Skip to main content
Version: Latest (4.54.0)

Content Store Encryption

The Content Store can run in encrypted mode. It does this by utilizing the encryption abilities of the WiredTiger storage engine that is used by MongoDB. The WiredTiger storage engine allows the data files (collections and indexes) to be encrypted as they are being written to disk. This secures your Content Store which has several advantages, like:

  1. If someone gets a hold of your data files or backup, they will not be able to open them, as they don’t have the encryption key that encrypted the data.
  2. No other software installed on the server can open the files or intercept the data at the Operating System level. Unlike direct disk encryption, where the OS can read encrypted data.
note

Data encryption should not be confused with authentication. Your data is only secured at rest! It is strongly advised to implement authentication to your MongoDB instance as well.

Prerequisite

  • Mongo Enterprise Server version 5.x or higher
  • Empty database (check if folder data is empty, if not, make a backup of the data and delete existing files)

Running an instance with encryption using a local key file

Create the base64 encoded key file with a 32-character string. You can generate the encoded key file using any method you prefer. For example with OpenSSL,

openssl rand -base64 32 > mongodb-keyfile

Add to your cfg file: Program Files/mongodb/server/6.0/bin/mongod.cfg the security settings:

security:
enableEncryption: true
encryptionKeyFile: C:\Program Files\MongoDB\Server\6.0\bin\mongodb-keyfile

Run the instance with new configuration as a service by following cmd: "C:\Program Files\MongoDB\Server\6.0\bin\mongod.exe" --config "C:\Program Files\MongoDB\Server\6.0\bin\mongod.cfg" --service

If already installed as a service, make sure the data directory is empty and restart your service after changing the settings.

note

MongoDB cannot encrypt existing data. When you enable encryption with a new key, the MongoDB instance cannot have any pre-existing data. Create backups of the collections and import them after running a new instance with a new key file. The data directory must be empty when creating an encrypted instance._

MongoDB also supports integration with a third-party key management appliance via the Key Management Interoperability Protocol (KMIP). Please refer to the MongoDB documentation for more information.