Encryption at rest, when used in conjunction with transport encryption and good security policies that protect relevant accounts, passwords, and encryption keys, can help ensure compliance with security and privacy standards, including HIPAA, PCI-DSS, and FERPA.
Available in MongoDB Enterprise only.
MongoDB Enterprise 3.2 introduces a native encryption option for the WiredTiger storage engine. This feature allows MongoDB to encrypt data files such that only parties with the decryption key can decode and read the data.
MongoDB Enterprise on Windows no longer supports AES256-GCM. This cipher is now available only on Linux.
If encryption is enabled, the default encryption mode that MongoDB Enterprise uses is AES256-CBC (256-bit Advanced Encryption Standard in Cipher Block Chaining mode) via OpenSSL. AES-256 uses a symmetric key; i.e. the same key is used to encrypt and decrypt the data. MongoDB Enterprise for Linux also supports the authenticated encryption mode AES256-GCM (256-bit Advanced Encryption Standard in Galois/Counter Mode). FIPS mode encryption is also available.
For encrypted storage engines that use the AES256-GCM encryption mode, AES256-GCM requires that every process use a unique counter block value with the key.
For an encrypted storage engine configured with the AES256-GCM cipher:
If you restore from files taken via "hot" backup (i.e. the mongod is running), MongoDB can detect "dirty" keys on startup and automatically roll over the database key to avoid IV (Initialization Vector) reuse.
However, if you restore from files taken via "cold" backup (i.e. the mongod is not running), MongoDB cannot detect "dirty" keys on startup, and reuse of the IV voids the confidentiality and integrity guarantees.
Starting in 4.2, to avoid key reuse after restoring from a cold filesystem snapshot, MongoDB adds a new command-line option, --eseDatabaseKeyRollover. When started with the --eseDatabaseKeyRollover option, the mongod instance rolls over the database keys configured with the AES256-GCM cipher and exits.
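To make the IV-reuse risk concrete, here is an added example (not MongoDB's code) using Go's standard-library AES-256-GCM. It shows that when the same key and counter block (nonce) encrypt two records, as a cold restore can cause, an observer who knows one record recovers the other from the ciphertexts alone, and that either a fresh nonce or a rolled-over key (the effect of --eseDatabaseKeyRollover) removes the leak. All keys, nonces and records are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// sealGCM returns AES-256-GCM ciphertext || 16-byte tag under key and a 96-bit nonce (counter block).
func sealGCM(key, nonce, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key must be 32 bytes for AES-256
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead.Seal(nil, nonce, plaintext, nil)
}

// xorBytes returns a XOR b; callers pass equal-length slices.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// recoverSecond models an observer holding two ciphertexts and the first plaintext.
// GCM is CTR mode plus a tag, so c1 XOR p1 is the keystream for (key1, nonce1); applying
// it to c2 yields p2 exactly when (key2, nonce2) is the same pair, i.e. on nonce reuse.
func recoverSecond(key1, nonce1, known, key2, nonce2, secret []byte) []byte {
	c1 := sealGCM(key1, nonce1, known)[:len(known)]   // strip the tag
	c2 := sealGCM(key2, nonce2, secret)[:len(secret)] // strip the tag
	return xorBytes(c2, xorBytes(c1, known))
}

func main() {
	// Constructed demo values; a real database key is random and never written out in clear.
	key, rolled := bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 32) // before/after rollover
	nA, nB := bytes.Repeat([]byte{1}, 12), bytes.Repeat([]byte{2}, 12)           // two counter blocks
	known := []byte(`{"status":"active","tier":"free"}`)  // record the observer already knows
	secret := []byte(`{"status":"closed","tier":"gold"}`) // same length, unknown to the observer
	fmt.Printf("reused nonce, same key:   %q\n", recoverSecond(key, nA, known, key, nA, secret))
	fmt.Printf("fresh nonce, same key:    %q\n", recoverSecond(key, nA, known, key, nB, secret))
	fmt.Printf("reused nonce, rolled key: %q\n", recoverSecond(key, nA, known, rolled, nA, secret))
}
```

Only the first case prints the second record in clear; the other two print unrelated bytes, which is why a unique counter block per key, or a key rollover after a cold restore, matters.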
For the AES256-GCM encryption mode, do not make copies of your data files or restore from filesystem snapshots ("hot" or "cold").
The data encryption process includes:
The encryption occurs transparently in the storage layer; i.e. all data files are fully encrypted from a filesystem perspective, and data only exists in an unencrypted state in memory and during transmission.
To encrypt all of MongoDB's network traffic, you can use TLS/SSL (Transport Layer Security/Secure Sockets Layer). See Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.
The database keys are internal to the server and are only paged to disk in an encrypted format. MongoDB never pages the master key to disk under any circumstances.
Only the master key is external to the server (i.e. kept separate from the data and the database keys), and requires external management. To manage the master key, MongoDB's encrypted storage engine supports two key management options:
To configure MongoDB for encryption and use one of the two key management options, see Configure Encryption.
Encryption is not a part of replication:
Although you could reuse the same key for the nodes, MongoDB recommends the use of individual keys for each node as well as the use of transport encryption.
For details, see Rotate Encryption Keys.
Available in MongoDB Enterprise only.
Starting in MongoDB 5.3 Enterprise, you can use an external Key Management Interoperability Protocol (KMIP) server to securely manage the keys for encrypting the MongoDB audit log.
To use a KMIP server with audit log encryption, configure these settings and parameters:
auditLog.auditEncryptionKeyIdentifier
auditLog.compressionMode
auditEncryptionHeaderMetadataFile
auditEncryptKeyWithKMIPGet
For testing audit log encryption, you can also use the auditLog.localAuditKeyFile setting.
For audit log encryption, the audit log destination must be a file. syslog cannot be used as the destination.
This section applies if you are not using an external Key Management Interoperability Protocol (KMIP) server to manage keys for encrypting the audit log, as described in the previous section.
The audit log file is not encrypted as a part of MongoDB's encrypted storage engine. A mongod running with logging may output potentially sensitive information to log files as a part of normal operations, depending on the configured log verbosity.
Use the security.redactClientLogData setting to prevent potentially sensitive information from entering the mongod process log. redactClientLogData reduces detail in the log and may complicate log diagnostics.
See the log redaction manual entry for more information.
Application Level Encryption provides encryption on a per-field or per-document basis within the application layer.
New in version 4.2. MongoDB 4.2-series drivers provide a client-side field level encryption framework. For more information, see Client-Side Field Level Encryption.
To encrypt full documents, write custom encryption and decryption routines or use a commercial solution.
For a list of MongoDB's certified partners, refer to the Partners List.