How to configure MongoDB encryption at rest using a local key?


 


NOTE:

  • The steps in this article are intended to demonstrate how to quickly build a MongoDB deployment with encryption at rest. Always test in a non-production environment first, and be aware that these steps cannot encrypt already existing data.


Introduction:

  • In today's data-driven landscape, protecting sensitive information is vital for organizations of all sizes. When it comes to database security, encryption at rest plays a crucial role in ensuring the confidentiality and integrity of stored data.
  • MongoDB, a popular NoSQL database, offers robust encryption at rest capabilities that allow you to safeguard your data against unauthorized access, even if the physical storage media is compromised.
  • MongoDB provides the flexibility to manage encryption keys locally, giving you granular control over the encryption process so you can secure your data at rest effectively.
  • With local key management, you generate and manage the master key on the MongoDB host itself, reducing reliance on external key management systems.
  • Nevertheless, it is always recommended to use a KMIP-compliant key management server. If you cannot use KMIP, or there is a roadblock to adopting it, at least use this local key management to encrypt data at rest.
  • This MongoDB encryption feature is available only in the Enterprise edition. One more thing to note is that MongoDB cannot encrypt existing data: when you enable encryption with a new key, the MongoDB instance cannot have any pre-existing data.
  • To enable encryption at rest for an existing deployment you may need to convert the standalone to a replica set, which requires one more node and additional steps. We will cover that in an upcoming article.
  • It is always better to keep the master key in a securely accessible location and back it up to avoid data loss.

Prerequisites:

    To complete this demo, we need a CentOS server with MongoDB Enterprise edition installed.

Server name    IP Address       MongoDB Enterprise
mongodb2       192.168.1.201    4.4

Let's dive into the world of MongoDB encryption at rest with local key management and discover how you can secure your data on disk, mitigate risks, and ensure the confidentiality of your valuable information.

Step 1: Install MongoDB

  • Ensure that MongoDB is installed on your server. If not, you can follow this to get it installed.

Step 2: Generate a Local Master Encryption Key using openssl

  • To enable encryption at rest, we need to generate a local master key. Run the following commands on your MongoDB server to generate an encryption key.

mkdir -p /home/mongod/mongo-secure
cd /home/mongod/mongo-secure
openssl rand -base64 32 >mongosecurekey

  • This command generates 32 random bytes (a 256-bit key), base64-encodes them and stores the result in the mongosecurekey file. Do not regenerate the file once data has been written: data encrypted under the old key cannot be read with a new one.






Step 3: Update the file permissions of the key file

  • We need to make sure to set proper permissions that restrict access to this file. If the file has world-readable permissions, mongod won't accept it and will throw an error in the log file.
chmod 600 mongosecurekey







Step 4: Configure MongoDB to enable encryption at rest

  • Next, we need to configure MongoDB to enable encryption at rest.
  • Open the MongoDB configuration file in a text editor. The default location of the configuration file is /etc/mongod.conf.
  • Look for the security section, set enableEncryption to true, and add the key file location as below. Each top-level section (storage, security, ...) should appear only once in the file; the two settings go into the existing security section rather than a second one.
vi /etc/mongod.conf
systemLog:
   destination: file
   path: "/home/mongod/mongo_data/mongod.log"
   logAppend: true
storage:
   dbPath: /home/mongod/mongo_data
   journal:
      enabled: true
processManagement:
   fork: true
net:
   bindIp: 127.0.0.1,mongodb2
   port: 22001
security:
   authorization: enabled
   enableEncryption: true
   encryptionKeyFile: "/home/mongod/mongo-secure/mongosecurekey"

Step 5: Start mongod with the config file

mongod -f /etc/mongod.conf





Step 6: Observe the MongoDB log file and verify encryption

  • If the configuration is successful, we can see the message "msg":"Encryption key manager initialized" in the MongoDB log file, together with the path of the key file that was loaded.
{"t":{"$date":"2023-07-08T13:19:12.468+08:00"},"s":"I",  "c":"STORAGE",  "id":24039,   "ctx":"initandlisten","msg":"Encryption key manager initialized","attr":{"keyFile":"/home/mongod/mongo-secure/mongosecurekey"}}

  • Check the command-line options to verify the encryption settings that mongod actually started with:

db.adminCommand({ getCmdLineOpts: 1})


Step 7: Load some data and test the retrieval

  • Now we will load some data and test the retrieval.
use yelp
db.business.insertMany([{"business_id":"Pns2l4eNsfO8kk83dixA6A","name":"Abby Rappoport, LAC, CMQ","address":"1616 Chapala St, Ste 2","city":"Santa Barbara","state":"CA","postal_code":"93101","latitude":34.4266787,"longitude":-119.7111968,"stars":5.0,"review_count":7,"is_open":0,"attributes":{"ByAppointmentOnly":"True"},"categories":"Doctors, Traditional Chinese Medicine, Naturopathic\/Holistic, Acupuncture, Health & Medical, Nutritionists","hours":null}
,{"business_id":"mpf3x-BjTdTEA3yCZrAYPw","name":"The UPS Store","address":"87 Grasso Plaza Shopping Center","city":"Affton","state":"MO","postal_code":"63123","latitude":38.551126,"longitude":-90.335695,"stars":3.0,"review_count":15,"is_open":1,"attributes":{"BusinessAcceptsCreditCards":"True"},"categories":"Shipping Centers, Local Services, Notaries, Mailbox Centers, Printing Services","hours":{"Monday":"0:0-0:0","Tuesday":"8:0-18:30","Wednesday":"8:0-18:30","Thursday":"8:0-18:30","Friday":"8:0-18:30","Saturday":"8:0-14:0"}}])




  • Check the encryption stats of the newly created collection. We can see the encryption key id, and that the algorithm is AES256-CBC (256-bit Advanced Encryption Standard in Cipher Block Chaining mode).
db.business.stats().wiredTiger.creationString
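The key generation, permission and configuration checks from Steps 2 to 6 collected into a few shell functions, as an added example that is not part of the original article. All paths are assumptions, the functions only audit files on disk, and mongod itself is not needed to run them.

```shell
#!/bin/sh
# Added example, not from the original article: prepares the local master key
# the way Steps 2-3 describe and audits key, config and log around the mongod
# start. All paths are assumptions; mongod is not required to run this.

# Generate a base64-encoded 32-byte key that is owner-only from the moment it
# is created. Refuses to overwrite an existing key: replacing it would leave
# data encrypted under the old key unreadable.
make_key() {
    keyfile="$1"
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite existing key: $keyfile" >&2
        return 1
    fi
    ( umask 077 && openssl rand -base64 32 > "$keyfile" ) || return 1
    chmod 600 "$keyfile"
}

# Succeed only when the key file mode is owner-only (600 or 400); mongod
# rejects a key file that is readable by group or others (Step 3).
check_key_perms() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "bad mode $mode on $1" >&2; return 1 ;;
    esac
}

# The decoded key must be exactly 32 bytes, i.e. an AES-256 key (Step 2).
check_key_length() {
    n=$(base64 -d "$1" | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# Succeed when mongod.conf both enables encryption and points at the key file
# (Step 4); a missing or mistyped line here is the usual reason mongod starts
# without encryption.
check_conf() {
    conf="$1"; keyfile="$2"
    grep -Eq '^[[:space:]]*enableEncryption:[[:space:]]*true[[:space:]]*$' "$conf" &&
    grep -Eq "^[[:space:]]*encryptionKeyFile:[[:space:]]*\"?${keyfile}\"?[[:space:]]*$" "$conf"
}

# Succeed when the mongod log carries the Step 6 success line.
check_log() {
    grep -q '"msg":"Encryption key manager initialized"' "$1"
}
```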


Additional Considerations:

  • Back up the mongosecurekey file securely to avoid data loss.
  • Monitor the MongoDB logs for any potential issues or warnings related to encryption at rest.
  • Regularly update and rotate the local key for improved security.

Wrapping Up:

  • Hurray😇! Our MongoDB deployment is now encrypted at rest using a local master key.
  • Enabling encryption at rest is a crucial step in securing a MongoDB deployment. By following this step-by-step guide, we have successfully deployed MongoDB with encryption at rest using a local key. Remember to always prioritize security measures to safeguard data. Happy coding!
