Enabling Vault integration in Percona MongoDB 8.0 Community builds

Hello Percona Community,

I am trying to integrate HashiCorp Vault with Percona Server for MongoDB (Community Edition) to enable encryption at rest, following the documentation for the enterprise feature. My goal is to use Vault as a Key Management Service.

Here is my current setup:

  • OS: Ubuntu 24.04 LTS

  • MongoDB Version: 8.0.12-4 (Percona Server for MongoDB Community Edition)

  • Vault Version: 1.14.0

  • Vault is running and initialized successfully.

I tried adding the following Vault configuration to mongod.conf:
security:
  authorization: enabled
  keyFile: /etc/mongodb/keyfile
  enableEncryption: true
  vault:
    serverName: 192.168.8.132
    port: 8200
    secret: secret/data/dc/*
    tokenFile: /etc/mongodb/token
    serverCAFile: /etc/mongodb/tls.crt

However, after restarting MongoDB, I get the following error:

Unrecognized option: security.encryptionKeyVault.provider

It seems that the Community Edition does not support Vault integration, which works in the Enterprise Edition. I cannot upgrade to Enterprise at this time.

Hi @M_Taha ,

Hope you are doing good!

You can integrate HashiCorp Vault with PSMDB for encryption, which is not available with Enterprise yet, I believe. Refer here:

However, after restarting MongoDB, I get the following error:

Unrecognized option: security.encryptionKeyVault.provider

Seems like some issue with the configuration. Can you check whether you have We will need to check the logs and mongod.conf file to check further. You can share it here for us to check (please make sure to mask any sensitive data).

Regards,

Vinodh Guruji

Thank you for the prompt response.
This is my mongod.conf:

storage:
  dbPath: /var/lib/mongodb
  journal:
    enabled: true

systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

processManagement:
  fork: true
  pidFilePath: /var/run/mongod.pid

net:
  port: 27017
  bindIp: 0.0.0.0

security:
  authorization: enabled
  keyFile: /etc/mongodb/keyfile
  enableEncryption: true
  vault:
    serverName: (my vault server ip)
    port: 8200
    secret: secret/data/dc/*
    tokenFile: /etc/mongodb/token
    serverCAFile: /etc/mongodb/tls.crt

replication:
  replSetName: rs0

These are my logs:
root@taha-mongo-test-1:~# sudo cat /var/log/mongodb/mongod.log | tail -n 50
{“t”:{“$date”:“2025-09-23T08:01:56.218+00:00”},“s”:“I”, “c”:“REPL”, “id”:4784907, “ctx”:“initandlisten”,“msg”:“Shutting down the replica set node executor”}
{“t”:{“$date”:“2025-09-23T08:01:56.218+00:00”},“s”:“I”, “c”:“NETWORK”, “id”:4784918, “ctx”:“initandlisten”,“msg”:“Shutting down the ReplicaSetMonitor”}
{“t”:{“$date”:“2025-09-23T08:01:56.218+00:00”},“s”:“I”, “c”:“SHARDING”, “id”:4784921, “ctx”:“initandlisten”,“msg”:“Shutting down the MigrationUtilExecutor”}
{“t”:{“$date”:“2025-09-23T08:01:56.218+00:00”},“s”:“I”, “c”:“ASIO”, “id”:22582, “ctx”:“MigrationUtil-TaskExecutor”,“msg”:“Killing all outstanding egress activity.”}
{“t”:{“$date”:“2025-09-23T08:01:56.219+00:00”},“s”:“I”, “c”:“NETWORK”, “id”:20562, “ctx”:“initandlisten”,“msg”:“Shutdown: Closing open transport sessions”}
{“t”:{“$date”:“2025-09-23T08:01:56.219+00:00”},“s”:“I”, “c”:“NETWORK”, “id”:4784923, “ctx”:“initandlisten”,“msg”:“Shutting down the ASIO transport SessionManager”}
{“t”:{“$date”:“2025-09-23T08:01:56.219+00:00”},“s”:“I”, “c”:“CONTROL”, “id”:4784928, “ctx”:“initandlisten”,“msg”:“Shutting down the TTL monitor”}
{“t”:{“$date”:“2025-09-23T08:01:56.219+00:00”},“s”:“I”, “c”:“CONTROL”, “id”:6278511, “ctx”:“initandlisten”,“msg”:“Shutting down the Change Stream Expired Pre-images Remover”}
{“t”:{“$date”:“2025-09-23T08:01:56.219+00:00”},“s”:“I”, “c”:“CONTROL”, “id”:4784929, “ctx”:“initandlisten”,“msg”:“Acquiring the global lock for shutdown”}
{“t”:{“$date”:“2025-09-23T08:01:56.219+00:00”},“s”:“I”, “c”:“-”, “id”:4784931, “ctx”:“initandlisten”,“msg”:“Dropping the scope cache for shutdown”}
{“t”:{“$date”:“2025-09-23T08:01:56.219+00:00”},“s”:“I”, “c”:“CONTROL”, “id”:20565, “ctx”:“initandlisten”,“msg”:“Now exiting”}{“t”:{“$date”:“2025-09-23T08:01:56.219+00:00”},“s”:“I”, “c”:“CONTROL”, “id”:8423404, “ctx”:“initandlisten”,“msg”:“mongod shutdown complete”,“attr”:{“Summary of time elapsed”:{“Statistics”:{“Enter terminal shutdown”:“0 ms”,“Step down the replication coordinator for shutdown”:“1 ms”,“Time spent in quiesce mode”:“0 ms”,“Shut down FLE Crud subsystem”:“0 ms”,“Shut down MirrorMaestro”:“0 ms”,“Shut down WaitForMajorityService”:“0 ms”,“Shut down the Query Analysis Sampler”:“0 ms”,“Shut down the global connection pool”:“0 ms”,“Shut down the flow control ticket holder”:“0 ms”,“Shut down the replica set node executor”:“0 ms”,“Shut down the replica set monitor”:“0 ms”,“Shut down the migration util executor”:“0 ms”,“Shut down the transport layer”:“1 ms”,“Shut down the TTL monitor”:“0 ms”,“Shut down expired pre-images and documents removers”:“0 ms”,“Wait for the oplog cap maintainer thread to stop”:“0 ms”,“Shut down full-time data capture”:“0 ms”,“Shut down online certificate status protocol manager”:“0 ms”,“shutdownTask total elapsed time”:“2 ms”}}}}
{“t”:{“$date”:“2025-09-23T08:01:56.219+00:00”},“s”:“I”, “c”:“CONTROL”, “id”:23138, “ctx”:“initandlisten”,“msg”:“Shutting down”,“attr”:{“exitCode”:1001}}

{“t”:{“$date”:“2025-09-23T08:39:11.222+00:00”},“s”:“I”, “c”:“CONTROL”, “id”:20698, “ctx”:“main”,“msg”:“***** SERVER RESTARTED *****”}
{“t”:{“$date”:“2025-09-23T08:39:11.222+00:00”},“s”:“I”, “c”:“CONTROL”, “id”:23285, “ctx”:“main”,“msg”:“Automatically disabling TLS 1.0, to force-enable TLS 1.0 specify --sslDisabledProtocols ‘none’”}
{“t”:{“$date”:“2025-09-23T08:39:11.226+00:00”},“s”:“I”, “c”:“CONTROL”, “id”:5945603, “ctx”:“main”,“msg”:“Multi threading initialized”}
{“t”:{“$date”:“2025-09-23T08:39:11.226+00:00”},“s”:“I”, “c”:“NETWORK”, “id”:4648601, “ctx”:“main”,“msg”:“Implicit TCP FastOpen unavailable. If TCP FastOpen is required, set at least one of the related parameters”,“attr”:{“relatedParameters”:[“tcpFastOpenServer”,“tcpFastOpenClient”,“tcpFastOpenQueueSize”]}}
{“t”:{“$date”:“2025-09-23T08:39:11.251+00:00”},“s”:“I”, “c”:“NETWORK”, “id”:4915701, “ctx”:“main”,“msg”:“Initialized wire specification”,“attr”:{“spec”:{“incomingExternalClient”:{“minWireVersion”:0,“maxWireVersion”:25},“incomingInternalClient”:{“minWireVersion”:0,“maxWireVersion”:25},“outgoing”:{“minWireVersion”:6,“maxWireVersion”:25},“isInternalClient”:true}}}
{“t”:{“$date”:“2025-09-23T08:39:11.252+00:00”},“s”:“I”, “c”:“TENANT_M”, “id”:7091600, “ctx”:“main”,“msg”:“Starting TenantMigrationAccessBlockerRegistry”}
{“t”:{“$date”:“2025-09-23T08:39:11.253+00:00”},“s”:“I”, “c”:“CONTROL”, “id”:4615611, “ctx”:“initandlisten”,“msg”:“MongoDB starting”,“attr”:{“pid”:43181,“port”:27017,“dbPath”:“/var/lib/mongodb”,“architecture”:“64-bit”,“host”:“taha-mongo-test-1”}}
{“t”:{“$date”:“2025-09-23T08:39:11.253+00:00”},“s”:“I”, “c”:“CONTROL”, “id”:23403, “ctx”:“initandlisten”,“msg”:“Build Info”,“attr”:{“buildInfo”:{“version”:“8.0.12-4”,“gitVersion”:“d635038667c5f80ce2d641ab24a3c56810c8bbb3”,“openSSLVersion”:“OpenSSL 3.0.13 30 Jan 2024”,“modules”:,“proFeatures”:,“allocator”:“tcmalloc-google”,“environment”:{“distarch”:“x86_64”,“target_arch”:“x86_64”}}}}
{“t”:{“$date”:“2025-09-23T08:39:11.253+00:00”},“s”:“I”, “c”:“CONTROL”, “id”:51765, “ctx”:“initandlisten”,“msg”:“Operating System”,“attr”:{“os”:{“name”:“Ubuntu”,“version”:“24.04”}}}
{"t":{"$date":"2025-09-23T08:39:11.253+00:00"},"s":"I", "c":"CONTROL", "id":21951, "ctx":"initandlisten","msg":"Options set by command line","attr":{"options":{"config":"/etc/mongod.conf","net":{"bindIp":"0.0.0.0","port":27017},"processManagement":{"fork":true,"pidFilePath":"/var/run/mongod.pid"},"replication":{"replSetName":"rs0"},"security":{"authorization":"enabled","enableEncryption":true,"keyFile":"/etc/mongodb/keyfile","vault":{"port":8200,"secret":"secret/data/dc/*","serverCAFile":"/etc/mongodb/tls.crt","serverName":"192.168.8.132","tokenFile":"/etc/mongodb/token"}},"storage":{"dbPath":"/var/lib/mongodb","journal":{"enabled":true}},"systemLog":{"destination":"file","logAppend":true,"path":"/var/log/mongodb/mongod.log"}}}}
{"t":{"$date":"2025-09-23T08:39:11.253+00:00"},"s":"I", "c":"STORAGE", "id":22270, "ctx":"initandlisten","msg":"Storage engine to use detected by data files","attr":{"dbpath":"/var/lib/mongodb","storageEngine":"wiredTiger"}}
{"t":{"$date":"2025-09-23T08:39:11.253+00:00"},"s":"I", "c":"STORAGE", "id":22297, "ctx":"initandlisten","msg":"Using the XFS filesystem is strongly recommended with the WiredTiger storage engine. See http://dochub.mongodb.org/core/prodnotes-filesystem","tags":["startupWarnings"]}
{"t":{"$date":"2025-09-23T08:39:11.254+00:00"},"s":"F", "c":"STORAGE", "id":29120, "ctx":"initandlisten","msg":"Data-at-Rest Encryption Error","attr":{"error":{"what":"Can't create encryption key database","reason":{"what":"key saving failed","reason":"saving the master key to the Vault server failed: cannot read stats of the Vault token file: /etc/mongodb/token: No such file or directory"},"encryptionKeyDatabaseDirectory":"/var/lib/mongodb/key.db"}}}
{“t”:{“$date”:“2025-09-23T08:39:11.254+00:00”},“s”:“I”, “c”:“REPL”, “id”:4784900, “ctx”:“initandlisten”,“msg”:“Stepping down the ReplicationCoordinator for shutdown”,“attr”:{“waitTimeMillis”:15000}}
{“t”:{“$date”:“2025-09-23T08:39:11.254+00:00”},“s”:“I”, “c”:“REPL”, “id”:4794602, “ctx”:“initandlisten”,“msg”:“Attempting to enter quiesce mode”}
{“t”:{“$date”:“2025-09-23T08:39:11.254+00:00”},“s”:“I”, “c”:“-”, “id”:6371601, “ctx”:“initandlisten”,“msg”:“Shutting down the FLE Crud thread pool”}
{“t”:{“$date”:“2025-09-23T08:39:11.254+00:00”},“s”:“I”, “c”:“COMMAND”, “id”:4784901, “ctx”:“initandlisten”,“msg”:“Shutting down the MirrorMaestro”}
{“t”:{“$date”:“2025-09-23T08:39:11.254+00:00”},“s”:“I”, “c”:“SHARDING”, “id”:4784902, “ctx”:“initandlisten”,“msg”:“Shutting down the WaitForMajorityService”}
{“t”:{“$date”:“2025-09-23T08:39:11.254+00:00”},“s”:“I”, “c”:“-”, “id”:7350601, “ctx”:“initandlisten”,“msg”:“Shutting down the QueryAnalysisSampler”}
{“t”:{“$date”:“2025-09-23T08:39:11.254+00:00”},“s”:“I”, “c”:“NETWORK”, “id”:8314100, “ctx”:“initandlisten”,“msg”:“Shutdown: Closing listener sockets”}
{“t”:{“$date”:“2025-09-23T08:39:11.254+00:00”},“s”:“I”, “c”:“NETWORK”, “id”:4784905, “ctx”:“initandlisten”,“msg”:“Shutting down the global connection pool”}
{“t”:{“$date”:“2025-09-23T08:39:11.254+00:00”},“s”:“I”, “c”:“CONTROL”, “id”:4784906, “ctx”:“initandlisten”,“msg”:“Shutting down the FlowControlTicketholder”}
{“t”:{“$date”:“2025-09-23T08:39:11.254+00:00”},“s”:“I”, “c”:“-”, “id”:20520, “ctx”:“initandlisten”,“msg”:“Stopping further Flow Control ticket acquisitions.”}
{“t”:{“$date”:“2025-09-23T08:39:11.254+00:00”},“s”:“I”, “c”:“REPL”, “id”:4784907, “ctx”:“initandlisten”,“msg”:“Shutting down the replica set node executor”}
{“t”:{“$date”:“2025-09-23T08:39:11.254+00:00”},“s”:“I”, “c”:“NETWORK”, “id”:4784918, “ctx”:“initandlisten”,“msg”:“Shutting down the ReplicaSetMonitor”}
{“t”:{“$date”:“2025-09-23T08:39:11.254+00:00”},“s”:“I”, “c”:“SHARDING”, “id”:4784921, “ctx”:“initandlisten”,“msg”:“Shutting down the MigrationUtilExecutor”}
{“t”:{“$date”:“2025-09-23T08:39:11.254+00:00”},“s”:“I”, “c”:“ASIO”, “id”:22582, “ctx”:“MigrationUtil-TaskExecutor”,“msg”:“Killing all outstanding egress activity.”}
{“t”:{“$date”:“2025-09-23T08:39:11.254+00:00”},“s”:“I”, “c”:“NETWORK”, “id”:20562, “ctx”:“initandlisten”,“msg”:“Shutdown: Closing open transport sessions”}
{“t”:{“$date”:“2025-09-23T08:39:11.254+00:00”},“s”:“I”, “c”:“NETWORK”, “id”:4784923, “ctx”:“initandlisten”,“msg”:“Shutting down the ASIO transport SessionManager”}
{“t”:{“$date”:“2025-09-23T08:39:11.254+00:00”},“s”:“I”, “c”:“CONTROL”, “id”:4784928, “ctx”:“initandlisten”,“msg”:“Shutting down the TTL monitor”}
{“t”:{“$date”:“2025-09-23T08:39:11.254+00:00”},“s”:“I”, “c”:“CONTROL”, “id”:6278511, “ctx”:“initandlisten”,“msg”:“Shutting down the Change Stream Expired Pre-images Remover”}
{“t”:{“$date”:“2025-09-23T08:39:11.254+00:00”},“s”:“I”, “c”:“CONTROL”, “id”:4784929, “ctx”:“initandlisten”,“msg”:“Acquiring the global lock for shutdown”}
{“t”:{“$date”:“2025-09-23T08:39:11.254+00:00”},“s”:“I”, “c”:“-”, “id”:4784931, “ctx”:“initandlisten”,“msg”:“Dropping the scope cache for shutdown”}
{“t”:{“$date”:“2025-09-23T08:39:11.254+00:00”},“s”:“I”, “c”:“CONTROL”, “id”:20565, “ctx”:“initandlisten”,“msg”:“Now exiting”}{“t”:{“$date”:“2025-09-23T08:39:11.254+00:00”},“s”:“I”, “c”:“CONTROL”, “id”:8423404, “ctx”:“initandlisten”,“msg”:“mongod shutdown complete”,“attr”:{“Summary of time elapsed”:{“Statistics”:{“Enter terminal shutdown”:“0 ms”,“Step down the replication coordinator for shutdown”:“0 ms”,“Time spent in quiesce mode”:“0 ms”,“Shut down FLE Crud subsystem”:“0 ms”,“Shut down MirrorMaestro”:“0 ms”,“Shut down WaitForMajorityService”:“0 ms”,“Shut down the Query Analysis Sampler”:“0 ms”,“Shut down the global connection pool”:“0 ms”,“Shut down the flow control ticket holder”:“0 ms”,“Shut down the replica set node executor”:“0 ms”,“Shut down the replica set monitor”:“0 ms”,“Shut down the migration util executor”:“0 ms”,“Shut down the transport layer”:“0 ms”,“Shut down the TTL monitor”:“0 ms”,“Shut down expired pre-images and documents removers”:“0 ms”,“Wait for the oplog cap maintainer thread to stop”:“0 ms”,“Shut down full-time data capture”:“0 ms”,“Shut down online certificate status protocol manager”:“0 ms”,“shutdownTask total elapsed time”:“0 ms”}}}}
{“t”:{“$date”:“2025-09-23T08:39:11.254+00:00”},“s”:“I”, “c”:“CONTROL”, “id”:23138, “ctx”:“initandlisten”,“msg”:“Shutting down”,“attr”:{“exitCode”:1001}}

Hi @M_Taha ,

It seems the server has issues in saving the master key to the Vault. Can you check whether the tokenFile /etc/mongodb/token is accessible for the mongod process to read? Also, check the connectivity between the server and the Vault server.

Regards,

Vinodh Guruji
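
The two checks suggested in the reply above (token file accessibility for the mongod process, and connectivity to the Vault server), sketched as an added example that is not part of the thread or of Percona's tooling. It assumes GNU stat and curl are installed and that the service account is named mongod; the function names and return codes are made up for this illustration, and the owner-only mode check is a general hardening choice for secret files.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the security.vault settings in mongod.conf.
# Function names and return codes are hypothetical, not Percona's.

# check_token_file FILE OWNER_UID
# Run it as the mongod user so the readability test reflects what mongod sees.
# Returns 0 ok, 2 missing, 3 not a regular file, 4 not readable by the caller,
#         5 empty, 6 wrong owner, 7 readable by group or others.
check_token_file() {
    local file="$1" owner_uid="$2" mode
    [ -e "$file" ] || return 2    # the "No such file or directory" case in the log
    [ -f "$file" ] || return 3
    [ -r "$file" ] || return 4
    [ -s "$file" ] || return 5
    [ "$(stat -c %u "$file")" = "$owner_uid" ] || return 6
    mode=$(stat -c %a "$file")    # octal mode, e.g. 600
    case "$mode" in
        ?00) return 0 ;;          # owner-only access (600 or 400)
        *)   return 7 ;;
    esac
}

# check_vault_health HOST PORT CAFILE
# Prints the HTTP status of Vault's /v1/sys/health, with the server
# certificate verified against CAFILE (the serverCAFile from mongod.conf).
# 200 = active and unsealed, 429 = standby, 501 = not initialized, 503 = sealed.
# A curl TLS or connection error here points at the CA file or the network path.
check_vault_health() {
    curl --silent --show-error --max-time 5 --cacert "$3" \
         --output /dev/null --write-out '%{http_code}\n' \
         "https://$1:$2/v1/sys/health"
}

# Typical use on the database host (paths as posted in the thread):
#   sudo -u mongod bash -c '. ./vault_preflight.sh; \
#       check_token_file /etc/mongodb/token "$(id -u)"; echo "rc=$?"'
#   check_vault_health 192.168.8.132 8200 /etc/mongodb/tls.crt
```
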