MongoDB Encryption
Introduction
Encryption encodes data so that only parties holding the right key can read it, and it is a fundamental component of any secure data-management system. This tutorial covers transport encryption for MongoDB: mongod and the mongo shell can use TLS/SSL to encrypt and authenticate connections, and they accept any valid TLS/SSL certificate (including one issued by your own certificate authority) supplied as a PEM file.
SSL stands for "Secure Sockets Layer"; TLS stands for "Transport Layer Security" and is its successor. SSL itself is obsolete and modern deployments negotiate TLS, but certificates and configuration options are still commonly labelled "SSL" because the term is more widely known. MongoDB 4.0's --ssl* options are an example of this naming (they were renamed to --tls* in MongoDB 4.2). This tutorial examines how to enable TLS between the mongo shell and mongod and between the members of a replica set. A basic working knowledge of MongoDB authentication is required to follow the examples.
Prerequisites
Confirm that MongoDB is installed and that the data and log directories for the replica set members exist before beginning the exercises in this tutorial.
A basic working knowledge of MongoDB authentication mechanisms, such as x.509 certificate authentication, is also required.
NOTE: MongoDB version 4.0.10 is used for the examples in this tutorial.
How to Enable TLS in MongoDB
Execute the following command to enable TLS between the MongoDB client and mongod:

```
mongod --sslMode requireSSL --sslPEMKeyFile server.pem
```

--sslMode requireSSL makes mongod accept only TLS/SSL connections, and --sslPEMKeyFile points to the PEM file that contains the server's certificate and its private key. Note that without --sslCAFile mongod has no trust anchor with which to validate a certificate that a client presents; the replica set command in the next section adds it.
How to enable TLS for connections within the Replica Set
It is equally important that all replica set members use TLS when they communicate with each other, because replication traffic carries the same data as client traffic.
The following command starts the first member with TLS required:

```
mongod --sslMode requireSSL --sslPEMKeyFile server.pem --sslCAFile ca.pem --replSet sampleEncryptedReplSet --dbpath=r0/db --logpath=r0/db/mongo.log --port=27017 --fork
```

As before, --sslMode requireSSL makes TLS mandatory and --sslPEMKeyFile supplies the server's certificate and private key. --sslCAFile supplies the CA certificate that mongod uses to validate the certificates presented by clients and by the other members. --replSet names the replica set, in this case "sampleEncryptedReplSet". Finally, --dbpath and --logpath set the data and log locations (the directories must already exist), --port sets the listening port, and --fork runs the process in the background.
Repeat the same command for the other members. Only --dbpath, --logpath and --port change (for example r1/db and port 27018 for the second member); all other parameters stay the same. Each start should print something like:

```
about to fork child process, waiting until server is ready for connections.
forked process: 7236
```
Now that all mongod instances are running, connect to the first one with the mongo shell:

```
mongo --ssl --sslPEMKeyFile client.pem --sslCAFile ca.pem
```

--ssl requests a TLS connection, --sslPEMKeyFile supplies the client's certificate and private key (client.pem), and --sslCAFile supplies the CA certificate (ca.pem) that the shell uses to verify the server's certificate. The shell output resembles the following:

```
MongoDB shell version: 4.0.10
connecting to: test
2019-07-10T25:07.437-0200 I CONTROL [initandlisten]
2019-07-10T25:07.437-0200 I CONTROL [initandlisten] ** WARNING: soft rlimits too low. number of files is 256, should be at least 1000
```
Now that the connection is established, initiate the replica set with all three members in a single call:

```
rs.initiate({_id: 'sampleEncryptedReplSet', version: 1, members: [{_id: 0, host: "localhost:27017"}, {_id: 1, host: "localhost:27018"}, {_id: 2, host: "localhost:27019"}]})
```

Each member is listed with its _id and its host (hostname:port), and the _id of the configuration must equal the --replSet name given to mongod.
NOTE: The host name used for each member must match a name in the server certificate's Subject Alternative Name (here localhost). Members validate each other's certificates against that name when they connect, so a mismatch prevents the set from forming.
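As an added worked example (not code from the original article), the following POSIX shell script builds with openssl the three PEM files that the mongod and mongo commands above expect: ca.pem, server.pem (certificate plus private key in one file, as --sslPEMKeyFile requires) and client.pem. It then performs the two checks that matter for this setup: that each certificate chains to the CA named by --sslCAFile, and that the server certificate's Subject Alternative Name lists the host name passed to rs.initiate(). The CA subject, the OU values, the output directory, the certificate lifetime and the use of localhost as the member address are assumptions made for this example.

```shell
#!/bin/sh
# Added example for this tutorial, not code from the original article:
# build a local CA plus server and client certificates for the replica set
# above. Output names match the mongod/mongo commands: ca.pem, server.pem,
# client.pem. Subjects, OUs, lifetime and directory are arbitrary assumptions.

RS_NAME="sampleEncryptedReplSet"   # must equal --replSet and the rs.initiate() _id
DAYS=365                           # certificate lifetime (assumption)

# Issue a certificate signed by the demo CA in $1.
#   $2 = file stem (server|client), $3 = subject, $4 = X.509v3 extensions
issue_cert() {
  dir=$1 stem=$2 subj=$3 exts=$4
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$stem.key" \
      -out "$dir/$stem.csr" -subj "$subj" 2>/dev/null || return 1
  printf '%s\n' "$exts" > "$dir/$stem.ext"
  openssl x509 -req -in "$dir/$stem.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -days "$DAYS" -extfile "$dir/$stem.ext" \
      -out "$dir/$stem.crt" || return 1
  # --sslPEMKeyFile wants the certificate AND its private key in one file.
  cat "$dir/$stem.crt" "$dir/$stem.key" > "$dir/$stem.pem"
}

# Create ca.pem, server.pem and client.pem under directory $1.
make_pki() {
  dir=$1
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
  mkdir -p "$dir" || return 1
  # 1. Self-signed CA. CA:TRUE and keyCertSign are set explicitly so that
  #    verifiers (openssl verify, mongod) accept it as an issuer.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
      -out "$dir/ca.csr" -subj "/CN=Demo MongoDB CA/O=Example/OU=CA" 2>/dev/null || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
      > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days "$DAYS" \
      -extfile "$dir/ca.ext" -out "$dir/ca.crt" || return 1
  cp "$dir/ca.crt" "$dir/ca.pem"
  # 2. Server certificate shared by the members. The SAN must list every name
  #    the members are addressed by (the hosts passed to rs.initiate()).
  issue_cert "$dir" server "/CN=localhost/O=Example/OU=Servers" \
      'subjectAltName=DNS:localhost,IP:127.0.0.1
extendedKeyUsage=serverAuth,clientAuth' || return 1
  # 3. Client certificate for the mongo shell; a different OU from the members.
  issue_cert "$dir" client "/CN=demo-client/O=Example/OU=Clients" \
      'extendedKeyUsage=clientAuth' || return 1
}

# Return 0 if certificate $2 chains to the CA bundle $1 (what --sslCAFile enables).
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Return 0 if certificate $1 carries DNS name $2 in its Subject Alternative Name.
san_has_dns() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' \
    | grep -Eq "(^|[[:space:],])DNS:$2([[:space:],]|$)"
}

# Print the mongod command line for member $2 using the PKI in $1:
# port 27017+$2 and data/log under r$2/db, following the article's layout.
member_cmd() {
  dir=$1 i=$2
  printf 'mongod --sslMode requireSSL --sslPEMKeyFile %s/server.pem --sslCAFile %s/ca.pem --replSet %s --dbpath=r%s/db --logpath=r%s/db/mongo.log --port=%s --fork\n' \
      "$dir" "$dir" "$RS_NAME" "$i" "$i" "$((27017 + i))"
}

# Demo run: build the PKI, run the two checks, print the three member commands.
PKI_DIR="${PKI_DIR:-./mongo-tls-demo}"
if make_pki "$PKI_DIR"; then
  verify_chain "$PKI_DIR/ca.pem" "$PKI_DIR/server.crt" && echo "server.pem chains to ca.pem"
  verify_chain "$PKI_DIR/ca.pem" "$PKI_DIR/client.crt" && echo "client.pem chains to ca.pem"
  san_has_dns "$PKI_DIR/server.crt" localhost && echo "server certificate SAN covers localhost"
  i=0
  while [ "$i" -lt 3 ]; do member_cmd "$PKI_DIR" "$i"; i=$((i + 1)); done
fi
```

The printed commands are the ones from the section above with the generated file paths filled in; create the r0/db, r1/db and r2/db directories before running them. If members are addressed by a real host name instead of localhost, add that name to the subjectAltName line, because mongod validates the peer's certificate against the host name it connected to. The san_has_dns check only looks at DNS entries; an IP-only SAN would need a check on the IP Address field instead.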
Conclusion
This tutorial covered MongoDB's transport encryption with TLS to prevent unauthorized access to data on the wire. It specifically demonstrated how to enable TLS in mongod, how to start the replica set members with TLS required, and how to connect the mongo shell over TLS with a client certificate. Keep in mind that it is essential that all replica set members also use TLS for communication, and that once mongod is started with --sslMode requireSSL every client connection must be made over TLS/SSL.