
Encryption at Rest

Encryption at rest refers to encrypting data where it is stored on disk, as opposed to encryption in transit (TLS), which protects data as it moves across a network. MongoDB Enterprise supports encryption at rest through its encrypted storage engine, so you can protect the data files without changing your application. Be clear about what the control buys you: it defends against theft or copying of disks, data directories and file-level backups. It does not protect data from anyone who can query the running mongod, so authentication and role-based access control are still required, and data is still plaintext in memory and on the wire unless TLS is enabled.

Types of Encryption at Rest in MongoDB

  1. WiredTiger Encrypted Storage Engine: MongoDB's default storage engine, WiredTiger, supports built-in encryption at rest in MongoDB Enterprise (the feature is not available in Community Edition). Data is encrypted with AES-256 as it is written to disk and decrypted as it is read (AES256-CBC by default; AES256-GCM is available on Linux), so the encryption is transparent to queries, indexes, drivers and application code.

  2. Filesystem Encryption: You can instead encrypt the whole filesystem or block device that holds the data directory with a third-party tool (for example LUKS or a self-encrypting drive). This works with any MongoDB edition, but it only protects offline media: once the volume is mounted, every process on the host sees plaintext.

  3. Cloud Provider Encryption: If you use a managed service such as MongoDB Atlas, the cloud provider's volume encryption is on by default; Atlas can additionally enable the WiredTiger encrypted storage engine with a master key you hold in AWS KMS, Azure Key Vault or Google Cloud KMS.

WiredTiger Encrypted Storage Engine

To enable WiredTiger's encryption at rest, specify the encryption options under the security section of your mongod.conf configuration file (the options are YAML keys nested under security:, so they must be indented):

security:
  enableEncryption: true
  encryptionKeyFile: /path/to/encryption-key

Or you can specify these options on the command line when starting mongod:

mongod --enableEncryption --encryptionKeyFile /path/to/encryption-key

Here, encryptionKeyFile is the path to a file holding the master key. WiredTiger does not encrypt the data files with this key directly: each database gets its own internal key, and the master key is used to encrypt those database keys. A local key file is the simplest way to supply the master key, and MongoDB's documentation describes it as suitable for testing only; in production the master key should live in an external key manager (see Key Management below). Anyone who obtains the key file together with the data files can read the data, and if the key file is lost the data cannot be recovered.

Generating an Encryption Key

You can generate a suitable 256-bit key using OpenSSL (the command writes 32 random bytes, base64-encoded, which is the format mongod expects). The file must contain only that single key and should be readable only by the user mongod runs as (mode 600); treat it as a secret, because the data files are worthless without it and fully readable with it.

openssl rand -base64 32 > /path/to/encryption-key
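The key generation step above and the configuration section before it are normally done by hand. The script below is an added example, not MongoDB's own tooling, that does the same work with the checks a practitioner wants before pointing mongod at a key file: the file is created under a restrictive umask so the secret is never briefly world-readable, then verified to be a single base64 line that decodes to 32 bytes with mode 600 (or 400), and only then is the matching security section written with the correct YAML nesting. It assumes a Linux host with GNU coreutils (stat -c, base64 -d) and either openssl or /dev/urandom; all paths are illustrative.

```shell
#!/bin/sh
# Added example (not MongoDB's own tooling): create the master key file for
# the WiredTiger encrypted storage engine, lock it down, pre-flight-check it,
# and write the matching mongod.conf security section. Assumes a Linux host
# with GNU coreutils (stat -c, base64 -d) and either openssl or /dev/urandom.
# All paths are illustrative.

# make_keyfile PATH: write one 32-byte (AES-256) key, base64 encoded, exactly
# as "openssl rand -base64 32" does, but with the file created under umask 077
# so the secret is never world-readable, not even for an instant.
make_keyfile() {
    f="$1"
    ( umask 077; : > "$f" )          # create (or truncate) with mode 600
    chmod 600 "$f"                   # in case the file already existed
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 32 > "$f"
    else
        head -c 32 /dev/urandom | base64 > "$f"
    fi
}

# check_keyfile PATH: return 0 only if the file is something mongod should be
# pointed at: a regular file, not readable by group/others, holding exactly
# one base64 line that decodes to 32 bytes. Nonzero codes say what failed.
check_keyfile() {
    f="$1"
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "$f: mode is $mode, want 600 (or 400)" >&2; return 2 ;;
    esac
    lines=$(grep -c . "$f" || true)  # non-empty lines; a key file holds one key
    [ "$lines" -eq 1 ] || { echo "$f: expected one key line, found $lines" >&2; return 3; }
    nbytes=$(tr -d '\n' < "$f" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$nbytes" -eq 32 ] || { echo "$f: key decodes to $nbytes bytes, want 32" >&2; return 4; }
    return 0
}

# write_security_section CONF KEYFILE: emit the security block with the YAML
# nesting mongod requires (both options must be indented under security:).
write_security_section() {
    cat > "$1" <<EOF
security:
  enableEncryption: true
  encryptionKeyFile: $2
  # encryptionCipherMode: AES256-GCM   # optional, Linux only; default is AES256-CBC
EOF
}

# Typical use, refusing to write the config unless the key file passes:
#   make_keyfile /etc/mongodb/encryption-key
#   check_keyfile /etc/mongodb/encryption-key && \
#       write_security_section /etc/mongodb/mongod.conf /etc/mongodb/encryption-key
```

Run check_keyfile again from your deployment tooling whenever the host is rebuilt or the file is copied: a key file that picked up mode 644 in transit, or that had a second line appended, is exactly the sort of drift that is invisible until mongod refuses to start or, worse, until an audit asks who could read the key.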

Considerations

  1. Key Management: The security of the encrypted data reduces to the security of the master key, so key handling matters more than the cipher. A key file on the same host as the data directory raises the bar only slightly, since an attacker with root on that host reads both. MongoDB Enterprise can instead fetch the master key from a KMIP-compliant key management server (configured under security.kmip in mongod.conf), which keeps the key off the database host, gives you an audit trail of key use, and lets you rotate the master key with mongod --kmipRotateMasterKey without re-encrypting the whole data set, because only the wrapped per-database keys are re-encrypted.

  2. Performance: Encryption at rest costs CPU on every disk read and write. With AES-NI or equivalent hardware acceleration the overhead is usually small, but measure it on your own workload rather than assuming it is zero; write-heavy workloads and workloads that miss the WiredTiger cache feel it most.

  3. Compatibility: Drivers and clients are not involved: the encryption happens inside the storage engine, so no client-side support is required. What you do have to verify is that every mongod that holds a copy of the data (each replica set member and each shard) runs MongoDB Enterprise with encryption enabled, because the setting is per process and a single unencrypted secondary stores the same data in plaintext.

  4. Backup: Encryption at rest covers the files under dbPath only. mongodump reads data through mongod and writes plaintext BSON, so its output must be encrypted separately and handled with the same care as the key. A filesystem snapshot of an encrypted dbPath stays encrypted but is useless without the master key that was in use when it was taken, so keep the corresponding key alongside your restore procedure and test a restore.

  5. Regulatory Compliance: Encryption at rest is often required by regulations and standards such as GDPR, HIPAA or PCI DSS; auditors will also want evidence of how keys are protected and rotated, which is why the key management choice above matters.
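Item 1 above mentions integrating with a key management service. The following mongod.conf fragment is an added example, not taken from the MongoDB documentation, showing the KMIP form of that integration as the alternative to the local key file used earlier on this page; the host name, port, certificate paths and cipher mode are placeholders and assumptions for this page.

```yaml
# Added example (not from the MongoDB docs): mongod.conf using a KMIP key
# manager instead of a local key file. Host name, port, certificate paths
# and cipher mode are placeholders chosen for this page.
security:
  enableEncryption: true
  encryptionCipherMode: AES256-GCM      # Linux only; default is AES256-CBC
  kmip:
    serverName: kmip.example.internal   # KMIP server hostname (assumed)
    port: 5696                          # KMIP default port
    clientCertificateFile: /etc/mongodb/kmip-client.pem   # client cert + key, PEM
    serverCAFile: /etc/mongodb/kmip-ca.pem                # CA that issued the server cert
    # keyIdentifier: <UID of an existing key on the KMIP server>
    # Leave keyIdentifier unset on first start and mongod asks the server to
    # create a new master key; record the identifier it logs, you will need it.
```

Leaving keyIdentifier unset on the very first start makes mongod request a new master key from the KMIP server and log the identifier it received; that identifier must be recorded, since the same key is needed to open these data files later. To rotate, start mongod once with --kmipRotateMasterKey: a new master key is created on the KMIP server and the internal per-database keys are re-encrypted under it, while the data files themselves are left as they are.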