Updated March 8, 2023
Definition of MongoDB Encryption
The MongoDB encryption process first generates a master key for the entire database, and after generating the master key it creates a unique key for every database. The data is then encrypted with the database key that was created, and the whole database can also be encrypted using the master key. Any database holds data in one of two forms, data at rest or data in motion: data at rest is static data that is not moving anywhere, and data in motion is data moving over the network.
Syntax:
Below is the syntax of encryption in MongoDB.
1) Connect to a MongoDB instance using encryption:
# mongo --ssl --host <Instance hostname> --sslCAFile <Name of certificate authority file>
2) Connect to a MongoDB instance using a client certificate and a certificate authority file:
# mongo --ssl --host <Instance hostname> --sslPEMKeyFile <PEM key file name> --sslCAFile <Name of certificate authority file>
3) Rotate the KMIP master encryption key (encryption stays enabled while the key is rotated):
# mongod --enableEncryption --kmipRotateMasterKey \
    --kmipServerName <hostname of KMIP server> \
    --kmipServerCAFile <Certificate authority file name> \
    --kmipClientCertificateFile <client certificate file name>
The parameters used in the MongoDB encryption syntax above are as follows.
1) mongo – This command is used to log in to a MongoDB instance. In MongoDB we connect to a database instance with the mongo shell command.
2) ssl – This option makes the login to the MongoDB database instance use SSL/TLS.
3) host – The hostname or IP address of the database instance to log in to. When logging in to any MongoDB database instance we need to give the hostname.
4) sslCAFile – The certificate authority file used to verify the certificate presented by the database server. This file is used when logging in to the database server with encryption.
5) sslPEMKeyFile – This file contains the certificate of the mongo shell, and this key is also present on the mongos or mongod instance.
6) enableEncryption – This parameter keeps encryption enabled at the time of rotating the master key.
7) kmipRotateMasterKey – This parameter rotates the master key held on the KMIP server. Using this parameter we can rotate the master key in MongoDB.
8) kmipServerName – The hostname of the KMIP server used at the time of rotating the master key.
9) kmipServerCAFile – The certificate authority file of the KMIP server. This file is used while rotating the master key.
10) kmipClientCertificateFile – The client certificate file for the KMIP server. This file is used while rotating the master key.
How does encryption work in MongoDB?
MongoDB involves two forms of data encryption.
1) Data at rest encryption
2) Data in motion encryption
For data at rest encryption, MongoDB Enterprise provides storage-based encryption with a native symmetric key.
Data at rest is data that is not moving over the network; we can say it is in static form. Database encryption of data at rest is also called transparent data encryption, abbreviated TDE. MongoDB uses the AES 256-bit standard encryption algorithm to encrypt the database, and the same cipher key is used to encrypt as well as decrypt the data (symmetric encryption).
Data in motion is data moving over the network; we can say it is in stream form. The MongoDB encryption process involves the steps below.
1) The first step is to generate a master key for the whole database.
2) The second step is to generate a unique key for every database.
3) The third step is to encrypt the database data using the keys generated in the first and second steps.
4) The fourth step is to encrypt the whole database by using the master key generated in the first step.
In MongoDB, data is exchanged between the server application and the database in two ways.
TLS and SSL are the most secure encryption protocols for sending and receiving data between two systems. In MongoDB these protocols are used with PEM files issued by a certificate authority. There are multiple settings available in MongoDB to configure TLS and SSL for client certificates.
We can also use sslCAFile to specify the certificate authority certificate. We store this file on the MongoDB instance so that encryption is used while logging in to the MongoDB instance. We can also rotate our encryption key, using KMIP master key rotation.
Example
The example below shows encryption in MongoDB. The steps show how to use encryption in MongoDB.
1) The first step is to create a locally managed key file for the key management service. We can create it using OpenSSL. We have named the file mongodb_client.key.
Code:
# mkdir /encryption
# touch /encryption/mongodb_client.key
# openssl rand -hex 50 | head -c 96 | base64 | tr -d '\n' > /encryption/mongodb_client.key
# chmod 600 /encryption/mongodb_client.key
# chown mongod:mongod /encryption/mongodb_client.key
# cat /encryption/mongodb_client.key
Figure – Example to create locally managed key file to manage the key management service.
2) After creating the key file, open the mongo shell and log in using the key file with the --shell and --nodb options.
Code:
# mongo --shell --nodb --eval "var LOCAL_KEY = cat('/encryption/mongodb_client.key')"
LOCAL_KEY
Figure – Example open the mongo shell command and login by using the keyfile.
3) The third step loads the encryption options using the client-side field level encryption configuration.
Code:
var ClientSideFieldLevelEncryptionOptions = {
  "keyVaultNamespace" : "MongoDB._encryption",
  "kmsProviders" : {
    "local" : {
      "key" : BinData(0, LOCAL_KEY)
    }
  }
}
Figure – Example to load the documents of encryption using client-side encryption configuration.
4) After setting the configuration, connect to the localhost database.
Code:
csfleDatabaseConnection = Mongo(ClientSideFieldLevelEncryptionOptions)
Figure – Example to connect the local host database.
5) The fifth step is to show the databases, switch to the database, and show the collections of the connected database.
Code:
show dbs
use MongoDB
show collections
Figure – show the database, connect to the database and show the collections.
Conclusion
Data at rest encryption and data in motion encryption are the two forms of MongoDB data encryption. Data encryption is very important in MongoDB to secure data. Encryption involves generating a master key for the database. We can rotate our master key using KMIP master key rotation.