I have successfully encrypted the communication in mongoDB but when I try to enable the data encryption I'm getting errors. I am using the enterprise edition of mongoDB with version 3.2.4. I get the following message in the console:
ERROR: child process failed, exited with error number 14
But when I look at the logs I see detailed error as follows:
Unable to retrieve key .system, error: there are existing data files, but no valid keystore could be located.
Fatal Assertion 28561
following is the snippet of my config file:
# enable authentication
security:
authorization: enabled
enableEncryption: true
encryptionKeyFile: /home/test/mongodb-keyfile
It works fine without the enableEncryption
, and encryptionKeyFile
parameters. Could anyone explain what i'm missing here? thanks!
MongoDB supports TLS/SSL (Transport Layer Security/Secure Sockets Layer) to encrypt all of MongoDB's network traffic. TLS/SSL ensures that MongoDB network traffic is only readable by the intended client.
MongoDB Enterprise 3.2 introduces a native encryption option for the WiredTiger storage engine. This feature allows MongoDB to encrypt data files such that only parties with the decryption key can decode and read the data.
MongoDB Atlas has built-in encryption at rest for disks by default with every node in your cluster. However, you can enable Encryption At Rest from the WiredTiger storage engine as well.
Enforce Field Level Encryption Schema Starting with MongoDB 4.2, the server supports using schema validation to enforce encryption of specific fields in a collection. Use the automatic encryption rule keywords with the $jsonSchema validation object to indicate which fields require encryption.
MongoDB's encrypted storage engine supports two key management options:
Worth mentioning that using a key manager meets regulatory key management guidelines and is recommended over the local key management.
If you are using Key Manager option, please see KMIP Master Key Rotation.
Since you are using the Local Key option, if you have a Replica Set deployment you could rotate the replica set member. This would re-sync data from the un-encrypted to the encrypted mongod
.
Alternatively if you only have a standalone mongod
, you could:
mongod
process.dbpath
. Exercise extra caution! - If you are deleting, make sure you have a backup data. mongod
with --enableEncryption and --encryptionKeyFile. mongod
.As an example, you could use mongodump to dump the data, and use mongorestore to restore the dump files.
Lastly, note that MongoDB Enterprise edition is a commercially supported product. I'd suggest opening a support case if you have a Commercial Support subscription.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With