Verify Encryption

I have implemented encryption using "Using Vault to Store the Master Key for Data at Rest Encryption on Percona Server for MongoDB" (Percona Database Performance Blog).

How can I verify whether the data is actually encrypted or not? The data size of the encrypted and unencrypted database is exactly the same.

1 Like

Hi.
The data size will be roughly the same.

If it’s just that you need to see that the configuration is in effect, check the output of the db.serverCmdLineOpts() (https://docs.mongodb.com/manual/reference/method/db.serverCmdLineOpts/) mongo shell command. If the data-at-rest settings are present (security.enableEncryption: true being the main one) it must be in effect - the mongod would have aborted on startup if it couldn’t follow those settings.

And if you look in the db.collection.stats() output (https://docs.mongodb.com/manual/reference/method/db.collection.stats/index.html) for any collection then in the “wiredTiger.creationString” field I believe you will see one of the WiredTiger table options is something about encryption (“encryption=(keyid=identifier)”).

If you don’t want to take it on faith that the configuration information is true, then there’s a strong practical test you can do. Comment out the security.* settings for encryption in the mongod.conf file and restart to observe that it cannot recover the data without the encryption keys. Disclaimer: I don’t know if this will cause damage or not. I am suggesting it now only because it sounds like you’re trying in a dev environment for the first time.

Akira

2 Likes
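The two checks from the reply above (db.serverCmdLineOpts() and the wiredTiger.creationString field of db.collection.stats()) combined into one script, as an added example that is not part of the original posts. The sample documents, the collection names and the encryptor/key names are constructed, and it assumes a table created without an encryptor shows an empty encryption=(keyid=,name=) group, so a plain substring match on "encryption=" is not enough.

```javascript
// Added example (not from the thread). Runs in mongosh, the legacy mongo shell, or Node.js.
// Pull the encryption=(...) group out of a WiredTiger creationString.
function parseEncryption(creationString) {
  const m = /(?:^|,)encryption=\(([^)]*)\)/.exec(creationString || "");
  if (!m) return null;
  const out = {};
  for (const pair of m[1].split(",")) {
    const i = pair.indexOf("=");
    if (i > 0) out[pair.slice(0, i).trim()] = pair.slice(i + 1).trim().replace(/^"|"$/g, "");
  }
  return out;
}

// Check 1: the options mongod actually started with.
function checkServerOpts(opts) {
  const sec = (opts && opts.parsed && opts.parsed.security) || {};
  const keySource = sec.vault ? "vault" : sec.encryptionKeyFile ? "keyfile" : "unknown";
  return { enabled: sec.enableEncryption === true, keySource };
}

// Check 2: the per-collection table options.
// Assumption: an empty name (encryption=(keyid=,name=)) means no encryptor is configured.
function checkCollection(stats) {
  const wt = (stats && stats.wiredTiger) || {};
  const enc = parseEncryption(wt.creationString);
  const name = enc && enc.name ? enc.name : null;
  return { encrypted: name !== null, encryptor: name, keyid: (enc && enc.keyid) || null };
}

// Combine both checks; statsByCollection maps collection name -> stats() document.
function verify(opts, statsByCollection) {
  const server = checkServerOpts(opts);
  const unencrypted = Object.keys(statsByCollection)
    .filter((n) => !checkCollection(statsByCollection[n]).encrypted);
  return { server, unencrypted, ok: server.enabled && unencrypted.length === 0 };
}

// Constructed sample documents (trimmed; real output has many more fields).
const SAMPLE_OPTS = { parsed: { security: { enableEncryption: true,
  vault: { serverName: "vault.example.internal" } } }, ok: 1 };
const SAMPLE_STATS = {
  orders: { wiredTiger: { creationString:
    'block_compressor=snappy,encryption=(keyid="sample-key",name=sample-encryptor),format=btree' } },
  legacy: { wiredTiger: { creationString:
    "block_compressor=snappy,encryption=(keyid=,name=),format=btree" } },
};
// In the shell: verify(db.serverCmdLineOpts(), { orders: db.orders.stats() })
```

Like the checks it wraps, this only reports what the server says about its own configuration; the restart test described in the reply above is the independent confirmation.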

Thank you for the reply. 
Any idea how to set up replication with encryption enabled? Right now I only have a single instance running.

1 Like

For replication - there are no changes in the replication config required at all. Each node is its own thing in this regard, passing the data unencrypted to each other in the replica set, and to clients.

To make sure the data can’t be read as it is transferred over the network you must enable MongoDB’s network encryption, which is a different part of MongoDB (https://docs.mongodb.com/manual/core/security-transport-encryption/). It is supported in MongoDB Community; it is not just for MongoDB Inc’s and Percona’s matching enterprise like the data-at-rest encryption.

1 Like

Just chiming in to say thanks and maybe add to those who run in Docker.

I used what you described (db.serverCmdLineOpts(), db.collection.stats()) to verify that mongo was instructed to encrypt the DB.
I run it in a Docker container, so to do the practical test, I generated a new key file (originally ran the container with --encryptionKeyFile [FILE]), and replaced the old file with it.
mongo refused to start, citing:

__wt_btree_tree_open, 639: unable to read root page from file:WiredTiger.wt: WT_PANIC: WiredTiger library panic

file:WiredTiger.wt, connection: [WT_VERB_DEFAULT][ERROR]: __wt_btree_tree_open, 645: WiredTiger has failed to open its metadata: WT_PANIC: WiredTiger library panic

file:WiredTiger.wt, connection: [WT_VERB_DEFAULT][ERROR]: __wt_btree_tree_open, 646: This may be due to the database files being encrypted, being from an older version or due to corruption on disk: WT_PANIC: WiredTiger library panic

file:WiredTiger.wt, connection: [WT_VERB_DEFAULT][ERROR]: __wt_btree_tree_open, 649: You should confirm that you have opened the database with the correct options including all encryption and compression options: WT_PANIC: WiredTiger library panic

So it’s doing what it’s supposed to.

1 Like