Comments on: WiredTiger Encryption at Rest with Percona Server for MongoDB
https://www.percona.com/blog/wiredtiger-encryption-at-rest-percona-server-for-mongodb/

By: Sandeep (Fri, 11 Sep 2020 16:21:03 +0000)
I have set up a new MongoDB server with encryption enabled by following all the steps mentioned in https://www.percona.com/blog/2020/04/21/using-vault-to-store-the-master-key-for-data-at-rest-encryption-on-percona-server-for-mongodb/. I took a dump of the non-encrypted data using mongodump and restored it on the new server with encryption enabled using mongorestore. Now I am not sure how to verify whether the restored data is encrypted or not. When I compare the data size, it is almost the same.

By: Vinodh Krishnaswamy (Mon, 13 Jan 2020 07:30:06 +0000)
Preetham,
I believe both work differently. In PSMDB, the data files are encrypted by the database when you enable this option on first startup. In AWS, you enable the storage encryption while you create the instance. See here: https://docs.aws.amazon.com/documentdb/latest/developerguide/encryption-at-rest.html

By: Preetham (Sat, 11 Jan 2020 15:23:54 +0000)
How does this work when I am migrating the existing encrypted data on the Percona server to AWS DocumentDB? I am quite confused here; please explain it to me.

By: milsf (Tue, 20 Nov 2018 20:22:14 +0000)
Nils, the idea is that the key file is readable only by the process that runs mongodb (chmod 600). If you are using a non-login account, then only the root user can read the file. Yes, KMIP would be better, but if your root user is compromised, they probably have all the credentials they need to just go in and dump the data anyway.

By: Adam (Wed, 14 Nov 2018 16:32:32 +0000)
I have the same observation as Nils. Love the feature. Wish I had integration with a key provider, and I only mention that as a story for a future release.

By: Nils (Fri, 02 Nov 2018 08:51:20 +0000)
Great feature addition, with one caveat:
Other than being able to check off an item during an audit, what is the value of an encrypted system when you keep the key in plain text on the hard drive? It’s a pattern I see rather often. With local key management it’ll probably happen that the key is stored with the data and is available at rest, rendering the whole encryption moot.

This is great to measure the impact of encryption, but in production I’d rather have some other way to supply the key (even just obtaining it from a command instead would be enough).
