Data that is created, exchanged and stored in an organization is one of its most valuable assets. Securing that data from compromise and unauthorised access, especially when it comes to personally identifiable information (PII), financial, health or government information, should be at the very top of your priorities.

Authentication and authorization are not enough to fully secure your data; it also needs to be encrypted over the wire and on disk. MongoDB offers robust encryption features, some of which come out of the box on the MongoDB Atlas Data-as-a-Service platform, and this article covers them.

Encryption is the process that transforms plaintext data into an output known as ciphertext. This allows only authorized parties possessing valid decryption keys to read the data. (With MongoDB Atlas, a client is also required to pass authentication and authorization beforehand.)

MongoDB Atlas requires TLS encryption between client and server. Data is encrypted over the wire from the client to the Atlas cluster and back. Moreover, all disks are encrypted by default, with an option to enable WiredTiger encryption at rest using AWS KMS, Azure Vault or Google KMS.

How to Encrypt Data in MongoDB

MongoDB servers and MongoDB drivers/clients support the following methods of encrypting data:

  1. Encryption in Transit
  2. Encryption At Rest using MongoDB Atlas or MongoDB Enterprise
  3. Encryption in Use: Client-Side Field Level Encryption with MongoDB drivers and the shell

We’ll take a closer look at each approach. Although there are similarities between Atlas and self-hosted MongoDB, this article first explains the MongoDB Atlas encryption mechanisms.

MongoDB Atlas

Encryption in Transit/Transport (TLS)

MongoDB Atlas uses encryption in transit from the application client to the server and within intra-cluster communication by provisioning certificates for the servers. MongoDB Atlas uses certificates from the well-known Let’s Encrypt CA to authenticate TLS-enabled clients once they pass access and authentication controls.

Encryption at Rest

MongoDB encryption at rest is an Enterprise feature and requires the Enterprise binaries, which MongoDB Atlas runs. In a nutshell, encryption at rest is a protection layer that guarantees the written files or storage are only readable once decrypted by an authorized process/application.

MongoDB Atlas has built-in disk encryption at rest by default on every node in your cluster. However, you can also enable Encryption at Rest in the WiredTiger storage engine. It can work with the cloud provider key management service of your choice for your project (the providers listed above).

Client-Side Field Level Encryption

Starting with MongoDB version 4.2, a feature called MongoDB Client-Side Field Level Encryption was introduced. This framework allows MongoDB clients, such as drivers and the shell, to encrypt and decrypt fields locally with keys maintained in a secure repository (KMS). This adds another layer of security: sensitive information is never exposed over the wire or to database clients that do not possess the key needed to decrypt the data.

Any Atlas cluster with version 4.2 and above can take advantage of this feature.

Field Level Encryption can be either automatic or manual, and the keys are stored with one or more supported key providers (the example below uses the local provider).

To showcase this feature, let’s use a simple example utilizing the new mongosh shell.

Mongosh Example

Configure an Atlas free tier cluster, download and install the new mongosh.

Start the shell with no database connection so that the Field Level Encryption options can be supplied later on:

mongosh --nodb

Generate a master key.

var MY_LOCAL_KEY = crypto.randomBytes(96).toString('base64') // the 96-byte local master key; it can also be supplied via an environment variable, e.g. process.env.MY_KEY

Define the key vault namespace, the local KMS provider and the master key (the MY_LOCAL_KEY variable from the previous step):

var ClientSideFieldLevelEncryptionOptions = {
  "keyVaultNamespace" : "encryption.__dataKeys",
  "kmsProviders" : {
    "local" : {
      "key" : BinData(0, MY_LOCAL_KEY)
    }
  }
}

Put your Atlas connection string into the following connection; the password is read from an environment variable:

csfleDatabaseConnection = Mongo(
  `mongodb+srv://<user>:${process.env.dbpass}@<atlas-cluster>.mongodb.net/test`,
  ClientSideFieldLevelEncryptionOptions
)

Create a data encryption key in the key vault:

keyVault = csfleDatabaseConnection.getKeyVault();
var KEY_ID = keyVault.createKey(
  "local",
  [ "MyKey" ]
)

Write a document into the hr.employees collection with the taxid field encrypted, then read it back by querying on the encrypted value (deterministic encryption makes equality matching possible):

clientEncryption = csfleDatabaseConnection.getClientEncryption()

csfleDatabaseConnection.getDB("hr").getCollection("employees").insertOne({
  "name" : "J. Doe",
  "taxid" : clientEncryption.encrypt(
      KEY_ID,
      "123-45-6789",
      "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
   )
})

csfleDatabaseConnection.getDB("hr").getCollection("employees").findOne({
  "taxid" : clientEncryption.encrypt(
     KEY_ID,
     "123-45-6789",
     "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
   )
})

Since our connection automatically decrypts the values, we see them in clear text; however, connecting without the encryption keys (for example from Compass) shows the field values as asterisks, i.e. still encrypted.


Rotating Encryption Keys

One of the best practices for managing encryption keys is rotating them on a regular basis. This matters to database administrators because there is always a chance that a key will be compromised at some point; rotating keys reduces the risk that a leaked key compromises our data.

Both MongoDB Atlas encryption at rest and Client-Side Field Level Encryption have built-in guides for rotating the required keys, depending on the specific provider you are using.

Self-Hosted MongoDB Enterprise

Encryption in Transit/Transport (TLS)

MongoDB Server has mechanisms to enable TLS for client-to-server and intra-deployment communication. With self-hosted MongoDB servers you need to issue the relevant certificates and pass them to the server as configuration. See the following documentation. The commands below use the legacy --ssl* option names; MongoDB 4.2 and later also accept the equivalent --tlsMode requireTLS, --tlsCertificateKeyFile, --tls and --tlsCAFile options.

mongod --sslMode requireSSL --sslPEMKeyFile /path/to/validateServerCertificates.pem

A client connection looks something like the following command:

mongo --ssl --host hostname.example.com --sslCAFile /path/to/caToValidateServerCertificates.pem

Using Ops Manager or Cloud Manager, or the Kubernetes Operator, is the ideal way to manage the TLS/SSL configuration for your self-hosted clusters. Of course, a much more convenient way is to securely migrate your self-hosted deployments to MongoDB Atlas.

Encryption at Rest

The WiredTiger storage engine allows the server data files (collections and indexes) to be encrypted as they are written to disk. This secures your server against several risks:

  1. If someone gets hold of your data files or a backup, they will not be able to open them with another mongod binary to access the data, because they do not have the key that encrypted the data.
  2. No other software installed on the server can open the files or intercept the data at the operating system level, unlike with direct disk encryption, where the OS can read the decrypted database.

In a nutshell, the MongoDB Server, and only it, has access to an AES-256 master key, which is recommended to be securely stored in one or more KMIP (Key Management Interoperability Protocol) servers.

If you are running a self-hosted environment, see the following documentation for more on this topic.

Example of a simple single instance with a self-hosted encryption key file:

mongod --enableEncryption --encryptionKeyFile mongodb-keyfile

The encryption at rest feature is also used to encrypt the Ops Manager backups for self-hosted deployments managed by Ops Manager.

Rotating Encryption Keys

Encryption at rest for self-hosted deployments has several key rotation guides, depending on your deployment strategy.

Summary

MongoDB is a general-purpose, enterprise-grade database that provides several layers of standards-based encryption to cover your specific data security needs.

MongoDB Atlas makes deploying and operating these data security features even easier, as they come built in and can be enabled for your clusters in minutes.

FAQs

Is MongoDB Atlas secure?

Yes. MongoDB Atlas offers many enterprise-grade security features to comply with the industry's highest compliance requirements and security standards. Read more on our Trust Center.

Can I encrypt data in MongoDB?

Yes. There are several layers at which MongoDB can encrypt data, for example:

  • Transit/Transport layer
  • Encrypt database files and backups using WiredTiger Encryption at Rest
  • Client-Side Field Level Encryption to encrypt specific data/fields

How do I encrypt data in MongoDB?

MongoDB Atlas encrypts the transit/transport layer by default. Additionally, enabling Encryption at Rest is very easy.

Each layer has its own features and guidelines.

What is encryption at rest?

Encryption at rest is the ability of a process to encrypt its output files as it writes them. In MongoDB it's the WiredTiger engine that uses external keys to encrypt and decrypt its data files.

Should I encrypt my database?

It depends on the type of data stored. If the data you store is not sensitive and does not need to comply with certain regulations, you may decide to use other security mechanisms rather than encrypting the database. However, if you store sensitive or confidential information, you definitely need to consider encrypting your data.