Monday, September 7

MongoDB Data Encryption with HashiCorp Vault

Why encryption is required

A data breach can ruin a business completely, so keeping data safe is also the DBA's responsibility, and data encryption helps here.
It is also expected by security and privacy standards like HIPAA, PCI-DSS and GDPR.

Prerequisites:

The following software should be installed on the machines before starting the setup.

    • Percona Server For MongoDB 3.6 and above
    • Vault 1.3 
    • openssl 

Installation Steps:

 1. Install MongoDB on RHEL/CentOS

If you are running an RPM-based distribution such as Red Hat Enterprise Linux or CentOS, use the yum package manager by running the following commands on server1:

    • yum install https://repo.percona.com/yum/percona-release-latest.noarch.rpm
    • yum install Percona-Server-MongoDB-36
    • systemctl start mongod

 2. Install Vault:

Percona Server for MongoDB provides HashiCorp Vault integration; it supports only the HashiCorp Vault backend with the KV Secrets Engine version 2 (API) with versioning enabled. Install Vault by running the commands below on server2:

    • cd /tmp
    • wget 
    • unzip vault_1.3.2_linux_amd64.zip   (the archive contains only the vault binary)
    • mv vault /usr/bin/

Database encryption and testing data encryption at rest:

There are multiple ways to encrypt data:

    • In-use encryption, also known as application-level encryption.
    • In-transit encryption, achieved with SSL (secure) connections.
    • At-rest encryption, which is basically key protection against a data breach and is independent of the application.

Here we discuss data encryption at rest in more detail. Here are some pros and cons of database-level encryption.

 Pros:
    • It protects against insider threats.
    • Transparent to the application.
    • The DBA can own it independently.
 Cons:

    • Keys need to be managed, and they are separate for each node.
    • No in-memory encryption.
    • Losing the keys makes the data unrecoverable.

MongoDB without encryption:

After starting MongoDB, insert some dummy data to test encryption. Initially, mongod was started with its default settings; here are the results of putting data in and validating encryption.

If we go to the data directory and grep for a keyword such as Mike, the plaintext turns up in the WiredTiger collection file in the filesystem:

This is where encryption comes into the picture to protect the data. Below are different approaches to enabling encryption in MongoDB.

Node encryption with a locally stored key file:

For node encryption, we can encrypt the stored data with a locally stored key file. Below are the steps to follow.

First generate the key file. After the key file is generated, change the security section of the mongod config file as shown below:

    • systemctl stop mongod
    • rm -rf /var/lib/mongo/*   (remove the previously stored data)
    • openssl rand -base64 32 > /var/lib/mongo/keyfile   (generates the key)
    • chmod 600 /var/lib/mongo/keyfile   (the key must be kept secure)
    • vim /etc/mongod.conf   (configure the parameters below under the security section)
    • systemctl start mongod
    • systemctl status mongod

To test the data files:

First generate some data by running JSON insert queries like the ones below to put in dummy data.


Then run the commands below on Linux to check that the files are encrypted.

    • cd /var/lib/mongo/
    • grep "Mike" collection-*.wt

Note: the grep command above should not match any file; that confirms the data is encrypted.
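The key file step and the grep check above, as an added shell example that is not part of the original post. It creates the key with owner-only permissions, prints the security section for mongod.conf (option names security.enableEncryption and security.encryptionKeyFile are assumed from Percona Server for MongoDB's documentation, since the post's own screenshot of the config is missing), and turns the grep into a check that fails when any collection file still holds the keyword. Paths are arguments so it can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example, not code from the original post: create the local key file
# with safe permissions, print the mongod.conf security section that uses it,
# and check the data files for a plaintext keyword the way the post does.
# Assumed from Percona Server for MongoDB's documentation: the options
# security.enableEncryption and security.encryptionKeyFile.

# Generate a 32-byte random key, base64-encoded, readable only by its owner.
# The key must exist before mongod is started on an EMPTY data directory;
# encryption cannot be switched on for data already stored in plaintext.
make_keyfile() {
    keyfile="$1"
    (
        umask 077                 # never world-readable, not even briefly
        if command -v openssl >/dev/null 2>&1; then
            openssl rand -base64 32 > "$keyfile"
        else
            head -c 32 /dev/urandom | base64 > "$keyfile"   # same key size without openssl
        fi
    )
    chmod 600 "$keyfile"
}

# Print the security section to merge into /etc/mongod.conf.
security_section() {
    keyfile="$1"
    cat <<EOF
security:
  enableEncryption: true
  encryptionKeyFile: $keyfile
  # encryptionCipherMode: AES256-GCM   # optional; the default is AES256-CBC
EOF
}

# Succeed (exit 0) only when no WiredTiger collection file in the data
# directory contains the keyword, i.e. the grep check from the post passes.
check_no_plaintext() {
    datadir="$1"
    keyword="$2"
    hits=$(grep -l -a -- "$keyword" "$datadir"/collection-*.wt 2>/dev/null || true)
    [ -z "$hits" ]
}

# Real-node usage (not run here): stop mongod and empty /var/lib/mongo, then
#   make_keyfile /var/lib/mongo/keyfile
#   chown mongod:mongod /var/lib/mongo/keyfile
#   security_section /var/lib/mongo/keyfile >> /etc/mongod.conf   # only if no security: key exists yet
#   systemctl start mongod
#   ... insert the dummy data ...
#   check_no_plaintext /var/lib/mongo Mike && echo "no plaintext hit in collection-*.wt"
```

The check greps with -a so that a match inside a binary WiredTiger file is reported as a file name rather than as "Binary file matches"; a non-zero exit from check_no_plaintext means some collection file still contains the keyword in clear.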

Node encryption with the key stored in Vault: Vault setup

If our database server gets compromised, we lose both the data and the keys, so the data is easy to decrypt. The better way is to encrypt the node with a key that is stored externally. Here we use HashiCorp Vault to manage the master key.


Here are the steps to configure Vault for MongoDB data encryption:

    • mkdir /etc/vault
    • cd /etc/vault/
    • vim /etc/vault/vault.hcl   (create the Vault config file)


Note: the port number can be customized, but make sure it is reachable from the MongoDB server.

    • vim ssl.conf   (OpenSSL config used to generate the SSL certificate)
    • openssl req -config ssl.conf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout vault.key -out vault.crt
    • cat vault.key vault.crt > vault.pem
    • chmod 400 vault.crt vault.key vault.pem
    • export VAULT_CACERT=/etc/vault/vault.crt
    • export VAULT_ADDR='https://192.168.42.89:8200'

Then start the Vault server with the command below:

    • vault server -config=/etc/vault/vault.hcl >> /var/log/vault.log 2>&1 &
    • tail -f /var/log/vault.log

Now the Vault server is up and running. Next, initialize Vault and store the unseal keys and root token it prints, using the command below.

    • vault operator init  

Note: keep these keys and the token safe; they are needed later to unseal Vault and to log in. Only after logging in can we create policies. Below are the steps to unseal Vault and log in:

    • vault operator unseal rEeierV5ZZN7okc+7TVfnQEOQOh6G7yy/V/d3b4jB5AQ   (repeat with any 3 keys)

The sealed status and unseal progress are shown in the snippet above. After 3 successful attempts Vault is unsealed and you can log in with the root token as shown below.

    • vault login s.talZYpIaLxQZenUZp5mkiQCN

    • vault secrets enable -path secret kv-v2   (enable the secrets path; note: PSMDB only supports kv-v2)
    • vault policy write mongodb-policy mongodb.hcl   (upload the policy to Vault)
    • vault token create -policy=mongodb-policy   (create the access token that MongoDB will use)

Keep this token safe, as it will be used in the MongoDB config. With that, the Vault setup is done.
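The Vault side of the setup (vault.hcl, ssl.conf and the mongodb.hcl policy) appears in the post only as screenshots, so here is an added shell example, not the post's own files, that writes plausible versions of the three and generates the certificate with the post's openssl command. The file contents are assumptions based on Vault 1.3 and OpenSSL config syntax; the policy assumes kv-v2 mounted at secret/ as the post does, and the "dc" prefix is an assumed example value.

```shell
#!/bin/sh
# Added example, not the post's own files. The post shows vault.hcl, ssl.conf and
# mongodb.hcl only as screenshots; these functions write plausible versions of
# the three files. Contents are assumptions based on Vault 1.3 and OpenSSL
# config syntax, with paths and addresses passed in as arguments.

# Vault server config: TLS listener on 8200 plus the file storage backend.
write_vault_hcl() {
    dir="$1"; ip="$2"
    cat > "$dir/vault.hcl" <<EOF
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "$dir/vault.crt"
  tls_key_file  = "$dir/vault.key"
}
storage "file" {
  path = "/var/lib/vault"
}
api_addr = "https://$ip:8200"
EOF
}

# OpenSSL request config for the post's "openssl req -config ssl.conf -x509 -batch"
# command. prompt = no lets -batch run without questions; the IP subjectAltName is
# what lets mongod verify the certificate when it connects to Vault by IP address.
write_ssl_conf() {
    dir="$1"; ip="$2"
    cat > "$dir/ssl.conf" <<EOF
[req]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_req

[dn]
# assumed subject; replace with your own
CN = vault-server
O  = example

[v3_req]
subjectAltName   = IP:$ip
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Self-signed certificate and key exactly as the post generates them, plus the
# combined vault.pem and the 0400 permissions the post applies.
gen_vault_cert() {
    dir="$1"
    (
        cd "$dir" && \
        openssl req -config ssl.conf -x509 -days 3650 -batch -nodes -newkey rsa:2048 \
            -keyout vault.key -out vault.crt 2>/dev/null && \
        cat vault.key vault.crt > vault.pem && \
        chmod 400 vault.crt vault.key vault.pem
    )
}

# Policy for the token mongod uses. With kv-v2 mounted at secret/, data is read and
# written under secret/data/<path>, so that is the path to grant. The post's secret
# values are "<policy path>/<mongodb hostname>", so one wildcard rule covers all nodes.
write_mongo_policy() {
    dir="$1"; prefix="$2"
    cat > "$dir/mongodb.hcl" <<EOF
path "secret/data/$prefix/*" {
  capabilities = ["create", "read", "update"]
}
EOF
}

# Server-side usage (not run here), following the post's order of commands:
#   mkdir -p /etc/vault
#   write_vault_hcl /etc/vault 192.168.42.89 && write_ssl_conf /etc/vault 192.168.42.89
#   gen_vault_cert /etc/vault
#   export VAULT_CACERT=/etc/vault/vault.crt VAULT_ADDR='https://192.168.42.89:8200'
#   vault server -config=/etc/vault/vault.hcl >> /var/log/vault.log 2>&1 &
#   vault operator init; vault operator unseal <key> (3 times); vault login <root token>
#   write_mongo_policy /etc/vault dc            # "dc" is an assumed prefix
#   vault secrets enable -path secret kv-v2
#   vault policy write mongodb-policy /etc/vault/mongodb.hcl
#   vault token create -policy=mongodb-policy   # this token, not the root token, goes to mongod
```

The policy is deliberately narrow: the token handed to mongod can only touch its own secret path, so a leaked token file does not expose the rest of the Vault. The root token from vault operator init is for administration only and should never end up in /etc/mongodb/token.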

Node encryption with the key stored in Vault: Mongo setup:

Then place the token value in the token file and copy the contents of vault.crt from the Vault server:


    • chown mongod:mongod /etc/mongodb/token /etc/mongodb/vault.crt
    • chmod 400 /etc/mongodb/token /etc/mongodb/vault.crt

Then put the Vault configuration under the security section of /etc/mongod.conf.



Note: the value of the secret parameter is the path written in the MongoDB policy in Vault, followed by the hostname of the MongoDB server.

    • systemctl start mongod
    • systemctl status mongod

As a test, repeat what was done in step 1 and step 2.


 Master key rotation:

To rotate the master key, add just one parameter (rotateMasterKey: true) temporarily to the mongo config file and restart. Once the key is rotated, comment this parameter out again and start MongoDB.
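The Vault-backed mongod.conf from the Mongo setup section and the rotation step above, as an added shell example that is not the post's own config (the post shows the file only as a screenshot). One function renders the whole mongod.conf with or without rotateMasterKey, so rotation is just rendering it twice around a restart. The security.vault.* option names are assumed from Percona Server for MongoDB's documentation; the token and CA paths follow the post.

```shell
#!/bin/sh
# Added example, not the post's own config: renders the complete mongod.conf for
# the Vault-backed setup and reuses it for the master key rotation step. Option
# names are taken from Percona Server for MongoDB's documented security.vault.*
# settings (assumed here; check them against the version you run). Token and CA
# paths follow the post: /etc/mongodb/token and /etc/mongodb/vault.crt.

# write_mongod_conf <conf path> <data dir> <vault ip> <secret path> <rotate: true|false>
# With rotate=false the rotateMasterKey line is left out entirely, which is what
# the post means by "comment this parameter".
write_mongod_conf() {
    conf="$1"; datadir="$2"; vault_ip="$3"; secret="$4"; rotate="$5"
    case "$rotate" in
        true|false) ;;
        *) echo "rotate must be true or false, got '$rotate'" >&2; return 2 ;;
    esac
    cat > "$conf" <<EOF
storage:
  dbPath: $datadir
  journal:
    enabled: true
systemLog:
  destination: file
  path: /var/log/mongo/mongod.log
  logAppend: true
net:
  port: 27017
  bindIp: 127.0.0.1
processManagement:
  fork: true
  pidFilePath: /var/run/mongod.pid
security:
  enableEncryption: true
  vault:
    serverName: $vault_ip
    port: 8200
    tokenFile: /etc/mongodb/token
    secret: $secret
    serverCAFile: /etc/mongodb/vault.crt
EOF
    if [ "$rotate" = true ]; then
        printf '    rotateMasterKey: true\n' >> "$conf"
    fi
}

# Master key rotation as the post describes it: start mongod once with
# rotateMasterKey: true (it rotates the key, stores the new version in Vault and
# stops), then start it again with the parameter removed. Not run here because it
# needs systemd and a live mongod; the secret path is "<policy path>/<hostname>"
# as the post's note says.
rotate_master_key() {
    conf="$1"; datadir="$2"; vault_ip="$3"; secret="$4"
    write_mongod_conf "$conf" "$datadir" "$vault_ip" "$secret" true
    systemctl restart mongod
    write_mongod_conf "$conf" "$datadir" "$vault_ip" "$secret" false
    systemctl restart mongod
    systemctl status mongod
}

# Usage on the MongoDB server (not run here; "dc" is an assumed policy prefix):
#   write_mongod_conf /etc/mongod.conf /var/lib/mongo 192.168.42.89 "secret/data/dc/$(hostname)" false
#   systemctl start mongod
#   rotate_master_key /etc/mongod.conf /var/lib/mongo 192.168.42.89 "secret/data/dc/$(hostname)"
```

Because the old key version stays in the kv-v2 history, rotation does not by itself revoke access for anyone who already obtained the previous key; it limits how long a leaked key remains useful for newly written data.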


This is a simple guide to enabling data encryption at rest for MongoDB.