Configuring Encryption at Rest - MongoDB

Overview

This article describes how to configure encryption at rest for MongoDB.

Procedure

1. Edit /etc/mongod.conf and add the following:

security:
  enableEncryption: true
  encryptionKeyFile: /mongo/keys/mongod.key

2. Create the /mongo/keys directory and change its owner

mkdir /mongo/keys
chown mongod:mongod /mongo/keys/

3. Generate an encryption key

openssl rand -base64 32 > /mongo/keys/mongod.key

4. Adjust security on the encryption key

chmod 600 /mongo/keys/mongod.key
chown mongod:mongod /mongo/keys/mongod.key

5. If it's running, stop the MongoDB service

service mongod status
service mongod stop

6. Delete or re-key the data

If you're starting with a fresh MongoDB install, delete the data files.

DANGER: THIS COMMAND WILL FORCIBLY DELETE ALL FILES IN THE INDICATED FOLDER WITHOUT CONFIRMATION!

cd /mongo/data
rm -fr /mongo/data/*

If you're enabling/changing encryption for an existing MongoDB instance, re-key the data.

TODO

7. Start the MongoDB service

service mongod status
service mongod stop
service mongod start

8. Troubleshoot the MongoDB service

If the MongoDB service fails to start, troubleshoot it by viewing the log file:

view /mongo/log/mongod.log
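
The following is an added example, not part of the original article: a POSIX shell pre-flight check for the key file from steps 2 to 4, meant to be run before the service is started in step 7. The function names make_keyfile and check_keyfile are hypothetical; make_keyfile generates the key under a restrictive umask so the file is never readable by other users between its creation and the chmod in step 4.

```shell
#!/bin/sh
# Added example; make_keyfile and check_keyfile are hypothetical helper names.

# Generate the key as in step 3, but under umask 077 so the file is created
# owner-only instead of being readable until the chmod in step 4.
# Refuses to overwrite: replacing the key would make encrypted data unreadable.
make_keyfile() {
    keyfile=$1
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite $keyfile" >&2
        return 1
    fi
    ( umask 077 && openssl rand -base64 32 > "$keyfile" )
}

# check_keyfile PATH OWNER: verify file type, mode, owner and key length.
check_keyfile() {
    keyfile=$1
    owner=$2
    if [ ! -f "$keyfile" ] || [ -L "$keyfile" ]; then
        echo "$keyfile: missing or not a regular file" >&2
        return 1
    fi
    # First 10 characters of ls -l output: file type plus permission bits.
    mode=$(ls -ld "$keyfile" | cut -c1-10)
    case $mode in
        -rw-------|-r--------) ;;
        *) echo "$keyfile: mode $mode, expected -rw------- (chmod 600)" >&2
           return 1 ;;
    esac
    actual=$(ls -ld "$keyfile" | awk '{print $3}')
    if [ "$actual" != "$owner" ]; then
        echo "$keyfile: owned by $actual, expected $owner" >&2
        return 1
    fi
    # openssl rand -base64 32 must decode back to exactly 32 bytes.
    bytes=$(base64 -d < "$keyfile" 2>/dev/null | wc -c | tr -d ' ')
    if [ "$bytes" != 32 ]; then
        echo "$keyfile: decodes to $bytes bytes, expected 32" >&2
        return 1
    fi
    echo "$keyfile: ok"
}

# Usage with the article's path and service account:
#   check_keyfile /mongo/keys/mongod.key mongod
```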