Encrypting data at rest

Nelson Évora

Apr 18, 2017, 7:45:39 PM
to mongodb-user
I've been wanting to benchmark encryption in MongoDB but I'm having an issue while starting mongo.

I've followed the instructions below, created a keyfile and started mongo using that keyfile:
https://docs.mongodb.com/manual/tutorial/configure-encryption/#local-key-management

But then I get the following error when I start mongo using "mongod --enableEncryption --encryptionKeyFile mongodb-keyfile":

2017-04-18T17:59:12.627+0100 I CONTROL  [initandlisten] MongoDB starting : pid=2719 port=27017 dbpath=/data/db 64-bit host=machine
2017-04-18T17:59:12.627+0100 I CONTROL  [initandlisten] db version v3.4.3
2017-04-18T17:59:12.628+0100 I CONTROL  [initandlisten] git version: f07437fb5a6cca07c10bafa78365456eb1d6d5e1
2017-04-18T17:59:12.628+0100 I CONTROL  [initandlisten] OpenSSL version: OpenSSL 1.0.2g  1 Mar 2016
2017-04-18T17:59:12.628+0100 I CONTROL  [initandlisten] allocator: tcmalloc
2017-04-18T17:59:12.628+0100 I CONTROL  [initandlisten] modules: enterprise
2017-04-18T17:59:12.628+0100 I CONTROL  [initandlisten] build environment:
2017-04-18T17:59:12.628+0100 I CONTROL  [initandlisten]     distmod: ubuntu1604
2017-04-18T17:59:12.628+0100 I CONTROL  [initandlisten]     distarch: x86_64
2017-04-18T17:59:12.628+0100 I CONTROL  [initandlisten]     target_arch: x86_64
2017-04-18T17:59:12.628+0100 I CONTROL  [initandlisten] options: { security: { enableEncryption: true, encryptionKeyFile: "mongodb-keyfile" } }
2017-04-18T17:59:12.646+0100 I -        [initandlisten] Detected data files in /data/db created by the 'wiredTiger' storage engine, so setting the active storage engine to 'wiredTiger'.
2017-04-18T17:59:12.646+0100 I STORAGE  [initandlisten]
2017-04-18T17:59:12.646+0100 I STORAGE  [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2017-04-18T17:59:12.646+0100 I STORAGE  [initandlisten] **          See http://dochub.mongodb.org/core/prodnotes-filesystem
2017-04-18T17:59:12.646+0100 I STORAGE  [initandlisten] wiredtiger_open config: create,cache_size=3422M,session_max=20000,eviction=(threads_min=4,threads_max=4),config_base=false,statistics=(fast),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000),checkpoint=(wait=60,log_size=2GB),statistics_log=(wait=0),encryption=(name=AES256-CBC,keyid=".system"),extensions=[local={entry=mongo_addWiredTigerEncryptors,early_load=true},,],
2017-04-18T17:59:12.650+0100 E STORAGE  [initandlisten] Unable to retrieve key .system, error: There are existing data files, but no valid keystore could be located.
2017-04-18T17:59:12.651+0100 I -        [initandlisten] Fatal Assertion 28561 at src/mongo/db/storage/wiredtiger/wiredtiger_kv_engine.cpp 264
2017-04-18T17:59:12.651+0100 I -        [initandlisten]

***aborting after fassert() failure


Any clue what the error might be? I'm fairly new to mongo and encryption, so I might be missing something obvious.

compchap.nikhil

Apr 27, 2017, 4:25:06 PM
to mongodb-user
Hi Nelson

The error clearly states that the data files are present in the db path without any key store. This translates to how it works with MongoDB - you can only have encryption enabled in a blank data directory. You can achieve this by taking the backup, stopping the mongod instance, clearing the data directory, restarting by enabling encryption and then restoring from the backup. Hope this helps!

Thanks,
Nikhil
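
A pre-flight check for the situation in this thread, added here as an example and not written by either poster: it refuses to proceed when the dbpath already holds files, which is the condition behind the "no valid keystore could be located" error. The function name, return codes and the owner-only (mode 600) key file check are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Return codes are this example's own:
#   0 = safe to start, 1 = dbpath already holds files, 2 = key file problem.
# Run before: mongod --enableEncryption --encryptionKeyFile <keyfile>

encryption_preflight() {
    pf_dbpath=$1
    pf_keyfile=$2

    if [ ! -f "$pf_keyfile" ]; then
        echo "key file not found: $pf_keyfile" >&2
        return 2
    fi

    # Assumption: the key file should be readable by its owner only.
    # GNU stat is tried first, BSD/macOS stat as a fallback.
    pf_mode=$(stat -c '%a' "$pf_keyfile" 2>/dev/null || stat -f '%Lp' "$pf_keyfile")
    case "$pf_mode" in
        600|400) ;;
        *)  echo "key file mode is $pf_mode, expected 600" >&2
            return 2 ;;
    esac

    # Existing (unencrypted) files in dbpath make mongod abort at startup
    # when encryption is enabled, as in the log above. A missing or empty
    # directory is fine.
    if [ -d "$pf_dbpath" ] && [ -n "$(ls -A "$pf_dbpath" 2>/dev/null)" ]; then
        echo "dbpath $pf_dbpath is not empty: back up, clear it, then restore" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: ./preflight.sh /data/db mongodb-keyfile
if [ "$#" -eq 2 ]; then
    encryption_preflight "$1" "$2"
fi
```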