This page discusses server configuration to support encryption at rest. If you use MongoDB Atlas, your data is already encrypted. MongoDB manages Atlas encryption at the cloud provider level, but you can also use your own key management solution. See the Atlas key management documentation for details.
MongoDB Enterprise 3.2 introduces a native encryption option for the WiredTiger storage engine. Outside Atlas, encryption at rest is available only for MongoDB Enterprise installations that use the WiredTiger storage engine.
Secure management of the encryption keys is a critical requirement for storage encryption. MongoDB uses a master key that is not stored with the MongoDB installation. Only the master key is managed externally; the other keys can be stored with your MongoDB instance.
MongoDB's encrypted storage engine supports two key management options for the master key: integration with a third-party key management appliance via the Key Management Interoperability Protocol (KMIP), which is the recommended option, and local key management via a keyfile. Both are described below.
MongoDB cannot encrypt existing data. When you enable encryption with a new key, the MongoDB instance cannot have any pre-existing data. If your MongoDB installation already has existing data, see Encrypt Existing Data at Rest for additional steps.
MongoDB Enterprise supports secure transfer of keys with Key Management Interoperability Protocol (KMIP) compliant key management appliances. Using a key manager allows the master key to be stored in the key manager rather than with the MongoDB installation. Any appliance vendor that provides support for KMIP is expected to be compatible.
For a list of MongoDB's certified partners, refer to the Partners List.
Using a key manager meets regulatory key management guidelines, such as HIPAA, PCI-DSS, and FERPA, and is recommended over local key management.
MongoDB Enterprise on Windows no longer supports AES256-GCM. This cipher is now available only on Linux.
To create a new key, connect mongod to the key manager by starting mongod with the following options:
--enableEncryption
--kmipServerName
--kmipPort
--kmipServerCAFile
--kmipClientCertificateFile
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify --bind_ip. For more information, see Localhost Binding Compatibility Changes.
The following operation creates a new master key in your key manager, which mongod uses to encrypt the keys mongod generates for each database.
mongod --enableEncryption --kmipServerName <KMIP Server HostName> \
    --kmipPort <KMIP server port> --kmipServerCAFile ca.pem \
    --kmipClientCertificateFile client.pem
When connecting to the KMIP server, the mongod verifies that the specified --kmipServerName matches the Subject Alternative Name (SAN) or, if no SAN is present, the Common Name (CN) in the certificate presented by the KMIP server. [1] If a SAN is present, mongod does not match against the CN. If the hostname does not match the SAN (or CN), the mongod will fail to connect.
To verify that the key creation and usage was successful, check the log file. If successful, the process will log the following messages:
[initandlisten] Created KMIP key with id: <UID>
[initandlisten] Encryption key manager initialized using master key with id: <UID>
You can use an existing master key that your KMIP server created and manages. To use an existing key, connect mongod to the key manager by starting mongod with the following options:
--enableEncryption
--kmipServerName
--kmipPort
--kmipServerCAFile
--kmipClientCertificateFile
--kmipKeyIdentifier
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify --bind_ip. For more information, see Localhost Binding Compatibility Changes.
mongod --enableEncryption --kmipServerName <KMIP Server HostName> \
    --kmipPort <KMIP server port> --kmipServerCAFile ca.pem \
    --kmipClientCertificateFile client.pem --kmipKeyIdentifier <UID>
When connecting to the KMIP server, the mongod verifies that the specified --kmipServerName matches the Subject Alternative Name (SAN) or, if no SAN is present, the Common Name (CN) in the certificate presented by the KMIP server. [1] If a SAN is present, mongod does not match against the CN. If the hostname does not match the SAN (or CN), the mongod will fail to connect.
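The hostname rule above (SAN first; CN only when the certificate carries no SAN; a matching CN does not rescue a non-matching SAN) applies to both the new-key and existing-key procedures. The following is an added example, not code from the MongoDB documentation or from mongod itself: it re-implements that rule in Python over the dictionary that the standard library's ssl.SSLSocket.getpeercert() returns, so you can see exactly which certificates mongod would accept or reject before pointing a production instance at a KMIP appliance. The three sample certificates are constructed for this example; probe_kmip_tls, the CA file name and the client certificate file name are assumptions, and wildcard certificates are deliberately not handled because the text does not describe them.

```python
"""Added example (not from the MongoDB docs): the --kmipServerName rule as
stated in the text, applied to ssl.getpeercert()-style dicts."""
import socket
import ssl


def san_dns_names(cert):
    """DNS names from subjectAltName, or None when the certificate has no SAN."""
    san = cert.get("subjectAltName")
    if san is None:
        return None
    return [value for kind, value in san if kind == "DNS"]


def subject_cn(cert):
    """commonName from the subject, or None if absent."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def _same_host(a, b):
    # Hostnames are case-insensitive; a trailing dot is the same name.
    return a.lower().rstrip(".") == b.lower().rstrip(".")


def kmip_server_name_matches(cert, server_name):
    """Apply the rule from the text and return (ok, reason).

    - SAN present: server_name must match a SAN DNS entry; the CN is ignored.
    - No SAN: fall back to the CN.
    Exact names only: wildcard certificates are not handled here."""
    names = san_dns_names(cert)
    if names is not None:
        if any(_same_host(n, server_name) for n in names):
            return True, "matched SAN entry for %r" % server_name
        return False, "SAN present but none of %r match %r (CN not consulted)" % (names, server_name)
    cn = subject_cn(cert)
    if cn is not None and _same_host(cn, server_name):
        return True, "no SAN; matched CN %r" % cn
    return False, "no SAN and CN %r does not match %r" % (cn, server_name)


def probe_kmip_tls(server_name, port, ca_file, client_cert_file):
    """Assumed helper: open a mutually authenticated TLS connection the way
    mongod does (--kmipServerCAFile / --kmipClientCertificateFile) and return
    the peer certificate dict for kmip_server_name_matches. The default
    context already verifies the CA chain and hostname; this returns the
    certificate so the reason string above can be reported. Not called below,
    because it needs a reachable KMIP server."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.load_cert_chain(client_cert_file)  # client.pem: certificate plus private key
    with socket.create_connection((server_name, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() format (not real KMIP servers).
CERT_WITH_SAN = {
    "subject": ((("commonName", "kmip.example.com"),),),
    "subjectAltName": (("DNS", "kmip.example.com"), ("DNS", "kmip01.example.com")),
}
CERT_CN_ONLY = {
    "subject": ((("commonName", "kmip.example.com"),),),
}
CERT_SAN_OTHER = {
    # CN matches but the SAN does not: mongod fails to connect.
    "subject": ((("commonName", "kmip.example.com"),),),
    "subjectAltName": (("DNS", "kmip-internal.example.net"),),
}


if __name__ == "__main__":
    for label, cert in (("with SAN", CERT_WITH_SAN),
                        ("CN only", CERT_CN_ONLY),
                        ("SAN mismatch, CN match", CERT_SAN_OTHER)):
        print("%-22s %s" % (label, kmip_server_name_matches(cert, "kmip.example.com")))
```

The third certificate is the case that surprises people: a KMIP appliance whose certificate was issued with the expected CN but a SAN for a different internal name will be rejected, and reissuing the certificate with the right SAN (not changing --kmipServerName to the internal name, which usually also breaks the CA path) is the fix.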
Using the keyfile method does not meet most regulatory key management guidelines and requires users to securely manage their own keys.
The safe management of the keyfile is critical.
To encrypt using a keyfile, you must have a base64 encoded keyfile that contains a single 16 or 32 character string. The keyfile must only be accessible by the owner of the mongod process.
Create the base64 encoded keyfile with the 16 or 32 character string. You can generate the encoded keyfile using any method you prefer. For example:
openssl rand -base64 32 > mongodb-keyfile
Update the file permissions so that only the owner can read and write it:
chmod 600 mongodb-keyfile
To use the keyfile, start mongod with the following options:
--enableEncryption
--encryptionKeyFile <path to keyfile>
For example:
mongod --enableEncryption --encryptionKeyFile mongodb-keyfile
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify --bind_ip. For more information, see Localhost Binding Compatibility Changes.
Verify that the encryption key manager successfully initialized with the keyfile. If the operation was successful, the process will log the following message:
[initandlisten] Encryption key manager initialized with key file: <path to keyfile>
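The keyfile procedure above has three points where a mistake is silent until mongod refuses to start or, worse, starts with a key anyone on the host can read: the key length, the file mode and ownership, and the log message you are told to look for (the same applies to the two KMIP log messages earlier on this page). The following is an added example, not MongoDB's own tooling: a small Python script that generates a keyfile the way the text describes (random bytes, base64, one line, mode 600 from the moment the file exists), checks an existing keyfile before mongod is started, and scans mongod log lines for the success messages quoted above. The log lines at the bottom are constructed for this example, the function names are my own, and the code assumes a POSIX host (file modes and effective uid). The 16/32 requirement is checked on the decoded key, which is what openssl rand -base64 32 produces.

```python
"""Added example (not from the MongoDB docs): generate and check a keyfile,
and confirm from the log that the encryption key manager initialized."""
import base64
import binascii
import os
import re
import stat

KEY_SIZES = (16, 32)  # decoded key length in bytes (AES-128 / AES-256)


def generate_keyfile(path, nbytes=32):
    """Write a single-line base64 keyfile with mode 600, refusing to overwrite."""
    if nbytes not in KEY_SIZES:
        raise ValueError("key must decode to 16 or 32 bytes, not %d" % nbytes)
    encoded = base64.b64encode(os.urandom(nbytes)).decode("ascii")
    # O_EXCL plus 0o600 at creation: no window in which the file is group/world readable,
    # which a plain "openssl rand > file; chmod 600 file" sequence briefly leaves open.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(encoded + "\n")
    return encoded


def check_keyfile(path):
    """Return a list of problems; an empty list means the keyfile is usable
    by a mongod running as the current user."""
    problems = []
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o allows group/other access; use chmod 600"
                        % stat.S_IMODE(st.st_mode))
    if st.st_uid != os.geteuid():
        problems.append("owned by uid %d, not the mongod user (uid %d)"
                        % (st.st_uid, os.geteuid()))
    with open(path, "rb") as fh:
        lines = [ln.strip() for ln in fh.read().splitlines() if ln.strip()]
    if len(lines) != 1:
        problems.append("expected exactly one base64 line, found %d" % len(lines))
        return problems
    try:
        key = base64.b64decode(lines[0], validate=True)
    except (binascii.Error, ValueError):
        problems.append("content is not valid base64")
        return problems
    if len(key) not in KEY_SIZES:
        problems.append("decoded key is %d bytes; must be 16 or 32" % len(key))
    return problems


# The success lines quoted in the text, with the identifier captured.
_LOG_PATTERNS = {
    "key_file": re.compile(r"Encryption key manager initialized with key file: (\S+)"),
    "master_key_id": re.compile(r"Encryption key manager initialized using master key with id: (\S+)"),
    "created_kmip_key_id": re.compile(r"Created KMIP key with id: (\S+)"),
}


def encryption_init_status(log_lines):
    """Scan mongod log lines for the messages quoted in the text.
    Returns {'initialized': bool} plus any captured identifiers. 'Created KMIP
    key' alone does not count as initialized; the 'initialized' line must follow."""
    status = {"initialized": False}
    for line in log_lines:
        for key, pattern in _LOG_PATTERNS.items():
            m = pattern.search(line)
            if m:
                status[key] = m.group(1)
                if key != "created_kmip_key_id":
                    status["initialized"] = True
    return status


# Constructed log lines for this example (not captured from a real deployment).
SAMPLE_KMIP_LOG = [
    "[initandlisten] Created KMIP key with id: 11",
    "[initandlisten] Encryption key manager initialized using master key with id: 11",
]
SAMPLE_KEYFILE_LOG = [
    "[initandlisten] Encryption key manager initialized with key file: /etc/mongodb-keyfile",
]
SAMPLE_UNENCRYPTED_LOG = [
    "[initandlisten] MongoDB starting : pid=4242 port=27017 dbpath=/var/lib/mongodb",
]


if __name__ == "__main__":
    import tempfile
    keyfile = os.path.join(tempfile.mkdtemp(), "mongodb-keyfile")
    generate_keyfile(keyfile)
    print("keyfile problems:", check_keyfile(keyfile) or "none")
    print(encryption_init_status(SAMPLE_KMIP_LOG))
    print(encryption_init_status(SAMPLE_UNENCRYPTED_LOG))
```

Run check_keyfile as the account mongod runs under, not as root: the ownership test is relative to the effective uid, and a root-owned 600 keyfile is exactly the configuration that makes mongod unable to read it.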
MongoDB cannot encrypt existing data. When you enable encryption with a new key, the MongoDB instance cannot have any pre-existing data.
If you are using a replica set that does have existing data, use a rolling initial sync to encrypt the data.
For example, consider a replica set with three members. The replica set is in use and holds data that you want to encrypt. These are the steps you would take to encrypt the data at rest:
Follow these steps to prepare the server:
Stop the mongod on the secondary server.
Remove the data in the dbPath. Optionally, first copy the diagnostic.data directory elsewhere to preserve potentially-useful troubleshooting data in the event of an issue, then remove the files and directories in the dbPath.
Start the secondary server with encryption enabled. The mongod instance creates a new keystore.
Import the data from the primary. Start the mongod process, specifying Replication Options as appropriate. mongod performs an initial sync and encrypts the data during the sync process.
When the first secondary has finished importing and encrypting the data, repeat the process on the other secondary mongod instances.
When all the secondaries have been encrypted, step down the primary. Eligible secondaries will elect a new primary.
The old primary is now a secondary. Repeat the steps to remove the unencrypted data and then run an initial sync.