Configure database encryption in MongoDB

3min

This section discusses server configuration to support encryption-at-rest in MongoDB. MongoDB Enterprise 3.2 introduces a native encryption option for the WiredTiger storage engine.
Secure management of the encryption keys is a critical requirement for storage encryption. MongoDB uses a master key that is not stored with the MongoDB installation. Only the master key is externally managed; you can store other keys with your MongoDB instance.
The MongoDB encrypted storage engine supports the following key management options for the master key:
Use of local key management by using a key file.
Recommended Integration with a third-party key management appliance (such as ) through the Key Management Interoperability Protocol (KMIP). 
MongoDB cannot encrypt existing data. When you enable encryption with a new key, the MongoDB instance cannot have any pre-existing data. If your MongoDB installation already has data, see Encrypt Existing Data at Rest for additional steps.

Change in version 4.0: MongoDB Enterprise on Windows no longer supports AES256-GCM. This cipher is now available only on Linux.
Start the MongoDB server and enable encryption by generating a new key on the  through KMIP
1
Create the directory /data/db to store the data directory files.
Text
sudo mkdir -p /data/db/
sudo mkdir -p /data/db/
﻿
2
Set the current user as the owner of the /data/db directory.
Text
sudo chown -R $USER:$USER /data/db
sudo chown -R $USER:$USER /data/db
﻿
3
Remove the MongoDB .sock file from the /tmp directory if one exists.
Text
sudo rm /tmp/mongodb-27017.sock
sudo rm /tmp/mongodb-27017.sock
﻿
4
Create a new master key on the , which mongod uses to encrypt the keys mongod generates for each database.
Text
mongod --dbpath /data/db --enableEncryption --kmipServerName <CryptoHub-IP> --kmipPort 5696 --kmipServerCAFile ca-chain.pem --kmipClientCertificateFile mongodb-cert-and-privatekey.pem --port 27018
mongod --dbpath /data/db --enableEncryption --kmipServerName <CryptoHub-IP> --kmipPort 5696 --kmipServerCAFile ca-chain.pem --kmipClientCertificateFile mongodb-cert-and-privatekey.pem --port 27018
﻿
The file you specify in the --kmipClientCertificateFile flag must contain both the signed MongoDB certificate and its associated private key.
5
When connecting to the KMIP server, the mongod verifies that the specified --kmipServerName matches the Subject Alternative Name (or, if SAN is not present, the Common Name) in the certificate presented by the KMIP server. If SAN is present, mongod does not match against the CN. If the hostname does not match the SAN (or CN), mongod fails to connect.
Check the log file to verify that the key creation and usage succeeded. 
If successful, the process logs the following messages:
Text
[initandlisten] Created KMIP key with id: <UID>
[initandlisten] Encryption key manager initialized using master key with id: <UID>
[initandlisten] Created KMIP key with id: <UID>
[initandlisten] Encryption key manager initialized using master key with id: <UID>
﻿
﻿
﻿
﻿
﻿
﻿
﻿

Updated 10 Dec 2024

Did this page help you?

Extract and combine client certificate and private key from PKCS12 into one file

MySQL Enterprise TDE