Error when enabling data encryption using local key MONGODB

I have successfully encrypted the communication in mongoDB but when I try to enable the data encryption I'm getting errors. I am using the enterprise edition of mongoDB with version 3.2.4. I get the following message in the console:

ERROR: child process failed, exited with error number 14

But when I look at the logs I see a detailed error as follows:

Unable to retrieve key .system, error: there are existing data files, but no valid keystore could be located.
Fatal Assertion 28561

Following is the snippet of my config file:

# enable authentication
security:
  authorization: enabled
  enableEncryption: true
  encryptionKeyFile: /home/test/mongodb-keyfile

It works fine without the enableEncryption and encryptionKeyFile parameters. Could anyone explain what I'm missing here? Thanks!

Gurkha asked Apr 06 '16 15:04



1 Answer

MongoDB's encrypted storage engine supports two key management options:

  • Key Manager : Integration with third party key management appliance via the Key Management Interoperability Protocol (KMIP).
  • Local Key: Use of local key management via a keyfile.

It is worth mentioning that using a key manager meets regulatory key management guidelines and is recommended over local key management.

If you are using the Key Manager option, please see KMIP Master Key Rotation.

Since you are using the Local Key option, if you have a Replica Set deployment, you could rotate the replica set member. This would re-sync data from the unencrypted to the encrypted mongod.

Alternatively, if you only have a standalone mongod, you could:

  1. Back up your database files.
  2. Stop the mongod process.
  3. Delete or move the existing database files in dbpath. Exercise extra caution! If you are deleting, make sure you have a backup of the data.
  4. Restart mongod with --enableEncryption and --encryptionKeyFile.
  5. Restore the backup files to the restarted and encrypted mongod.

As an example, you could use mongodump to dump the data, and use mongorestore to restore the dump files.

Lastly, note that MongoDB Enterprise edition is a commercially supported product. I'd suggest opening a support case if you have a Commercial Support subscription.

Wan Bachtiar answered Oct 15 '22 04:10
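The standalone procedure from the answer above, wired together as a POSIX shell script. This is an added example, not code from the answer or from MongoDB; the paths, port, the DRY_RUN/RUN_MIGRATION switches and the check_keyfile helper are assumptions of this example, while the key-file checks follow the requirements in MongoDB's encryption tutorial (a base64 string encoding a 16, 24 or 32 byte key, file mode 600). The key point for the question's error is step 3: the new encrypted keystore is only created when mongod starts on an empty dbpath.

```shell
#!/bin/sh
# Assumed paths and port for this example; adjust to your deployment.
KEYFILE="${KEYFILE:-/home/test/mongodb-keyfile}"
DBPATH="${DBPATH:-/var/lib/mongodb}"
DUMPDIR="${DUMPDIR:-/var/backups/mongo-pre-encryption}"
MONGOD_PORT="${MONGOD_PORT:-27017}"

# check_keyfile FILE: returns 0 if FILE is a usable local key, otherwise
# 1 (missing), 2 (mode too open), 3 (not base64), 4 (bad key length).
# mongod expects a base64 string encoding a 16, 24 or 32 byte key, mode 600.
check_keyfile() {
  f="$1"
  [ -f "$f" ] || { echo "keyfile missing: $f" >&2; return 1; }
  perm=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$perm" in
    *00) ;;   # no group/other permission bits (e.g. 600)
    *) echo "keyfile $f has mode $perm; expected 600" >&2; return 2 ;;
  esac
  key=$(tr -d '\r\n' < "$f")
  if printf '%s' "$key" | grep -q '[^A-Za-z0-9+/=]'; then
    echo "keyfile $f contains non-base64 characters" >&2; return 3
  fi
  case "${#key}" in
    24|32|44) return 0 ;;   # base64 of 16, 24 and 32 bytes respectively
    *) echo "keyfile $f is not a 16/24/32 byte key" >&2; return 4 ;;
  esac
}

# run CMD...: execute CMD, or only echo it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# The five steps from the answer for a standalone mongod. Add
# --username/--password to mongodump and mongorestore if authorization is on.
migrate_to_encrypted() {
  check_keyfile "$KEYFILE" || return 1
  # 1. logical backup while the unencrypted mongod is still running
  run mongodump --port "$MONGOD_PORT" --out "$DUMPDIR"
  # 2. stop mongod cleanly
  run mongod --dbpath "$DBPATH" --shutdown
  # 3. move, do not delete, the old files: they are the fallback if step 5 fails
  run mv "$DBPATH" "$DBPATH.unencrypted.$(date +%Y%m%d%H%M%S)"
  run mkdir -p "$DBPATH"
  # 4. restart with encryption; the empty dbpath lets WiredTiger create the keystore
  run mongod --dbpath "$DBPATH" --port "$MONGOD_PORT" --fork \
      --logpath "$DBPATH/mongod.log" --enableEncryption --encryptionKeyFile "$KEYFILE"
  # 5. restore the dump into the now-encrypted instance
  run mongorestore --port "$MONGOD_PORT" "$DUMPDIR"
}

# Only run when explicitly asked, e.g.: RUN_MIGRATION=1 DRY_RUN=1 sh migrate.sh
if [ "${RUN_MIGRATION:-0}" = 1 ]; then migrate_to_encrypted; fi
```

Run it once with DRY_RUN=1 to review the exact commands before letting it touch dbpath.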