How to encrypt mongo db data?

We want to use mongo db in our application so our data must be encrypted in mongodb. As per documents we are trying to use Enterprise edition but still unable to configure encryption. Can you please guide us. We are using windows.

Welcome to the MongoDB community @Deepak_Maharana !

Can you provide more information on your use case:

Thanks,
Stennie

Hey @Stennie thanks for your response. Please find below answers for your query

I am using version 6 enterprise edition.
I have deployed it in my local setup Amazon ec2.
I am trying to configure Encryption at Rest using local key file.
Now i am unable to connect the server using java driver, can you please tell me how to connect the server using local key file.

Hi @Deepak_Maharana,

My previous comment has links to relevant documentation.

Encryption at Rest is configured on the MongoDB server and does not require any client or driver parameters.

If you have also configured TLS Network Encryption (always recommended), then you will have to provide appropriate certificates to connect from a client/driver.

The MongoDB Security Checklist has a helpful overview of security measures you should implement to protect your MongoDB installation.

What specific version of the Java driver are you using and what is the error message?

Were you able to connect with the Java driver before making server configuration changes?

Regards,
Stennie

Hey @Stennie Thanks for your response, I have doubts regarding Encryption at Rest. If Client dose not required any parameter to connect the Server then any client can connect my db server and fetch my data right? Then how Encryption at Rest will work? I understood Network Encryption but how to make a client which will access the server data if the client has the same key file.

Hi @Deepak_Maharana ,

Remote access to a MongoDB deployment is determined by Access Control including authentication and Role-Based access. With access control properly configured, a remote client must present valid credentials in order to remotely view or manipulate data in your deployment.

Encryption at rest refers to the underlying data files, not remote connections. If someone had a physical copy of data files (for example, from a backup of your MongoDB deployment) the files would not be decipherable without the private encryption key.

Network encryption encrypts data in transit to and from your MongoDB deployment.

All of the above security measures are separately configured, but complementary as part of a well secured deployment. The Security Checklist mentions a few other measures including limiting network exposure via firewalls and VPNs.

To summarise, you can configure:

  • Role-Based Access Control to limit remote access to your deployment
  • Network Encryption to securely communicate with your deployment
  • Encryption at Rest to prevent access to the raw data files
  • Limited Network Exposure via network and O/S configuration
  • (optionally) Queryable Encryption to encrypt sensitive fields within documents

Regards,
Stennie