MongoDB encryption at rest

Encryption at Rest – means, we need to encrypt our data that we want to store on disk. It can be achieved by following two forms.

Application level encryption

For application level encryption, it is not a feature offered by MongoDB, rather it can be achieved at Application layer. Application developer should use any encryption/decryption algorithm or library witch encrypt full document or few field(s) of a document and store it to database server disk. When it will retrieved by application, data will be decrypted at application end. Say for example if we need to store user bank account related information in our database then we can encrypt specific fields data and store/retrieve it from db when required.

##This is your data, and want to encrypt only payment field
    userAge: 28,
    affiliation: "none",
        {bank:"bankName", acNo:"XXXX", amount:NumberLong(500.0000)}
##It can be encrypt at application layer and store to db like this
    userAge: 28,
    affiliation: "none",

Storage level encryption

This type of encryption is only available in MongoDB Enterprise edition with WiredTiger storage engine.

MongoDB encryption diagram

Data first lives in RAM in unencrypted form, when MongoDB wants to store the information at disk, first it will encrypt the info in RAM first then store it on Disk. Encryption is following few steps.

  • First a master key will be generated. This key will be include in each database key.
  • Generate a key for each database.
  • After a database key generation, it will be encryption key for each database.
  • After all database will encrypted with their respective keys, each keys then encrypted by Master Key.
MongoDB WiredTiger Encryption prcess

Note : Each database key remain in MongoDB but Master Key will be remain outside of Mongodb.

MongoDB required external management for master key, we have two option for external key management.

  • KMIP (Key Management Interoperability Protocol) Recommended
  • Local Key Management.

Now I am using the second method to demonstrate easily how encryption works in MongoDB, I am using here Ubuntu to make first keyfile.

##After login with mongodb username in ubuntu
>openssl rand -base64 32 > mongodb-keyfile
>chmod 600 mongodb-keyfile

Now the encryption key is stored in the same box where MongoDB actually deployed. Using configuration file we are adding few parameter to start mongod process with Encryption Enabled.

## You just need to add this few lies to your mongodb configuration file to enable local key managed encryption.

  authorization: enabled
  enableEncryption: true
  encryptionKeyFile: 'mongodb-keyfile'

## encryptionKeyFile -> your keyfile path

Now you can start mongod process, it will keep your data encrypted, but mind it the key currently inside the same VM where mongodb deployed. I am also configured KMIP for external key management set up by pyKMIP offer by python language, I will share you in another article very soon.