MongoDB is now the de facto database for a wide variety of applications, some of which store very sensitive data. When you store sensitive information in your MongoDB database, it’s important to encrypt the contents of your data disk. This gives you an extra layer of protection if your data disks, snapshots, or backups are lost or stolen. For example, if an attacker gets access to your snapshots or backups, all the data is still encrypted and they cannot access your raw application data. In some scenarios, encryption at rest is also compulsory due to compliance requirements.
At ScaleGrid, we make it extremely easy to encrypt your MongoDB data volumes at rest. In the creation wizard, when creating a new MongoDB cluster, select the option to “Encrypt your disk” – and that’s it! Our software will then take care of all the details of encryption, including setting up the volumes for encryption, setting up keys, backup, restore, etc.
Behind the scenes, we use block-level encryption to ensure the entire contents of your data disk are encrypted. We feel that’s the simplest, cleanest option in the long term. Here are a few other options we considered:
File system encryption
File system encryption makes sense when you only want to encrypt a few files. In our case, we encrypt the entire MongoDB data volume.
Encrypting data at the application level is not an option we would recommend. Getting cryptography right and securing keys at the application level is a non-trivial task, and is best left to the platform.
Backup & Restore
Once you’ve chosen to encrypt your disks, your backups are automatically encrypted as well – no further action is needed on your part. Due to the encryption, the backups can now only be recovered on the specific cluster on which they were taken.
Encrypting your data in motion is essential when your data is traversing unsecured networks like the internet. ScaleGrid makes encrypting your data in motion a simple, trivial task. This is achieved by selecting the “Enable SSL” option in the creation wizard, enabling SSL on your MongoDB servers. If you’d also like to bring your own custom SSL certificate, please contact our support team. For more details, refer to the post on Setting up SSL.
If you have more questions about the encryption setup, please email us at firstname.lastname@example.org.