a third party key management appliance (such as {{ch}} ) through the key management interoperability protocol (kmip) mongodb cannot encrypt existing data when you enable encryption with a new key, the mongodb instance cannot have any pre existing data if your mongodb installation already has data, see encrypt existing data at rest https //www mongodb com/docs/manual/tutorial/configure encryption/#std label encrypt existing data for additional steps change in version 4 0 mongodb enterprise on windows no longer supports aes256 gcm this cipher is now available only on linux start the server and enable encryption perform the following steps to start the mongodb server and enable encryption by generating a new key on the {{ch}} through kmip create the directory /data/db to store the data directory files sudo mkdir p /data/db/ set the current user as the owner of the /data/db directory sudo chown r $user $user /data/db remove the mongodb sock file from the /tmp directory if one exists sudo rm /tmp/mongodb 27017 sock create a new master key on the {{ch}} , which mongod uses to encrypt the keys mongod generates for each database mongod dbpath /data/db enableencryption kmipservername \<cryptohub ip> kmipport 5696 kmipservercafile ca chain pem kmipclientcertificatefile mongodb cert and privatekey pem port 27018 the file you specify in the kmipclientcertificatefile flag must contain both the signed mongodb certificate and its associated private key when connecting to the kmip server, the mongod verifies that the specified kmipservername matches the subject alternative name (or, if san is not present, the common name ) in the certificate presented by the kmip server if san is present, mongod does not match against the cn if the hostname does not match the san (or cn), mongod fails to connect check the log file to verify that the key creation and usage succeeded if successful, the process logs the following messages \[initandlisten] created kmip key with id \<uid> \[initandlisten] encryption key manager initialized using master key with id \<uid>