Content Store encryption
The Content Store can run in encrypted mode. It does this by utilizing the encryption abilities of the WiredTiger storage engine that is used by MongoDB. The WiredTiger storage engine allows the data files (collections and indexes) to be encrypted as they are being written to disk. This secures your Content Store which has several advantages, like:
- If someone gets a hold of your data files or backup, they will not be able to open them, as they don’t have the encryption key that encrypted the data.
- No other software installed on the server can open the files or intercept the data at the Operating System level. Unlike direct disk encryption, where the OS can read encrypted data.
Note: Data encryption should not be confused with authentication. Your data is only secured at rest! It is strongly advised to implement authentication to your MongoDB instance as well.
Prerequisite
- Mongo Enterprise Server version 5.x or higher
- Empty database (check if folder
data
is empty, if not, make a backup of the data and delete existing files)
Running an instance with encryption using a local key file
Create the base64 encoded key file with a 32-character string. You can generate the encoded key file using any method you prefer. For example with OpenSSL,
openssl rand -base64 32 > mongodb-keyfile
Add to your cfg file: Program Files/mongodb/server/6.0/bin/mongod.cfg
the security settings:
security:
enableEncryption: true
encryptionKeyFile: C:\Program Files\MongoDB\Server\6.0\bin\mongodb-keyfile
Run the instance with new configuration as a service by following cmd:
"C:\Program Files\MongoDB\Server\6.0\bin\mongod.exe" --config "C:\Program Files\MongoDB\Server\6.0\bin\mongod.cfg" --service
If already installed as a service, make sure the data directory is empty and restart your service after changing the settings.
Note: MongoDB cannot encrypt existing data. When you enable encryption with a new key, the MongoDB instance cannot have any pre-existing data. Create backups of the collections and import them after running a new instance with a new key file. The data directory must be empty when creating an encrypted instance._
MongoDB also supports integration with a third-party key management appliance via the Key Management Interoperability Protocol (KMIP). Please refer to the MongoDB documentation for more information.