Open Source Transparent Database Encryption for MongoDB

Peter Schwaller – Senior Director Server Engineering, Percona

Post on 29-May-2020

35 views

Category:

Documents


0 download

TRANSCRIPT

Open Source Transparent Database Encryption for MongoDB

Peter Schwaller – Senior Director Server Engineering, Percona

2

Agenda

• Why encrypt?

• What gets encrypted?

• What is supported where?

• How does it all work?

• Future of open source solutions


Why Encrypt?

• Can help ensure compliance with security and privacy standards, including PCI-DSS, HIPAA, and FERPA.

• Ensures that exposure of DB files doesn’t lead to exposure of the stored data.


What is Supported Where?

| Feature | MongoDB Community | MongoDB Enterprise | Percona Server for MongoDB |
|---|---|---|---|
| Wired Tiger encryption | No | Yes | Yes |
| Local Key File | No | Yes | Yes |
| KMIP key management | No | Yes | No |
| Vault key management | No | No | Planned |
| MongoRocks encryption | N/A | N/A | No |
| mmapv1 encryption | No | No | No |
| redactClientLogData | No | Yes | Yes |


What Gets Encrypted?

• Wired Tiger storage engine data

  • Collections, indexes, journal, Wired Tiger log files, etc.

• MongoDB log files are not encrypted

  • Use security.redactClientLogData to help obscure log file data


Getting Started (Local Keyfile Example)

1. Start with an empty datadir

2. Create a keyfile

  • openssl rand -base64 32 > mongodb-keyfile

3. Update permissions

  • chmod 600 mongodb-keyfile

4. Update mongod start parameters

  • --enableEncryption

  • --encryptionKeyFile <path to keyfile>
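The four steps above, done from a deployment script, as an added example that is not part of the slides: it generates the same 256-bit base64 keyfile as the openssl command, creates it with mode 600 from the start, checks the things mongod will care about (permissions, base64 validity, key length, empty datadir) and builds the mongod argument list. The function names and the temporary directory used by demo() are this example's own.

```python
"""Local-keyfile setup for mongod encryption (added example, not the slides' code)."""
import base64
import os
import secrets
import stat
import tempfile


def create_keyfile(path):
    """Equivalent of `openssl rand -base64 32 > mongodb-keyfile` plus `chmod 600`."""
    key_b64 = base64.b64encode(secrets.token_bytes(32))  # 32 random bytes = 256-bit key
    # O_EXCL refuses to overwrite an existing keyfile, and 0o600 applies from
    # creation, so the key is never group/other-readable even briefly.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key_b64 + b"\n")
    return path


def keyfile_problems(path):
    """Return the reasons mongod would (or should) refuse this keyfile; [] if fine."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append("keyfile is readable by group/other (mode %o); chmod 600" % mode)
    with open(path, "rb") as f:
        raw = f.read().strip()
    try:
        key = base64.b64decode(raw, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return problems + ["keyfile is not valid base64"]
    if len(key) != 32:
        problems.append("decoded key is %d bytes, expected 32" % len(key))
    return problems


def mongod_command(dbpath, keyfile, cipher_mode="AES256-CBC"):
    """Build the mongod arguments from the slide. The datadir must be empty:
    encryption cannot be switched on for data that already exists."""
    if os.listdir(dbpath):
        raise ValueError("dbpath %s is not empty; encryption needs a fresh datadir" % dbpath)
    if cipher_mode not in ("AES256-CBC", "AES256-GCM"):
        raise ValueError("unsupported cipher mode %s" % cipher_mode)
    return ["mongod", "--dbpath", dbpath, "--enableEncryption",
            "--encryptionKeyFile", keyfile, "--encryptionCipherMode", cipher_mode]


def demo():
    """Run the procedure in a throwaway directory and report what each check found."""
    root = tempfile.mkdtemp()
    dbpath = os.path.join(root, "data")
    os.mkdir(dbpath)
    keyfile = create_keyfile(os.path.join(root, "mongodb-keyfile"))
    fresh = keyfile_problems(keyfile)          # expected: no problems
    command = mongod_command(dbpath, keyfile)
    os.chmod(keyfile, 0o644)                   # simulate a forgotten chmod 600
    loose = keyfile_problems(keyfile)          # expected: permission problem reported
    os.chmod(keyfile, 0o600)
    return {"fresh_problems": fresh, "loose_problems": loose, "command": command}


if __name__ == "__main__":
    print(" ".join(demo()["command"]))
```

keyfile_problems() is worth running from whatever supervises mongod (a systemd ExecStartPre, a container entrypoint) so that a keyfile with loose permissions fails loudly at deploy time rather than in production.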


Under the Hood

• Each database is encrypted with an internally generated encryption key

• Master Key or Keyfile is used to encrypt the internal keystore

• Encryption is performed at the page level, which improves performance

• If using a key manager, you can use --kmipRotateMasterKey to re-encrypt the internal keystore

  • This does NOT change the database/collection data on disk

• --encryptionCipherMode [AES256-CBC, AES256-GCM]


Rotate Encryption of Data

• Cannot change internal database encryption key once data exists

• Must start a fresh replica set member and sync from scratch
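The key hierarchy from the "Under the Hood" slide and the rotation asymmetry from this slide, as an added illustration that is not MongoDB's or Percona's code: a master key (keyfile or key manager) seals an internal keystore holding one internally generated key per database, and those keys seal individual storage-engine pages. Rotating the master key re-seals only the keystore and leaves every page byte-for-byte unchanged, whereas changing a per-database key would require rewriting every page of that database. The cipher is a dependency-free stand-in (HMAC-SHA256 as a counter-mode PRF with encrypt-then-MAC) for the real AES256-CBC/GCM modes; the class, function names and page size are this example's own.

```python
"""Two-tier key hierarchy and master-key rotation (added example, not product code)."""
import hashlib
import hmac
import secrets

PAGE_SIZE = 4096  # constructed page size; only the page-level granularity matters


def _keystream_xor(key, nonce, data):
    # Stand-in for AES256-CBC/GCM: HMAC-SHA256 as a PRF in counter mode.
    # Keeps the example dependency-free; not a cipher to reuse in production.
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ciphertext = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return _keystream_xor(key, nonce, ciphertext)


def encode_keystore(db_keys):
    return b"\n".join(name.encode() + b":" + key.hex().encode()
                      for name, key in sorted(db_keys.items()))


def decode_keystore(raw):
    pairs = (line.split(b":") for line in raw.split(b"\n") if line)
    return {name.decode(): bytes.fromhex(hexkey.decode()) for name, hexkey in pairs}


class EncryptedStore:
    """The 'disk' is self.pages plus self.keystore_blob; plaintext keys stay in memory."""

    def __init__(self, master_key):
        self.master_key = master_key
        self.db_keys = {}
        self.pages = {}  # (db, page_no) -> sealed page bytes
        self._save_keystore()

    def _save_keystore(self):
        self.keystore_blob = seal(self.master_key, encode_keystore(self.db_keys))

    def _db_key(self, db):
        if db not in self.db_keys:
            self.db_keys[db] = secrets.token_bytes(32)  # internally generated per-database key
            self._save_keystore()
        return self.db_keys[db]

    def write_page(self, db, page_no, data):
        if len(data) > PAGE_SIZE:
            raise ValueError("page too large")
        self.pages[(db, page_no)] = seal(self._db_key(db), data)  # each page sealed on its own

    def read_page(self, db, page_no):
        return unseal(self.db_keys[db], self.pages[(db, page_no)])

    def rotate_master_key(self, new_master_key):
        """What --kmipRotateMasterKey does: re-seal the keystore, nothing else."""
        db_keys = decode_keystore(unseal(self.master_key, self.keystore_blob))
        self.master_key, self.db_keys = new_master_key, db_keys
        self._save_keystore()  # self.pages untouched: data on disk does not change

    def rekey_database(self, db):
        """Cost of changing a per-database key: every page of that database is
        decrypted and re-sealed, which is why the slide says to resync a fresh
        replica set member instead. Returns the number of pages rewritten."""
        old_key, new_key = self.db_keys[db], secrets.token_bytes(32)
        touched = [k for k in self.pages if k[0] == db]
        for k in touched:
            self.pages[k] = seal(new_key, unseal(old_key, self.pages[k]))
        self.db_keys[db] = new_key
        self._save_keystore()
        return len(touched)


def demo():
    old_master = secrets.token_bytes(32)
    store = EncryptedStore(old_master)
    store.write_page("app", 0, b"constructed sample page 0")
    store.write_page("app", 1, b"constructed sample page 1")
    store.write_page("audit", 0, b"constructed audit page")
    disk_before = dict(store.pages)
    store.rotate_master_key(secrets.token_bytes(32))
    result = {"pages_changed_by_master_rotation": disk_before != store.pages,
              "read_after_rotation": store.read_page("app", 0)}
    try:
        unseal(old_master, store.keystore_blob)
        result["old_master_rejected"] = False
    except ValueError:
        result["old_master_rejected"] = True
    result["pages_rewritten_by_db_rekey"] = store.rekey_database("app")
    result["read_after_rekey"] = store.read_page("app", 1)
    return result
```

The asymmetry is the operational point: master-key rotation is cheap and can be done on a running node because it touches a keystore of a few hundred bytes, while the per-database keys are bound to every page written with them, so replacing one means rewriting all of that data, which in practice is the "sync a new member from scratch" procedure.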


What’s Next in Percona Server for MongoDB?

• Vault key management

  • Enables solutions compliant with standards

• Align with Vault keyring support in Percona Server for MySQL

• Master key rotation

• Depending upon user interest, AWS KMS integration


Rate My Session


Thank You Sponsors!!