Open Source Transparent Database Encryption for MongoDB

This session introduces the encryption-at-rest features that already exist for MongoDB, focusing on those freely available in the open source packages. You will learn how to set it up, how to rotate the master key, and how to achieve a full rotation of the data encryption. You will also hear about the future direction of open source alternatives for MongoDB encryption.


1. Open Source Transparent Database Encryption for MongoDB
Peter Schwaller – Senior Director Server Engineering, Percona

2. Agenda
• Why encrypt?
• What gets encrypted?
• What is supported where?
• How does it all work?
• Future of open source solutions

3. Why Encrypt?
• Can help ensure compliance with security and privacy standards, including PCI-DSS, HIPAA, and FERPA.
• Ensures that exposure of DB files doesn’t lead to exposure of the stored data.

4. What is Supported Where?

   Feature                  MongoDB Community   MongoDB Enterprise   Percona Server for MongoDB
   Wired Tiger encryption   No                  Yes                  Yes
   Local Key File           No                  Yes                  Yes
   KMIP key management      No                  Yes                  No
   Vault key management     No                  No                   Planned
   MongoRocks encryption    N/A                 N/A                  No
   mmapv1 encryption        No                  No                   No
   redactClientLogData      No                  Yes                  Yes

5. What Gets Encrypted?
• Wired Tiger storage engine data
  • Collections, indexes, journal, Wired Tiger log files, etc.
• MongoDB log files are not encrypted
  • Use security.redactClientLogData to help obscure log file data

6. Getting Started (Local Keyfile Example)
1. Start with an empty datadir
2. Create a keyfile
   • openssl rand -base64 32 > mongodb-keyfile
3. Update permissions
   • chmod 600 mongodb-keyfile
4. Update mongod start parameters
   • --enableEncryption
   • --encryptionKeyFile <path to keyfile>

7. Under the Hood
• Each database is encrypted with an internally generated encryption key
• The Master Key or Keyfile is used to encrypt the internal keystore
• Encryption is performed at the page level, which improves performance
• If using a key manager, you can use --kmipRotateMasterKey to re-encrypt the internal keystore
  • This does NOT change the database/collection data on disk
• --encryptionCipherMode [AES256-CBC, AES256-GCM]
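As an added example that is not part of the talk, the following POSIX shell script carries out steps 1 to 4 of slide 6, checks the keyfile before mongod ever reads it, and writes the flags from slides 6 and 7 (plus redactClientLogData from slide 5) as the equivalent security.* YAML config. It assumes a scratch directory from mktemp in place of a real datadir; starting mongod itself is left to the reader.

```shell
#!/bin/sh
# Added example, not from the talk: create and verify the local keyfile from
# slide 6, then write the equivalent YAML config. Assumption: a mktemp scratch
# directory stands in for the datadir; starting mongod is left to the reader.
DEMO_DIR="${DEMO_DIR:-$(mktemp -d)}"
KEYFILE="$DEMO_DIR/mongodb-keyfile"

# Step 2: random 32-byte key (AES-256), base64 encoded; umask in a subshell
# so the file is never readable by others, even before step 3 runs.
make_keyfile() {
    ( umask 077
      if command -v openssl >/dev/null 2>&1; then
          openssl rand -base64 32 > "$KEYFILE"
      else
          head -c 32 /dev/urandom | base64 > "$KEYFILE"
      fi )
    chmod 600 "$KEYFILE"   # step 3: mongod rejects a keyfile readable by others
}

# Pre-start checks: mode is 0600 and the decoded key is exactly 32 bytes
# (a truncated or hand-edited keyfile otherwise fails only at mongod start).
keyfile_ok() {
    mode=$(stat -c '%a' "$KEYFILE" 2>/dev/null || stat -f '%Lp' "$KEYFILE")
    [ "$mode" = "600" ] || return 1
    nbytes=$(base64 -d "$KEYFILE" | wc -c | tr -d ' ')
    [ "$nbytes" -eq 32 ]
}

# Step 4 as a config file rather than flags: the same security.* options,
# plus redactClientLogData (slide 5) because the mongod log is not encrypted.
write_config() {
    mkdir -p "$DEMO_DIR/data"   # step 1: dbPath must be empty on first start
    cat > "$DEMO_DIR/mongod.conf" <<EOF
storage:
  dbPath: $DEMO_DIR/data
security:
  enableEncryption: true
  encryptionKeyFile: $KEYFILE
  encryptionCipherMode: AES256-CBC
  redactClientLogData: true
EOF
}

make_keyfile
keyfile_ok && echo "keyfile OK: $KEYFILE"
write_config
echo "start with: mongod --config $DEMO_DIR/mongod.conf"
```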

8. Rotate Encryption of Data
• Cannot change the internal database encryption key once data exists
• Must start a fresh replica set member and sync from scratch

9. What’s Next in Percona Server for MongoDB?
• Vault key management
  • Enables solutions compliant with standards
  • Align with Vault keyring support in Percona Server for MySQL
• Master key rotation
• Depending upon user interest, AWS KMS integration

10. Rate My Session

11. Thank You Sponsors!!