MongoDB is now the de facto database for a wide variety of applications, some of which store sensitive data. When you store sensitive information in your MongoDB database, it is important to encrypt the contents of your data disk. This gives you an extra layer of protection if your data disks, snapshots or backups are lost or stolen: for example, if an attacker gets access to your snapshots or backups, all the data is still encrypted and the attacker still cannot access your raw application data. In some scenarios, encryption at rest is compulsory due to compliance requirements.
MongoDirector.com makes it extremely simple to encrypt your MongoDB data volumes at rest. In the creation wizard, when creating a new MongoDB cluster, select the option to “Encrypt your disk” – that's it! Our software will then take care of all the details of encryption, including setting up the volumes for encryption, setting up keys, backup, restore, etc.
Under the covers, we use block-level encryption to ensure that the entire contents of your data disk are encrypted. We feel that this is the simpler, cleaner option in the long term. Here are a few other options we considered:
1. File system encryption – File system encryption makes sense when you only want to encrypt a few files. In our case, we encrypt the entire MongoDB data volume.
2. Application-level encryption – This is not an option we would recommend. Getting cryptography right and securing keys at the application level is a non-trivial task and is best left to the platform.
Backup & Restore
Once you choose to encrypt your disks, your backups are automatically encrypted as well – no further action is needed on your part. Because of the encryption, the backups can now only be recovered on the specific cluster on which they were taken.
Encrypting data in motion
Encrypting your data in motion is essential when your data is traversing unsecured networks like the internet. MongoDirector.com makes it trivial to encrypt your data in motion: select the “Enable SSL” option in the creation wizard. This will enable SSL on your MongoDB servers. If you would also like to bring your own custom SSL certificate, please contact our support team. For more details, refer to the post on Setting up SSL.
If you have more questions about the encryption setup, please email us at firstname.lastname@example.org