MongoDB Encryption Solutions

Database security is a fundamental factor to consider for any application that involves sensitive data such as personally identifiable, health care, federal government, and financial information. Encryption is a key security mechanism that help protect sensitive data also addresses the compliance obligations.

 
Protecting your data can be accomplished by encrypting at different levels starting from the application level ending by the field holding the data.

Encryption is on the top of the list of MongoDB security checklist. MongoDB offers several methods to encrypt your data, let’s take a look at your options.

Transport Encryption

MongoDB uses (TLS/SSL) transport encryption to encrypt all data in transit between MongoDB and application in both directions.  To use TLS/SSL you must have a valid and working TLS/SSL certificate that include PEMKeyfile and CAFile. You may consider one of the options to enable TLS/SSL on MongoDB deployment either self-signed certificate or third-party authority certificate. You can only use a 128-bit key length or higher to encrypt MongoDB database using TLS/SSL.

TLS/SSL allow you to encrypt all the incoming and outgoing communication as listed below:

• mongod and mongos
• MongoDB Drivers
• Default mongodb tools
• MongoDB Atlas, MongoDB Cloud Manager and MongoDB Ops Manage

 
Also, you can upgrade your cluster to use TLS/SSL by using rolling upgrade process and enable TLS/SSL.

At-Rest Encryption

The Encryption-At-Rest feature is only available starting in MongoDB Enterprise version 3.2 by using the WiredTiger storage engine and it is not supported with MMAPv1. It encrypts the MongoDB database files resides on the disk.

There are two key management options introduced in MongoDB 3.4 and described as below:

1. KMIP Key Manager : Integration with external key management system and KMIP communication procedures.
2. Local Key Management: Using a local keyfile.

You can you enable the Encryption-At-Rest feature for an existing replica set and shared cluster deployment by migrating an existing unencrypted data into a running mongod instance with encryption enabled and using rolling upgrade. For a standalone deployment you can use MongoDB backup and restore tools to backup unencrypted data and restore it into an encrypted deployment.

Client-Side Field Level Encryption (FLE)

This is a new feature MongoDB introduced in MonogDB version 4.2. You can use this method if you would like to encrypt and decrypt sensitive data on the client-side prior to transmitting it to the server. The applications need to have the correct encryption keys to decrypt and read the data. You won’t be able to read the encrypted data if you delete the encryption key. You can create and manage encryption keys using AWS Key Management Service (KMS).

Field Level Encryption implantation does not store encryption keys or encrypt and decrypt processes on the server. On the other hand, it uses MongoDB client library to work as the driver and do all the encryption and decryption processes on the client side. FLE mechanism protect individual fields in a document and revealing it only to the sender and the recipient.

Supported Encryption Methods

• Manual encryption of fields
• Automatic encryption of fields

 
No matter what MongoDB version your organization is running, rest assured that encryption is a top priority feature for MongoDB ensuring your data is secure at all times. If you’re looking for additional support on MongoDB whether it be security or otherwise, please contact us. We’re a Premier Partner and can help you with your solution needs.

Further Reading:

A Faster Future with Newly Released MongoDB 4.2

Feed Your Need for Speed with MongoDB 4.2