==================
Encryption at Rest
==================

.. default-domain:: mongodb

.. contents:: On this page
   :local:
   :backlinks: none
   :depth: 1
   :class: singlecol

Encryption at rest, when used in conjunction with transport encryption
and good security policies that protect relevant accounts, passwords,
and encryption keys, can help ensure compliance with security and
privacy standards, including HIPAA, PCI-DSS, and FERPA.

.. _encrypted-storage-engine:

Encrypted Storage Engine
------------------------

.. versionadded:: 3.2

.. include:: /includes/fact-enterprise-only-admonition.rst

.. important:: Available for the WiredTiger Storage Engine only.

MongoDB Enterprise 3.2 introduces a native encryption option for the
WiredTiger storage engine. This feature allows MongoDB to encrypt data
files such that only parties with the decryption key can decode and
read the data.

Encryption Process
~~~~~~~~~~~~~~~~~~

If encryption is enabled, the default encryption mode that MongoDB
Enterprise uses is ``AES256-CBC`` (256-bit Advanced Encryption
Standard in Cipher Block Chaining mode) via OpenSSL. AES-256 uses a
symmetric key; that is, the same key both encrypts and decrypts the
data. MongoDB Enterprise also supports authenticated encryption with
``AES256-GCM`` (256-bit Advanced Encryption Standard in Galois/Counter
Mode). FIPS mode encryption is also available.

The data encryption includes:

- Generating a master key.

- Generating keys for each database.

- Encrypting data with the database keys.

- Encrypting the database keys with the master key.

The encryption occurs transparently in the storage layer; i.e. all data
files are fully encrypted from a filesystem perspective, and data only
exists in an unencrypted state in memory and during transmission.

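The four steps above describe a two-level key hierarchy: records are sealed under per-database keys, and those keys are themselves sealed under the master key, so the master key is the only secret that has to be supplied from outside the server. The Go program below is an added example, not MongoDB's or WiredTiger's own code; it models that hierarchy with ``AES256-GCM`` from Go's standard library. The function names (``randomBytes``, ``EncryptDatabase``, ``DecryptDatabase``), the ``EncryptedDatabase`` layout, the use of the database name as GCM associated data, and the sample record are all constructed for this illustration and do not describe MongoDB's on-disk format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randomBytes draws n bytes from the OS CSPRNG (used for keys and nonces).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: refuse to continue rather than emit a weak key
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal: output is nonce || ciphertext || tag; aad (the database name) is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; the GCM tag check rejects a wrong key or any modified byte.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// EncryptedDatabase is what reaches disk (constructed layout): neither the master key nor the raw database key is in it.
type EncryptedDatabase struct {
	Name       string
	WrappedKey []byte
	Records    [][]byte
}

// EncryptDatabase performs steps 2 to 4 of the list above for one database.
func EncryptDatabase(masterKey []byte, name string, records [][]byte) (*EncryptedDatabase, error) {
	dbKey := randomBytes(32) // step 2: a key for this database
	db := &EncryptedDatabase{Name: name}
	for _, r := range records { // step 3: records under the database key
		c, err := seal(dbKey, r, []byte(name))
		if err != nil {
			return nil, err
		}
		db.Records = append(db.Records, c)
	}
	wrapped, err := seal(masterKey, dbKey, []byte(name)) // step 4: database key under the master key
	if err != nil {
		return nil, err
	}
	db.WrappedKey = wrapped
	return db, nil
}

// DecryptDatabase unwraps the database key with the master key, then decrypts the records.
func DecryptDatabase(masterKey []byte, db *EncryptedDatabase) ([][]byte, error) {
	dbKey, err := unseal(masterKey, db.WrappedKey, []byte(db.Name))
	if err != nil { // a wrong master key fails here, before any record is touched
		return nil, fmt.Errorf("unwrap key for %q: %w", db.Name, err)
	}
	plain := make([][]byte, 0, len(db.Records))
	for _, c := range db.Records {
		p, err := unseal(dbKey, c, []byte(db.Name))
		if err != nil {
			return nil, err
		}
		plain = append(plain, p)
	}
	return plain, nil
}

func main() {
	master := randomBytes(32) // step 1: the master key (in MongoDB it comes from KMIP or a keyfile)
	db, _ := EncryptDatabase(master, "inventory", [][]byte{[]byte(`{"sku":"A1","qty":3}`)}) // constructed record
	if _, err := DecryptDatabase(randomBytes(32), db); err != nil {
		fmt.Println("wrong master key rejected:", err)
	}
	plain, _ := DecryptDatabase(master, db)
	fmt.Printf("%d-byte wrapped key; decrypted: %s\n", len(db.WrappedKey), plain[0])
}
```

Two properties of the page's design show up directly: rotating the master key only requires re-wrapping each database key (the records themselves stay untouched), and because the mode is authenticated, a wrong master key or a modified on-disk byte is detected as an error rather than silently decrypting to garbage.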
To encrypt all of MongoDB's network traffic, you can use TLS/SSL
(Transport Layer Security/Secure Sockets Layer). See
:doc:`/tutorial/configure-ssl` and
:doc:`/tutorial/configure-ssl-clients`.

Key Management
~~~~~~~~~~~~~~

.. important:: Secure management of the encryption keys is critical.

The database keys are internal to the server and are only paged to disk
in an encrypted format. MongoDB never pages the master key to disk
under any circumstances.

Only the master key is external to the server (i.e. kept separate from
the data and the database keys) and requires external management. To
manage the master key, MongoDB's encrypted storage engine supports two
key management options:

- Integration with a third party key management appliance via the Key
  Management Interoperability Protocol (KMIP). **Recommended**

- Local key management via a keyfile.

To configure MongoDB for encryption and use one of the two key
management options, see
:doc:`/tutorial/configure-encryption`.


Encryption and Replication
~~~~~~~~~~~~~~~~~~~~~~~~~~

Encryption is not a part of replication:

- Master keys and database keys are not replicated, and

- Data is not natively encrypted over the wire.

Although you could reuse the same key for the nodes, MongoDB recommends
the use of individual keys for each node as well as the use of
transport encryption.

For details, see :ref:`rotate-encryption-keys`.


Logging
~~~~~~~

.. versionadded:: 3.4 Available in MongoDB Enterprise only

The log file is not encrypted as a part of MongoDB's encrypted storage engine.
A :program:`mongod` running with :ref:`logging <monitoring-standard-loggging>`
may output potentially sensitive information to log files as a part of normal
operations, depending on the configured :ref:`log verbosity
<log-messages-configure-verbosity>`.

MongoDB 3.4 Enterprise provides the :setting:`security.redactClientLogData`
setting to prevent potentially sensitive information from entering the
:program:`mongod` process log. :setting:`~security.redactClientLogData`
reduces detail in the log and may complicate log diagnostics.

See the :ref:`log redaction <monitoring-log-redaction>` manual entry for
more information.


.. _app-level-encryption:

Application Level Encryption
----------------------------

Application Level Encryption provides encryption on a per-field or
per-document basis within the application layer. To encrypt document or
field level data, write custom encryption and decryption routines or
use a commercial solution.


.. include:: /includes/partners-security.rst

.. class:: hidden

.. toctree::
   :titlesonly:

   /tutorial/configure-encryption
   /tutorial/rotate-encryption-key