Database Encryption for MongoDB, Peter Schwaller, Senior Director (PowerPoint PPT Presentation)



SLIDE 1

Open Source Transparent Database Encryption for MongoDB

Peter Schwaller – Senior Director Server Engineering, Percona

SLIDE 2

Agenda

  • Why encrypt?
  • What gets encrypted?
  • What is supported where?
  • How does it all work?
  • Future of open source solutions

SLIDE 3

Why Encrypt?

  • Can help ensure compliance with security and privacy standards, including PCI-DSS, HIPAA, and FERPA.
  • Ensures that exposure of DB files doesn’t lead to exposure of the stored data.

SLIDE 4

What is Supported Where?

Feature                   MongoDB Community   MongoDB Enterprise   Percona Server for MongoDB
Wired Tiger encryption    No                  Yes                  Yes
Local Key File            No                  Yes                  Yes
KMIP key management       No                  Yes                  No
Vault key management      No                  No                   Planned
MongoRocks encryption     N/A                 N/A                  No
mmapv1 encryption         No                  No                   No
redactClientLogData       No                  Yes                  Yes

SLIDE 5

What Gets Encrypted?

  • Wired Tiger storage engine data
    • Collections, indexes, journal, Wired Tiger log files, etc.
  • MongoDB log files are not encrypted
    • Use security.redactClientLogData to help obscure log file data

SLIDE 6

Getting Started (Local Keyfile Example)

  1. Start with an empty datadir
  2. Create a keyfile
     openssl rand -base64 32 > mongodb-keyfile
  3. Update permissions
     chmod 600 mongodb-keyfile
  4. Update mongod start parameters
     --enableEncryption
     --encryptionKeyFile <path to keyfile>
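
The four steps above as one runnable script, added here as an example and not taken from the Percona deck; it also sanity-checks the datadir and the keyfile before mongod is started. KEYFILE and DBPATH are assumed paths, and the check thresholds are the ones implied by the openssl and chmod commands on the slide.

```shell
#!/bin/sh
# Added example, not from the Percona deck: automates the four keyfile steps
# above and checks the result before mongod is started.
# KEYFILE and DBPATH are assumed paths; adjust for your deployment.
set -eu

KEYFILE="${KEYFILE:-./mongodb-keyfile}"
DBPATH="${DBPATH:-/var/lib/mongodb}"

# Step 1: encryption can only be enabled on an empty datadir; an existing
# datadir cannot be converted in place (see "Rotate Encryption of Data").
datadir_is_empty() {
  [ -d "$1" ] && [ -z "$(ls -A "$1")" ]
}

# Steps 2 and 3: 32 random bytes, base64-encoded, created under a 077 umask
# so the file is owner-only from the first write (same result as chmod 600).
make_keyfile() {
  (umask 077 && openssl rand -base64 32 > "$1")
}

# Pre-flight check: the decoded key must be the 32 bytes the openssl command
# produces, and the file must not be readable by group or others.
check_keyfile() {
  f="$1"
  len=$(openssl base64 -d < "$f" | wc -c | tr -d ' ')
  [ "$len" -eq 32 ] || { echo "keyfile decodes to $len bytes, want 32" >&2; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU, then BSD stat
  case "$mode" in
    600|400) return 0 ;;
    *) echo "keyfile mode is $mode, want 600" >&2; return 1 ;;
  esac
}

# Step 4: the mongod parameters from the slide. AES256-CBC is mongod's default
# cipher mode; AES256-GCM is the alternative named on the "Under the Hood" slide.
mongod_args() {
  printf '%s' "--dbpath $2 --enableEncryption --encryptionKeyFile $1 --encryptionCipherMode AES256-CBC"
}

# Putting it together; only runs when invoked as "sh script.sh run".
if [ "${1:-}" = "run" ]; then
  datadir_is_empty "$DBPATH" || { echo "$DBPATH is not empty" >&2; exit 1; }
  make_keyfile "$KEYFILE"
  check_keyfile "$KEYFILE"
  echo "mongod $(mongod_args "$KEYFILE" "$DBPATH")"
fi
```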

SLIDE 7

Under the Hood

  • Each database is encrypted with an internally generated encryption key
  • Master Key or Keyfile is used to encrypt the internal keystore
  • Encryption is performed at the page level, which improves performance
  • If using a key manager, you can use --kmipRotateMasterKey to re-encrypt the internal keystore
    • This does NOT change the database/collection data on disk
  • --encryptionCipherMode [AES256-CBC, AES256-GCM]

SLIDE 8

Rotate Encryption of Data

  • Cannot change internal database encryption key once data exists
  • Must start a fresh replica set member and sync from scratch

SLIDE 9

What’s Next in Percona Server for MongoDB?

  • Vault key management
    • Enables solutions compliant with standards
    • Align with Vault keyring support in Percona Server for MySQL
  • Master key rotation
  • Depending upon user interest, AWS KMS integration

SLIDE 10

Rate My Session

SLIDE 11

Thank You Sponsors!!