
Configure Encryption

Overview

This page discusses server configuration to support encryption at rest. If you use MongoDB Atlas, your data is already encrypted. MongoDB manages Atlas encryption at the cloud provider level, but you can also use your own key management solution. See the Atlas key management documentation for details.

MongoDB Enterprise 3.2 introduces a native encryption option for the WiredTiger storage engine. Outside Atlas, encryption is only available for Enterprise installations that use the WiredTiger storage engine.

Secure management of the encryption keys is a critical requirement for storage encryption. MongoDB uses a master key that is not stored with the MongoDB installation. Only the master key is externally managed; the other keys can be stored with your MongoDB instance.

MongoDB's encrypted storage engine supports two key management options for the master key:

  • Integration with a third-party key management appliance via the Key Management Interoperability Protocol (KMIP). (Recommended)
  • Use of local key management via a keyfile.
Important

MongoDB cannot encrypt existing data. When you enable encryption with a new key, the MongoDB instance cannot have any pre-existing data. If your MongoDB installation already has existing data, see Encrypt Existing Data at Rest for additional steps.

Key Manager

MongoDB Enterprise supports secure transfer of keys with compatible key management appliances. Using a key manager allows the keys to be stored in the key manager.

MongoDB Enterprise supports secure transfer of keys with Key Management Interoperability Protocol (KMIP) compliant key management appliances.

For a list of MongoDB's certified partners, refer to the Partners List.

Tip

Recommended

Using a key manager meets regulatory key management guidelines, such as HIPAA, PCI-DSS, and FERPA, and is recommended over local key management.

Prerequisites

  • Your key manager must support the KMIP communication protocol.

    The default KMIP protocol version is 1.2. You can configure MongoDB to use KMIP version 1.0 or 1.1 in the MongoDB server configuration file.

  • For an integration with a third-party key management appliance using KMIP, you should allow the following KMIP operations:

    • Create (operation_create)
    • Get (operation_get)
    • Activate (operation_activate)
  • To authenticate MongoDB to a KMIP server, you must have a valid certificate issued by the key management appliance.
Note

Changed in version 4.0

MongoDB Enterprise on Windows no longer supports AES256-GCM. This cipher is now available only on Linux.

Encrypt Using a New Key

To create a new key when you connect to the key manager, use the following options to start mongod:

To connect to a version 1.0 or 1.1 KMIP server, use the --kmipUseLegacyProtocol option.

Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members run on different hosts, specify --bind_ip. For more information, see Localhost Binding Compatibility Changes.

The following operation creates a new master key in your key manager. mongod uses the master key to encrypt the keys that mongod generates for each database.

mongod --enableEncryption \
--kmipServerName <KMIP Server HostName> \
--kmipPort <KMIP server port> \
--kmipServerCAFile ca.pem \
--kmipClientCertificateFile client.pem

mongod verifies the connection to the KMIP server on startup.

The server name specified in --kmipServerName must match either the Subject Alternative Name (SAN) or the Common Name (CN) on the certificate presented by the KMIP server. The SAN can be a system name or an IP address.

If a SAN is present, mongod does not try to match against the CN.

If the hostname or IP address of the KMIP server does not match either the SAN or the CN, mongod does not start.

To verify that the key creation and usage was successful, check the log file. If successful, the process logs the following messages:

[initandlisten] Created KMIP key with id: <UID>
[initandlisten] Encryption key manager initialized using master key with id: <UID>

Encrypt Using an Existing Key

You can use an existing master key that your KMIP server already manages. To use an existing key, use these options when you start mongod to connect it to the key manager:

To connect to a version 1.0 or 1.1 KMIP server, use the --kmipUseLegacyProtocol option.

Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members run on different hosts, specify --bind_ip. For more information, see Localhost Binding Compatibility Changes.

mongod --enableEncryption \
--kmipServerName <KMIP Server HostName> \
--kmipPort <KMIP server port> \
--kmipServerCAFile ca.pem \
--kmipClientCertificateFile client.pem \
--kmipKeyIdentifier <UID>

mongod verifies the connection to the KMIP server on startup.

The server name specified in --kmipServerName must match either the Subject Alternative Name (SAN) or the Common Name (CN) on the certificate presented by the KMIP server. The SAN can be a system name or an IP address.

If a SAN is present, mongod does not try to match against the CN.

If the hostname or IP address of the KMIP server does not match either the SAN or the CN, mongod does not start.
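The SAN/CN matching rule stated above for both the new-key and the existing-key start-up can be checked before mongod is started, so that a mismatch shows up as a clear preflight failure rather than a mongod that refuses to come up. The script below is an added example and is not MongoDB's own code: parse_san, parse_cn and kmip_name_check are hypothetical helpers that read the text printed by openssl x509 -noout -ext subjectAltName and openssl x509 -noout -subject, and the certificate names in the two samples are constructed for the walk-through.

```shell
#!/bin/sh
# Added example, not MongoDB's own code: applies the --kmipServerName matching
# rule (SAN first; CN only when the certificate has no SAN) to the names found
# on the KMIP server's certificate. Feed real output of
#   openssl x509 -in server.pem -noout -ext subjectAltName
#   openssl x509 -in server.pem -noout -subject
# to kmip_name_check to test a deployment before starting mongod.

# Constructed sample: a certificate carrying one DNS SAN and one IP SAN.
SAN_SAMPLE='X509v3 Subject Alternative Name:
    DNS:kmip.example.com, IP Address:10.0.0.5'
# Constructed sample: the same certificate's subject; note the CN differs from the SANs.
SUBJECT_SAMPLE='subject=CN = kmip-legacy.example.com, O = Example Corp'

# Print one bare name per line from subjectAltName text (DNS and IP entries only).
parse_san() {
    tr ',' '\n' | sed -n \
        -e 's/[[:space:]]*$//' \
        -e 's/^[[:space:]]*DNS:[[:space:]]*//p' \
        -e 's/^[[:space:]]*IP Address:[[:space:]]*//p'
}

# Print the CN from a subject line; accepts both "CN = x, O = y" and "/CN=x/O=y" layouts.
parse_cn() {
    sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | sed 's/[[:space:]]*$//' | head -n 1
}

# Usage: kmip_name_check <kmipServerName> <subjectAltName text> <subject text>
# Returns 0 when mongod would accept the certificate for that server name.
# If any SAN is present only the SANs are consulted, so a matching CN does not
# rescue a certificate whose SANs do not list the name mongod was given.
kmip_name_check() {
    name="$1"
    sans=$(printf '%s\n' "$2" | parse_san)
    if [ -n "$sans" ]; then
        if printf '%s\n' "$sans" | grep -qxF -- "$name"; then
            return 0
        fi
        echo "no SAN entry matches $name (CN is ignored when a SAN exists)" >&2
        return 1
    fi
    cn=$(printf '%s\n' "$3" | parse_cn)
    if [ "$cn" = "$name" ]; then
        return 0
    fi
    echo "CN '$cn' does not match $name" >&2
    return 1
}

# Walk-through on the constructed samples.
kmip_name_check kmip.example.com "$SAN_SAMPLE" "$SUBJECT_SAMPLE" && echo "DNS SAN matches: mongod would start"
kmip_name_check 10.0.0.5 "$SAN_SAMPLE" "$SUBJECT_SAMPLE" && echo "IP SAN matches: mongod would start"
kmip_name_check kmip-legacy.example.com "$SAN_SAMPLE" "$SUBJECT_SAMPLE" || echo "CN alone is rejected because a SAN exists"
kmip_name_check kmip-legacy.example.com "" "$SUBJECT_SAMPLE" && echo "CN accepted on a certificate without SAN"
```

The third call is the case that bites in practice: an appliance certificate whose CN is the hostname you configured but whose SAN lists a different name or only an IP address fails the check, exactly as mongod would, so the fix is to point --kmipServerName at a name the SAN actually carries (or reissue the certificate), not to rely on the CN.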

Local Key Management

Important

Using the keyfile method does not meet most regulatory key management guidelines and requires users to securely manage their own keys.

The safe management of the keyfile is critical.

To encrypt using a keyfile, you must have a base64 encoded keyfile that contains a single 16 or 32 character string. The keyfile must only be accessible by the owner of the mongod process.

  1. Create the base64 encoded keyfile with the 16 or 32 character string. You can generate the encoded keyfile using any method you prefer. For example:

    openssl rand -base64 32 > mongodb-keyfile
  2. Update the file permissions.

    chmod 600 mongodb-keyfile
  3. To use the keyfile, start mongod with the following options:

    • --enableEncryption
    • --encryptionKeyFile <path to keyfile>

    mongod --enableEncryption --encryptionKeyFile mongodb-keyfile

    Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members run on different hosts, specify --bind_ip. For more information, see Localhost Binding Compatibility Changes.

  4. Verify that the encryption key manager successfully initialized with the keyfile. If the operation was successful, the process logs the following message:

    [initandlisten] Encryption key manager initialized with key file: <path to keyfile>
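The four keyfile steps above, together with the log check that both the KMIP sections and this one end on, fit into one small script: create the keyfile with owner-only permissions from the first instant, verify the properties mongod depends on (mode 600, owned by the account that runs mongod, a base64 payload that decodes to 16 or 32 bytes), and afterwards read the startup log to confirm which master key source the encryption key manager actually initialized with. This is an added example, not MongoDB's tooling; make_keyfile, check_keyfile and encryption_key_source are hypothetical helper names, the two log excerpts are constructed in the format quoted on this page, and the script assumes GNU coreutils (base64 -d, stat -c) on Linux.

```shell
#!/bin/sh
# Added example, not MongoDB's own tooling. Assumes GNU coreutils on Linux.

# Create the keyfile. umask 077 makes the file 0600 at creation, so there is
# no window between writing the key and running chmod in which it is readable
# by the group or by others.
make_keyfile() {
    ( umask 077 && head -c 32 /dev/urandom | base64 > "$1" )
}

# Return 0 if the keyfile is acceptable: it exists, has mode 600, is owned by
# the caller (the account that will run mongod), and decodes to 16 or 32 bytes.
check_keyfile() {
    f="$1"
    [ -f "$f" ] || { echo "missing keyfile: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f")
    [ "$mode" = "600" ] || { echo "$f has mode $mode, want 600" >&2; return 1; }
    [ "$(stat -c '%u' "$f")" = "$(id -u)" ] || { echo "$f is not owned by $(id -un)" >&2; return 1; }
    # drop line breaks before decoding, then count the raw key bytes
    n=$(tr -d '\n\r ' < "$f" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    case "$n" in
        16|32) return 0 ;;
        *) echo "$f decodes to $n bytes, want 16 or 32" >&2; return 1 ;;
    esac
}

# Read a mongod log and print the key source the encryption key manager
# initialized with: "keyfile:<path>" or "kmip:<UID>". Returns 1 when neither
# message is present, i.e. encryption at rest cannot be confirmed from the log.
encryption_key_source() {
    log="$1"
    line=$(grep 'Encryption key manager initialized' "$log" 2>/dev/null | head -n 1)
    case "$line" in
        *"initialized with key file: "*)
            echo "keyfile:${line##*"initialized with key file: "}" ;;
        *"initialized using master key with id: "*)
            echo "kmip:${line##*"initialized using master key with id: "}" ;;
        *)
            echo "encryption key manager initialization not found in $log" >&2
            return 1 ;;
    esac
}

# Constructed sample log excerpts in the message format quoted above (not real output).
SAMPLE_KEYFILE_LOG='[initandlisten] MongoDB starting
[initandlisten] Encryption key manager initialized with key file: /etc/mongodb-keyfile'
SAMPLE_KMIP_LOG='[initandlisten] Created KMIP key with id: 7f2c-constructed-uid
[initandlisten] Encryption key manager initialized using master key with id: 7f2c-constructed-uid'

# Walk-through: build and check a keyfile in a temporary directory, then
# classify both sample logs.
demo() {
    dir=$(mktemp -d)
    make_keyfile "$dir/mongodb-keyfile"
    check_keyfile "$dir/mongodb-keyfile" && echo "keyfile ok: $dir/mongodb-keyfile"
    printf '%s\n' "$SAMPLE_KEYFILE_LOG" > "$dir/keyfile.log"
    printf '%s\n' "$SAMPLE_KMIP_LOG" > "$dir/kmip.log"
    encryption_key_source "$dir/keyfile.log"
    encryption_key_source "$dir/kmip.log"
    rm -rf "$dir"
}
demo
```

Run check_keyfile as the mongod service account, not as root: the ownership test is only meaningful for the user that will open the file. encryption_key_source reads the legacy text log lines quoted on this page; a deployment that writes structured logs needs the equivalent match on its own message format.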

Encrypt Existing Data at Rest

MongoDB cannot encrypt existing data. When you enable encryption with a new key, the MongoDB instance cannot have any pre-existing data.

If you are using a replica set that does have existing data, use a rolling initial sync to encrypt the data.

For example, consider a replica set with three members. The replica set is in use and holds data that you want to encrypt. These are the steps you would take to encrypt the data at rest:

1. Prepare a server.

Follow these steps to prepare the server:

  • Pick one of the secondary servers.
  • Stop mongod on the secondary server.
  • Optional: Back up the data in dbPath. If a full backup is not required, consider backing up just the diagnostic.data directory to preserve potentially useful troubleshooting data in the event of an issue. See Full Time Diagnostic Data Capture for more information.
  • Remove the files and directories in the dbPath.
2. Enable encryption.

Start the secondary server with encryption enabled. The mongod instance creates a new keystore.

3. Synchronize the data.

Import the data from the primary. Start the mongod process, specifying Replication Options as appropriate.

mongod performs an initial sync and encrypts the data during the sync process.

4. Repeat the process on the secondaries.

When the first secondary has finished importing and encrypting the data, repeat the process on the other secondary mongod instances.

5. Encrypt the primary.

When all the secondaries have been encrypted, step down the primary. Eligible secondaries will elect a new primary.

The old primary is now a secondary. Repeat the steps to remove the unencrypted data and then run an initial sync.