Data at rest encryption for the WiredTiger storage engine in MongoDB was introduced in MongoDB Enterprise version 3.2 to ensure that encrypted data files can be decrypted and read only by parties holding the decryption key.
Data encryption at rest in Percona Server for MongoDB was introduced in version 3.6 to be compatible with the data encryption at rest interface in MongoDB. In the current release of Percona Server for MongoDB, data encryption at rest does not include support for the Amazon AWS key management service. Instead, Percona Server for MongoDB is integrated with HashiCorp Vault.
Starting with release 5.0.7-6, Percona Server for MongoDB supports the secure transfer of keys using Key Management Interoperability Protocol (KMIP). This allows users to store encryption keys in their favorite KMIP-compatible key manager when they set up encryption at rest.
You can only enable data at rest encryption, and provide all encryption settings, on an empty database when you start the mongod instance for the first time. You cannot enable or disable encryption while the Percona Server for MongoDB server is already running and/or already holds data. Nor can you change the effective encryption mode by simply restarting the server: every time you restart the server, the encryption settings must be the same.
Starting from version 3.6, Percona Server for MongoDB also encrypts rollback files when data at rest encryption is enabled. To inspect the contents of these files, use perconadecrypt. This is a tool that you run from the command line as follows:
I am running a 3 member replica set of Percona MongoDB server, deployed by the Percona Kubernetes Operator. I have encryption at rest enabled. I have verified in the MongoDB logs that it is enabled, by checking for the line percona_encryption_extension_init as per WiredTiger Encryption at Rest with Percona Server for MongoDB - Percona Database Performance Blog.
In addition, I am using Percona backup manager, to store backups inside remote s3 storage. If I completely delete my Kubernetes cluster, and create a new cluster, which generates for itself a new mongodb encryption key, I am able to restore my previous backup from my remote storage.
Data encryption at rest in Percona Server for MongoDB was introduced in version 3.6 to be compatible with data encryption at rest in MongoDB. In the current release of Percona Server for MongoDB, data encryption at rest does not include support for KMIP or the Amazon AWS key management services. Instead, Percona Server for MongoDB is integrated with HashiCorp Vault for key management services.
I used what you described (db.serverCmdLineOpts(), db.collection.stats()) to verify that mongo was instructed to encrypt the DB.
I run it in a Docker container, so to do the practical test, I generated a new key file (I originally ran the container with --encryptionKeyFile [FILE]) and replaced the old file with it.
mongo refused to start, citing:
There are some useful posts on MongoDB replication on the Percona blog if this approach is an option (anatomy-of-a-mongodb-replica-set/) and also an extended answer to the OP on the forum (discussions/percona-server-for-mongodb/52876-enabling-encryption-at-rest-in-percona-server-for-mongodb-3-6-8).
Percona Server for MongoDB now provides WiredTiger encryption at rest with Percona Server for MongoDB 3.6.8-2.0 in BETA, and it is free to use. This useful feature applies encryption to only the MongoDB data, rather than full storage encryption. More importantly, it requires very minimal steps and is easy to implement when starting the DB. This is available only for the WiredTiger engine now, and can encrypt the data with the local key management via a keyfile. We expect that future releases will support third-party key management and vaults.
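The thread verifies encryption with db.serverCmdLineOpts() and db.collection.stats(); the following is an added example (not Percona's code) that cross-checks the output of those two commands, taking the option names used by the mongod encryption flags (security.enableEncryption, security.encryptionKeyFile, security.encryptionCipherMode) and the encryption=(...) group of the WiredTiger creationString. The two sample documents at the end are constructed, not captured from a server.

```javascript
// Added example, not from Percona: cross-checks the two pieces of evidence the
// thread uses to confirm encryption at rest is really in effect.

// Pulls the effective encryption settings out of the parsed mongod options
// (shape of db.serverCmdLineOpts().parsed.security).
function encryptionOptions(cmdLineOpts) {
  const sec = (cmdLineOpts.parsed && cmdLineOpts.parsed.security) || {};
  return {
    enabled: sec.enableEncryption === true,
    keyFile: sec.encryptionKeyFile || null,          // absent with Vault/KMIP
    cipherMode: sec.encryptionCipherMode || 'AES256-CBC', // mongod default
  };
}

// Parses the "encryption=(keyid=...,name=...)" group of a WiredTiger
// creationString; an empty name means the table was created unencrypted.
function collectionEncryption(collStats) {
  const cs = (collStats.wiredTiger && collStats.wiredTiger.creationString) || '';
  const m = /encryption=\(([^)]*)\)/.exec(cs);
  const fields = {};
  if (m) {
    for (const kv of m[1].split(',')) {
      const [k, v] = kv.split('=');
      fields[k.trim()] = (v || '').trim();
    }
  }
  return { encrypted: Boolean(fields.name), cipher: fields.name || null };
}

// Compares the configured settings with what the collection actually uses and
// lists every mismatch, so a stale or unencrypted table is caught, not just a flag.
function verifyEncryptionAtRest(cmdLineOpts, collStats) {
  const opts = encryptionOptions(cmdLineOpts);
  const coll = collectionEncryption(collStats);
  const findings = [];
  if (!opts.enabled) findings.push('security.enableEncryption is not set');
  if (!coll.encrypted) findings.push('collection was created without encryption');
  else if (coll.cipher !== opts.cipherMode) {
    findings.push(`collection cipher ${coll.cipher} differs from configured ${opts.cipherMode}`);
  }
  return { ok: findings.length === 0, options: opts, collection: coll, findings };
}

// Constructed sample documents in the shape the two shell commands return.
const SAMPLE_OPTS = { parsed: { security: { enableEncryption: true, encryptionKeyFile: '/data/keyfile' } } };
const SAMPLE_STATS = { wiredTiger: { creationString:
  'allocation_size=4KB,encryption=(keyid=,name=AES256-CBC),memory_page_max=10m' } };
```

Run it against real output by pasting the two documents into SAMPLE_OPTS and SAMPLE_STATS, or by calling verifyEncryptionAtRest(db.serverCmdLineOpts(), db.getCollection('x').stats()) from the mongo shell, where the same functions work unchanged.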
Positive: fast data processing, backup of the running server without any performance degradation.
Can easily deploy on public cloud and on-premises; multi-language and OS compatibility.
Data at rest encryption and Hashicorp Vault integration.