Encryption at Rest / Encryption at Rest in Enterprise Advanced Deployments
Code Summary: Enable Encryption at Rest
Below is the security section from a mongod configuration file that enables and configures security features for a MongoDB instance that is part of a replica set:
security:
  authorization: enabled
  enableEncryption: true
  kmip:
    keyIdentifier: "myMasterKey"
    serverName: "kmip.example.com"
    port: 5696
    serverCAFile: /etc/ssl/kmip-server-cert.pem
    clientCertificateFile: /etc/ssl/kmip-client-cert.pem
    clientCertificatePassword: "passwordForClientCert"
authorization: enabled - Enforces role-based access control, ensuring users can only perform the actions they are authorized for.
enableEncryption: true - Enables encryption at rest, ensuring data is encrypted on disk and can only be decrypted using encryption keys managed by the KMIP server.
Under kmip, we configure MongoDB to communicate securely with the KMIP server to retrieve and manage encryption keys, over TLS/SSL with certificate-based authentication on both sides.
keyIdentifier: "myMasterKey" - Specifies the unique identifier of the master key used for encryption. The KMIP server uses this key to encrypt and decrypt the data encryption keys.
serverName: "kmip.example.com" - Specifies the hostname or domain name of the KMIP server. MongoDB will communicate with this server to retrieve and manage encryption keys.
port: 5696 - Configures the port number on which the KMIP server is listening.
serverCAFile: /etc/ssl/kmip-server-cert.pem - Specifies the path to the CA (Certificate Authority) certificate used to verify the identity of the KMIP server, so that the TLS/SSL connection is made to the genuine server.
clientCertificateFile: /etc/ssl/kmip-client-cert.pem - Specifies the path to the client certificate that MongoDB presents to authenticate itself when connecting to the KMIP server.
clientCertificatePassword: "passwordForClientCert" - Provides the password that unlocks the private key tied to the client certificate. This is needed for the client authentication to succeed.
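As an added example that is not part of the original page or of MongoDB's own tooling, the script below parses a security section like the one above and audits it for the settings the summary describes: access control on, encryption at rest on, and a KMIP channel that is both server-verified (serverCAFile) and client-authenticated (clientCertificateFile). The YAML parser only handles the small subset used by this section (nested mappings with scalar values), the function names parse_simple_yaml and audit_security are assumptions of this example, and both sample configurations are constructed here; the weak variant shows what the checker reports when authorization is off and the KMIP certificates are missing.

```python
# Added example, not the page's or MongoDB's own code: parse the `security`
# section of a mongod.conf and audit it for the settings described above.
# The YAML parser covers only nested `key: value` mappings with scalar values.

from typing import Any, Dict, List, Tuple

# Constructed sample: the page's own security section, indented as YAML.
HARDENED_CONF = """\
security:
  authorization: enabled
  enableEncryption: true
  kmip:
    keyIdentifier: "myMasterKey"
    serverName: "kmip.example.com"
    port: 5696
    serverCAFile: /etc/ssl/kmip-server-cert.pem
    clientCertificateFile: /etc/ssl/kmip-client-cert.pem
    clientCertificatePassword: "passwordForClientCert"
"""

# Constructed weak variant: access control off and the KMIP channel neither
# verified against a CA nor authenticated with a client certificate.
WEAK_CONF = """\
security:
  authorization: disabled
  enableEncryption: true
  kmip:
    serverName: "kmip.example.com"
    port: 5696
"""


def _scalar(raw: str) -> Any:
    """Turn a YAML scalar into bool / int / str (surrounding quotes stripped)."""
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    if raw.lower() == "true":
        return True
    if raw.lower() == "false":
        return False
    if raw.isdigit():
        return int(raw)
    return raw


def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Parse nested mappings by indentation; no lists, anchors or multi-line scalars."""
    root: Dict[str, Any] = {}
    stack: List[Tuple[int, Dict[str, Any]]] = [(-1, root)]  # (indent, mapping)
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:  # climb back out to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":  # a key with no value opens a nested mapping
            child: Dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = _scalar(value.strip())
    return root


def audit_security(config: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (level, message) findings for the parsed `security` section."""
    findings: List[Tuple[str, str]] = []
    sec = config.get("security", {})
    if sec.get("authorization") != "enabled":
        findings.append(("ERROR", "authorization is not enabled; role-based access control is off"))
    if sec.get("enableEncryption") is not True:
        findings.append(("ERROR", "enableEncryption is not true; data files are written unencrypted"))
    kmip = sec.get("kmip")
    if not isinstance(kmip, dict):
        findings.append(("ERROR", "no kmip section; no external key manager holds the master key"))
        return findings
    if "serverName" not in kmip:
        findings.append(("ERROR", "kmip.serverName missing; no KMIP server to contact"))
    if type(kmip.get("port", 5696)) is not int:  # 5696 is the standard KMIP port
        findings.append(("ERROR", "kmip.port must be an integer"))
    if "serverCAFile" not in kmip:
        findings.append(("ERROR", "kmip.serverCAFile missing; KMIP server identity is not verified against a CA"))
    if "clientCertificateFile" not in kmip:
        findings.append(("ERROR", "kmip.clientCertificateFile missing; mongod cannot present a client certificate"))
    if "clientCertificatePassword" in kmip:
        findings.append(("WARN", "clientCertificatePassword is stored in the config file; "
                                 "keep the file readable only by the mongod user"))
    return findings


def errors(config: Dict[str, Any]) -> List[str]:
    """Only the ERROR-level messages, for a quick pass/fail decision."""
    return [msg for level, msg in audit_security(config) if level == "ERROR"]


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        print(name)
        for level, msg in audit_security(parse_simple_yaml(text)):
            print(f"  [{level}] {msg}")
```

Running the script reports only the password-in-file warning for the hardened section and three errors for the weak one. The parser is deliberately minimal so the check has no dependencies; for a real deployment, feed it the actual configuration file and gate the service start on an empty errors() list.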