Monday, September 7

MongoDB Data Encryption with Harshicrop Vault

Why Encryption required

Data breach can ruin business completely so to keep data safe is also responsibility of DBA so data encryption can help here.
As per Security and privacy standards like HIPAA, PCI-DSS and GDPR.

Prerequisites:

There is some software which should be installed on local machine before creating an application. 

    • Percona Server For MongoDB 3.6 and above
    • Vault 1.3 
    • openssl 

Installation Steps:

 1.Install Mongodb on RHEL/CentOS 

If you are running a RPM-based distribution, such as Red Hat Enterprise Linux or CentOS, use the yum package manager, by running the following command on server1

    • yum install https://repo.percona.com/yum/percona-release-latest.noarch.rpm
    • yum install Percona-Server-MongoDB-36
    • systemctl start mongod
 2.Install Vault: 

Percona Server for MongoDB provides HashiCorp Vault integration which only support the HashiCorp Vault backend with KV Secrets Engine -Version 2 (API) with versioning enabled. Install vault by running below commands on server2 : 

    • cd /tmp
    • wget 
    • unzip vault_1.3.2_linux_amd64.zip
    • cd vault
    • mv vault /usr/bin/
Database Encryption and Test data encryption at rest: 

There are below multiple way to encrypt data. In Use encryption which is also known as application level encryption.
  • In transit encryption which can be achieved by SSL connection or secure connection. 
  • At rest encryption which is basically key protection against a data breach and independent of application. 

Here we are discussing more about data encryption at Rest. Here are some pros and cons for database level encryption.

 Pros:
    • It protects from inside threats.
    • Transparent to application.
    • DBA can own independently. 
 Cons: 

    • Need to manage keys which would be separate for each node.
    • No in memory encryption.
    • Loss of keys can ruin things. 

Mongodb without encryption:

After started mongodb. Just insert some dummy data to test encryption. Initially, mongodb was started with default setting and here are some results to port data and validate encryption.

If we’ll find data directory and grep with some keyword like Mike then we can find wire tiger data file in filesystem like below:

So encryption comes in picture to protect data and Below are different approaches to enable encryption in mongodb.

Node Encryption with locally stored key file :

For node encryption, We can encrypt stored data through locally stored key files. Below  are steps which needs to follow for same.

First generate keyfile. After keyfile generation, need to change in mongo config file under security section as shown below:

    • systemctl stop mongod
    • rm -rf /var/lib/mongo/* (Remove previously stored data)
    •  openssl rand -base64 32 > /var/lib/mongo/keyfile  (Key would be generated)
    • chmod 600 /var/lib/mongo/keyfile   ( Key should be secure)
    • vim /etc/mongod.conf     (under security section configure below parameters) 
    • systemctl start mongod
    • systemctl status mongod

To test data file:

First generate some data as we follow below json queries to put dummy data.

 

Then run below command on Linux to ensure files are encrypted.

    • cd /var/lib/mongo/
    •  grep "Mike" collection-*.wt

Note: You should not get any file with above grep command which ensures, data is encrypted. 

Node Encryption with key stored in vault: vault setup

If our database server gets compromise, then we lost data and keys both so easy to decrypt data. Best way to encrypt node with key which are stored externally. Here we are using harshicrop vault to manage master key.

 

Here are steps to configure vault setup for mongodb data encryption:

    • mkdir /etc/vault
    • cd /etc/vault/
    • vim /etc/vault/vault.hcl  (created vault file)

 

Note: We can customize port number but make sure which is accessible from mongodb server.

    • vim ssl.conf(Generate SSL certificates)

  • openssl req -config ssl.conf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout vault.key -out vault.crt

  • cat vault.key vault.crt > vault.pem
  • chmod 400 vault.crt vault.key vault.pem
  • export VAULT_CACERT=/etc/vault/vault.crt
  • export VAULT_ADDR='https://192.168.42.89:8200'

Then start vault server by below command:

    • vault server -config=/etc/vault/vault.hcl >> /var/log/vault.log 2>&1 &
    • tail -f /var/log/vault.log

Now, vault server has been started and running up. Now time to initialize vault, store unseal keys and root token by using below commands.

    • vault operator init  

Note: We need to keep these keys and token safe and save which will be used further to unseal vault and enable login. Only after login, we would be able to create policies. Below are steps to unseal and login in vault:

    •  vault operator unseal rEeierV5ZZN7okc+7TVfnQEOQOh6G7yy/V/d3b4jB5AQ  (use any 3 keys)

You can see sealed status and unseal progress in above snippet. After 3 successful attempt, vault would be unsealed and you can login with root token as shown below.

Ø  vault login s.talZYpIaLxQZenUZp5mkiQCN      

  • vault secrets enable -path secret kv-v2  (To enable screate path. Note: PSMDB only support kv-v2)
  • vault policy write mongodb-policy mongodb.hcl (To upload policy on vault)
  • vault token create -policy=mongodb-policy  (To create access token which to be used by mongodb )

Keep this token save as this will be used in mongodb config. And we are good to go with vault setup.

Node Encryption with key stored in vault: Mongo setup:

  Then place the token value in the token file and copy the contents of vault.crt from the Vault server

            

  • chown mongod:mongod /etc/mongodb/token /etc/mongodb/vault.crt
  • chmod 400 /etc/mongodb/token /etc/mongodb/vault.crt

Then put same in /etc/mongod.conf the Vault configuration under the security section.


        

Note: You will find value of secret parameter in mongo policy which is written in vault followed by hostname of mongodb server. 

    • systemctl start mongod
    •  systemctl status mongod

Test case, you can repeat same which is followed in step 1 and step 2.


 Master key Rotation:

To rotate master key, We need to add just one parameter (rotateMasterKey: true) temporarily in mongo config file and take restart. Once keys rotated, just comment this parameter and start mongodb.

      

    

The above is simple guide to enable data encryption at Rest for mongodb. 

No comments:

Post a Comment