Configure encryption in MongoDB

this section discusses server configuration to support encryption at rest in mongodb mongodb enterprise 3 2 introduces a native encryption option for the wiredtiger storage engine secure management of the encryption keys is a critical requirement for storage encryption mongodb uses a master key that is not stored with the mongodb installation only the master key is externally managed, and you can store other keys with your mongodb instance the mongodb encrypted storage engine supports two key management options for the master key use of local key management through a key file integration with a third party key management appliance (such as the {{k3}} ) through the key management interoperability protocol (kmip) recommended mongodb cannot encrypt existing data when you enable encryption with a new key, the mongodb instance cannot have any pre existing data if your mongodb installation already has existing data, see encrypt existing data at rest for additional steps changed in version 4 0 mongodb enterprise on windows no longer supports aes256 gcm this cipher is now available only on linux the following sections cover integration with either a new key or an existing key integrate by using a new key to integrate by using a new key, perform the following instructions to enable encryption and confirm the master key on the {{k}} start the mongodb server and enable encryption perform the following steps to start the mongodb server and enable encryption by generating a new key on the {{k}} through kmip run the following command to create the directory /data/db to store the data directory files sudo mkdir p /data/db/ run the following command to set the current user as the owner of the /data/db directory sudo chown r $user $user /data/db run the following command to remove the mongodb sock file from the /tmp directory if one exists sudo rm /tmp/mongodb 27017 sock run the following command to create a new master key on the {{k3}} , which mongod uses to encrypt the keys mongod generates for each database mongod dbpath /data/db enableencryption kmipservername \<kmes ip> kmipport 5696 kmipservercafile root ca cert pem kmipclientcertificatefile mongodb cert and privatekey pem port 27018 the file you specify in the kmipclientcertificatefile flag must contain both the signed mongodb certificate and its associated private key when connecting to the kmip server, mongod verifies that the specified kmipservername matches the subject alternative name (san) (or, if san is not present, the common name (cn)) in the certificate presented by the kmip server if san is present, mongod does not match against the cn if the hostname does not match the san (or cn), mongod fails to connect to verify that the key creation and usage succeeded, check the log file if successful, the process logs the following messages \[initandlisten] created kmip key with id \<uid> \[initandlisten] encryption key manager initialized using master key with id \<uid> view the master key mongodb created on the {{k}} log in to the {{k3}} application interface with the default admin identities go to key management > keys select the default key group to view the aes 256 key that mongodb created through kmip integrate using an existing key to integrate by using an existing key, perform the following instructions to generate a master key and enable encryption generate a key perform the following steps to generate a key on the {{k}} for mongodb to use as its master key log in to the {{k3}} application interface with the default admin identities go to key management > keys select \[ create ] in the key groups section select symmetric as the key type and hsm protected for the storage location in the hsm protected key group window, specify a name for the key group in the service drop down menu, select key management interoperability protocol change the key length to aes 256 and select \[ ok ] select the key group you just created and, in the keys section, select \[ create ] and select \[ random ] specify a name for the key and select \[ ok ] start the mongodb server and enable encryption perform the following steps to start the mongodb server and enable encryption by using the existing key on the {{k}} run the following command to create the directory /data/db to store the data directory files sudo mkdir p /data/db/ run the following command to set the current user as the owner of the /data/db directory sudo chown r $user $user /data/db run the following command to remove the mongodb sock file from the /tmp directory if one exists sudo rm /tmp/mongodb 27017 sock run the following command to start mongodb by using the existing key on the kmes series 3, which mongod uses to encrypt the keys mongod generates for each database mongod dbpath /data/db enableencryption kmipservername \<kmes ip> kmipport 5696 kmipservercafile root ca cert pem kmipclientcertificatefile mongodb cert and privatekey pem port 27018 kmipkeyidentifier \<uid> the file you specify in the kmipclientcertificatefile flag must contain both the signed mongodb certificate and its associated private key the uid value you specify in the kmipkeyidentifier flag needs to be the name of the key that was created on the kmes in the previous subsection when connecting to the kmip server, mongod verifies that the specified kmipservername matches the subject alternative name (san) (or, if san is not present, the common name (cn)) in the certificate presented by the kmip server if san is present, mongod does not match against the cn if the hostname does not match the san (or cn), mongod fails to connect to verify that the key usage succeeds, check the log file if successful, the process logs the following message \[initandlisten] encryption key manager initialized using master key with id \<uid>