{Event}  MongoDB is going on a world tour! Gather your team and head to your nearest MongoDB.local. Learn more >

At-Rest Encryption Best Practices

At-Rest Encryption tools that provide support for MongoDB should conform to the following Best Practices for certification against MongoDB Enterprise.


the best practices checklist and submit it with your application to expedite the certification process.

Please note that all certification categories require compliance with security best practices.


Tools should support MongoDB deployments that are hosted on Windows or Linux platforms.


  • Tools should support advanced encryption capabilities that are supported by broad industry standards bodies.
  • Tools should provide encryption capabilities that are transparent to MongoDB and do not interfere with standard database operation.
  • Tools should provide encryption capabilities that offer compliance with PCI-DSS, HIPAA HITECH, FERPA, Sarbanes-Oxley (SOX), UK Data Protection.


  • Tools should provide a centralized mechanism or infrastructure to create and deploy encryption keys, policies, and controls.
  • Tools should store encryption keys separate from encrypted data to minimize security risks in case of data breach.

Access Control

  • Tools should provide the ability to design and implement access control policies with individual user-level granularity.
  • Tools should support access control mechanisms that prevent accessing data within and outside of MongoDB.


Tools should audit and log actions that are monitored by policy controls for unauthorized access.


Tools should not significantly impact performance of a MongoDB deployment and performance profile or metrics must be submitted with certification application. Performance test should consist of a simple client-server test using the instructions found in the appendix below. Note: measurements are for internal validation only and will not be shared externally.


To measure performance, please conduct the following tests in an environment of your choice (bare metal, virtualized, cloud). The tests consist of ascertaining and initial baseline given the testing environment and then conducting the same tests with your software enabled.

  • 2 nodes will be required - one running MongoDB, the other to generate the workload

  • The MongoDB setup should be very minimal, simply download and run it with the default settings. Or you can use our packaging for yum or apt based distros. See here for complete instructions: http://docs.mongodb.org/manual/administration/install-on-linux/.
  • For load generation, use the MongoDB fork of YCSB: http://github.com/achille/YCSB
  • Create a new workload file and incorporate the following parameters (those not noted can remain at their defaults):
    • readproportion=0.5
    • updateproportion=0.5
    • scanproportion=0
    • insertproportion=0
    • requestdistribution=zipfian
    • recordcount=[ greater than system memory assuming 1KB records ]
    • operationcount = [ have of system memory assuming 1KB records ]
  • Execute the workload first with the “load” phase and next with the “run” phase:
    • Load:
      $ bin/ycsb load mongodb -s -P yourWorkloadFile -p mongodb.url=mongodb://hostname:port -threads [two per core] 
    • Run:
      $ bin/ycsb run mongodb -s -P yourWorkloadFile -p mongodb.url=mongodb://hostname:port -threads [two per core] 
  • Capture the output of both phases for each test, baseline and with your software and include with certification application.