Verify Encryption

I have implemented encryption using https://www.percona.com/blog/2020/04/21/using-vault-to-store-the-master-key-for-data-at-rest-encryption-on-percona-server-for-mongodb/.

How can I verify whether the data is actually encrypted or not? The data size of the encrypted/un-encrypted database is exactly the same.

Hi.
The data size will be roughly the same.

If it’s just that you need to see that the configuration is in effect, check the output of the https://docs.mongodb.com/manual/reference/method/db.serverCmdLineOpts/ mongo shell command. If the data-at-rest settings are present (security.enableEncryption: true being the main one) it must be in effect - the mongod would have aborted on startup if it couldn’t follow those settings.

And if you look in the https://docs.mongodb.com/manual/reference/method/db.collection.stats/index.html for any collection then in the “wiredTiger.creationString” field I believe you will see one of the WiredTiger table options is something about encryption (“encryption=(keyid=identifier)”).

If you don’t want to take it on faith that the configuration information is true, then there’s a strong practical test you can do. Comment out the security.* settings for encryption in the mongod.conf file and restart to observe that it cannot recover the data without the encryption keys. Disclaimer: I don’t know if this will cause damage or not. I am suggesting it now only because it sounds like you’re trying in a dev environment for the first time.

Akira
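
The two configuration checks described in the answer above can be scripted. This is an added example, not part of the original posts or of Percona's or MongoDB's code: the function names are hypothetical, the sample documents are constructed, and it assumes an unencrypted table reports an empty `encryption=(keyid=,name=)` option.

```javascript
// Evaluates documents already fetched in the mongo shell with
// db.serverCmdLineOpts() and db.<collection>.stats().

// Pull "encryption=(...)" out of a WiredTiger creationString and split it
// into key/value pairs; returns null when the option is absent.
function parseEncryptionOption(creationString) {
  const m = /(?:^|,)encryption=\(([^()]*)\)/.exec(creationString || "");
  if (!m) return null;
  const opts = {};
  for (const pair of m[1].split(",")) {
    if (!pair) continue;
    const i = pair.indexOf("=");
    const key = i < 0 ? pair : pair.slice(0, i);
    const val = i < 0 ? "" : pair.slice(i + 1).replace(/^"|"$/g, "");
    opts[key.trim()] = val.trim();
  }
  return opts;
}

// Check 1: the running mongod was started with security.enableEncryption: true.
function encryptionConfigured(cmdLineOpts) {
  const sec = (cmdLineOpts && cmdLineOpts.parsed && cmdLineOpts.parsed.security) || {};
  return sec.enableEncryption === true;
}

// Check 2: the collection's table carries a non-empty key id or encryptor name.
function collectionEncrypted(stats) {
  const cs = stats && stats.wiredTiger && stats.wiredTiger.creationString;
  const enc = parseEncryptionOption(cs);
  return enc !== null && Boolean(enc.keyid || enc.name);
}

// Combine both checks; lists collections whose creationString shows no key.
function report(cmdLineOpts, statsByCollection) {
  const unencrypted = Object.keys(statsByCollection)
    .filter((name) => !collectionEncrypted(statsByCollection[name]));
  return { configured: encryptionConfigured(cmdLineOpts), unencrypted };
}

// Constructed sample documents (values are placeholders, not real output).
const sampleOpts = { parsed: { security: { enableEncryption: true } }, ok: 1 };
const sampleStats = {
  orders: { wiredTiger: { creationString:
    'block_compressor=snappy,encryption=(keyid="identifier",name=placeholder),format=btree' } },
  legacy: { wiredTiger: { creationString:
    "block_compressor=snappy,encryption=(keyid=,name=),format=btree" } },
};
console.log(JSON.stringify(report(sampleOpts, sampleStats)));
```

In the mongo shell, pass `db.serverCmdLineOpts()` and a map built from `db.getCollection(name).stats()` for each collection instead of the constructed samples.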

Thank you for the reply.
Any idea how to set up replication with encryption enabled? Right now I only have a single instance running.

For replication - there are no changes in the replication config required at all. Each node is its own thing in this regard, passing the data unencrypted to each other in the replica set, and to clients.

To make sure the data can’t be read as it is transferred over the network you must enable MongoDB’s network encryption, which is a different part of MongoDB (https://docs.mongodb.com/manual/core/security-transport-encryption/). It is supported in MongoDB Community; it is not just for MongoDB Inc’s and Percona’s matching enterprise like the data-at-rest encryption.