MongoDB encryption at rest

Encryption at rest means encrypting the data we store on disk, so that the files are unreadable to anyone who does not hold the key. With MongoDB it can be achieved in two ways.

Application level encryption

Application-level encryption is not a feature of the MongoDB server; it is done in the application layer before the data reaches the driver. The developer uses an encryption library to encrypt either the whole document or selected fields, stores the ciphertext, and decrypts it again after reading it back. For example, if we need to store users' bank account details, we can encrypt only the payment fields and leave the rest of the document as it is. Two things follow from this: the server cannot index or search the encrypted values (to it they are opaque ciphertext), and the application, not the database, is now responsible for storing and rotating the key. Use an authenticated mode such as AES-GCM so that tampered ciphertext is rejected on decryption rather than silently decrypting to garbage. Newer MongoDB drivers offer client-side field level encryption, which automates the same idea; the server still only ever sees ciphertext.

##This is your data, and you want to encrypt only the payment field
{
    userAge: 28,
    affiliation: "none",
    payment:[
        {bank:"bankName", acNo:"XXXX", amount:NumberLong(500)}
    ]
}
##It can be encrypted at the application layer and stored in the db like this (the ciphertext is usually stored base64-encoded)
{
    userAge: 28,
    affiliation: "none",
    payment:[
        "5sda#ji68kh..."
    ]
}

Storage level encryption

This type of encryption is only available in MongoDB Enterprise edition with the WiredTiger storage engine.

MongoDB encryption diagram

Data lives in RAM in unencrypted form; when MongoDB writes a page to disk, WiredTiger encrypts it first, and pages are decrypted again as they are read back. Encryption at rest therefore protects the data files (and copies of them, such as a stolen disk or a backup of the raw files), not data in memory or data returned to an authenticated client. The key handling works in the following steps.

  • A master key is generated. It is held outside MongoDB (in a KMIP key server or a local key file) and is used only to encrypt the other keys, never the data itself.
  • MongoDB generates a separate internal key for each database.
  • Each database's data is encrypted with that database's own key.
  • Each database key is in turn encrypted with the master key, and only this encrypted form is ever written to disk alongside the data.
MongoDB WiredTiger encryption process

Note: the database keys stay inside MongoDB (on disk only in encrypted form), while the master key must remain outside MongoDB.
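To make both layers concrete, here is an added example in Go. It is not code from this article or from MongoDB (the WiredTiger implementation is C and is not shown here); WrapKey, UnwrapKey, RotateMaster, EncryptField, DecryptField and the "dbkey:"/"field:" context strings are names chosen for this example, and the sample document is constructed. It does two things: it encrypts the payment field of a document the way the application-level section describes, and it wraps a per-database key under a master key the way the storage-level steps describe, including a master-key rotation that re-wraps the database key without re-encrypting any data. AES-256-GCM is the choice made here; MongoDB's storage engine defaults to AES256-CBC.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// newKey returns 32 random bytes, i.e. an AES-256 key.
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a programming error
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// encrypt returns base64(nonce || AES-256-GCM ciphertext); aad is authenticated, not encrypted.
func encrypt(key, plaintext, aad []byte) string {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, aad))
}

// decrypt reverses encrypt and fails if the key, aad or ciphertext was altered.
func decrypt(key []byte, encoded string, aad []byte) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	gcm := aead(key)
	if err != nil || len(raw) < gcm.NonceSize() {
		return nil, fmt.Errorf("malformed ciphertext")
	}
	return gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], aad)
}

// WrapKey encrypts a database key under the master key; only this wrapped form is stored
// with the data. UnwrapKey reverses it. The database name as aad ties the key to its database.
func WrapKey(master, dbKey []byte, db string) string { return encrypt(master, dbKey, []byte("dbkey:"+db)) }
func UnwrapKey(master []byte, wrapped, db string) ([]byte, error) { return decrypt(master, wrapped, []byte("dbkey:"+db)) }

// RotateMaster re-wraps every database key under newMaster; no data is re-encrypted.
func RotateMaster(wrapped map[string]string, oldMaster, newMaster []byte) error {
	for db, w := range wrapped {
		k, err := UnwrapKey(oldMaster, w, db)
		if err != nil {
			return err
		}
		wrapped[db] = WrapKey(newMaster, k, db)
	}
	return nil
}

// EncryptField replaces doc[field] with its ciphertext; the field name as aad stops a
// ciphertext copied into another field from decrypting.
func EncryptField(key []byte, doc map[string]interface{}, field string) error {
	pt, err := json.Marshal(doc[field])
	if err != nil {
		return err
	}
	doc[field] = encrypt(key, pt, []byte("field:"+field))
	return nil
}

// DecryptField restores the plaintext value written by EncryptField.
func DecryptField(key []byte, doc map[string]interface{}, field string) error {
	ct, _ := doc[field].(string) // anything but a string fails below as malformed
	pt, err := decrypt(key, ct, []byte("field:"+field))
	if err != nil {
		return err
	}
	var v interface{}
	if err = json.Unmarshal(pt, &v); err == nil {
		doc[field] = v
	}
	return err
}

func main() {
	master, dbKey := newKey(), newKey() // master: from KMIP or a key file; dbKey: generated per database
	wrapped := map[string]string{"accounts": WrapKey(master, dbKey, "accounts")} // kept with the data
	doc := map[string]interface{}{"userAge": 28, "payment": []interface{}{"bankName", "XXXX", 500}}
	EncryptField(dbKey, doc, "payment")
	fmt.Println("stored:", doc)
	newMaster := newKey()
	RotateMaster(wrapped, master, newMaster) // re-wraps the database key; doc is untouched
	k, _ := UnwrapKey(newMaster, wrapped["accounts"], "accounts")
	fmt.Println("read back:", DecryptField(k, doc, "payment"), doc)
}
```

Run it with go run: the stored document prints with payment as a single base64 string, and after the master-key rotation only wrapped["accounts"] has changed while the document decrypts exactly as before. Unwrapping with the old master key fails, which is the property that makes rotating a KMIP-held master key cheap: re-wrap the small database keys, leave the data files alone.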

MongoDB requires the master key to be managed externally. There are two options for this:

  • KMIP (Key Management Interoperability Protocol), the recommended option: the master key lives in a key management appliance or service and never touches the database host's disk.
  • Local key management: the master key is read from a file on the database host. This is easy to set up but leaves key and data on the same machine, so it is better suited to testing.

Now I am using the second method to demonstrate easily how encryption works in MongoDB; I am using Ubuntu here to create the key file first.

##After logging in as the mongodb user on Ubuntu (the key file must be readable by the user mongod runs as, and by nobody else)
>openssl rand -base64 32 > mongodb-keyfile
>chmod 600 mongodb-keyfile

Now the encryption key is stored on the same box where MongoDB is deployed. In the configuration file we add a few parameters so that the mongod process starts with encryption enabled.

## You just need to add these few lines to your mongod configuration file to enable encryption with local key management.

security:
  authorization: enabled
  enableEncryption: true
  encryptionKeyFile: 'mongodb-keyfile'

## encryptionKeyFile -> the path to your key file. Use an absolute path: a relative path is resolved against the working directory of the mongod process, not the location of the config file. Encryption can only be enabled on a fresh data directory; existing unencrypted data has to be re-imported, or re-synced from another replica set member.
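Before starting mongod it is worth checking the key file the way mongod will see it. The following is an added Go example, not part of this article or of MongoDB; CheckKeyFile and WriteKeyFile are names chosen here. CheckKeyFile rejects a key file that is readable by group or others, holds more than one line, is not base64, or does not decode to 16 or 32 bytes (the key sizes MongoDB's documentation lists for a local key file). WriteKeyFile reproduces the openssl rand -base64 32 plus chmod 600 steps above from Go, and main shows the check passing on a fresh file and failing after a careless chmod.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// CheckKeyFile validates a local encryption key file before mongod is started.
// It enforces what the setup steps imply: the file is readable only by its owner,
// holds exactly one line, and base64-decodes to a 16 or 32 byte key.
func CheckKeyFile(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	if perm := info.Mode().Perm(); perm&0077 != 0 {
		return fmt.Errorf("%s: mode %04o is readable by group or others; run chmod 600", path, perm)
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	text := strings.TrimRight(string(data), "\r\n")
	if text == "" || strings.ContainsAny(text, "\r\n") {
		return fmt.Errorf("%s: key file must contain exactly one line", path)
	}
	key, err := base64.StdEncoding.DecodeString(text)
	if err != nil {
		return fmt.Errorf("%s: not valid base64: %v", path, err)
	}
	if n := len(key); n != 16 && n != 32 {
		return fmt.Errorf("%s: decoded key is %d bytes, want 16 or 32", path, n)
	}
	return nil
}

// WriteKeyFile does what "openssl rand -base64 32 > mongodb-keyfile; chmod 600
// mongodb-keyfile" does: 32 random bytes, base64, one line, owner-only permissions.
func WriteKeyFile(path string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	return os.WriteFile(path, []byte(base64.StdEncoding.EncodeToString(key)+"\n"), 0600)
}

func main() {
	dir, err := os.MkdirTemp("", "mongo-keyfile-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "mongodb-keyfile")
	if err := WriteKeyFile(path); err != nil {
		panic(err)
	}
	fmt.Println("fresh key file:", CheckKeyFile(path))
	os.Chmod(path, 0644) // the mistake the check is meant to catch
	fmt.Println("after chmod 644:", CheckKeyFile(path))
}
```

Run the check as the user mongod runs as, against the absolute path you put in encryptionKeyFile; a file that is correct but owned by another user will pass the permission test here and still be unreadable to mongod.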

Now you can start the mongod process and it will keep your data encrypted on disk. Keep in mind, though, that with local key management the key sits inside the same VM as the data files: anyone who can read both (a stolen disk image, a compromised host, a backup that includes the key file) can decrypt the data, which is why KMIP is the recommended option for production. I have also configured KMIP for external key management using pyKMIP, a Python implementation of the protocol; I will share that in another article very soon.