MongoDB Encryption

Introduction

Encryption is the process of encoding digital information to prevent unauthorized access and is a critical and fundamental component of any secure data-management system. MongoDB is among the leaders in providing no-nonsense NoSQL database encryption management solutions and MongoDB can accept any valid TLS/SSL certificate.

SSL is an acronym standing for “Secure Sockets Layer” and is the standard method of keeping online connections secure. TLS is an acronym for “Transport Layer Security,” which is an updated version of SSL. Most often, TLS security certificates are still referred to as SSL simply because is it a more wide-accepted term. This tutorial will examine the supported MongoDB Encryption methods and TLS connection within the replica set. A basic working knowledge of MongoDB authentications is required in able to execute the examples in this tutorial.

Prerequisites

  • Confirm that both MongoDB and a replica set are properly installed and configured before beginning the exercises in this tutorial.

  • A basic working knowledge of MongoDB authentications, such as X509 certificates, is required.

NOTE: MongoDB version 4.0.10 is used for the examples in this tutorial.

How to Enable TLS in MongoDB

Execute the following command to enable TLS between the MongoDB client and MongoDB:

mongod --sslMode requireSSL --sslPEMKeyFile server.pem

The above command informs MongoDB that certificates for the connections will be provided. This command requires all client connections be made via the TSL/SSL performing the encrypted connection.

How to enable the TLS for connection to the Replica Set

It is equally important that all replica set members also use TLS for communication.

The following script will set up the TLS connection within the replica set in a very straightforward manner:

mongod --sslMode requireSSL --sslPEMKeyFile server.pem --sslCAFile ca.pem --replSet sampleEncryptedReplSet --dbpath=r0/db --logpath=r0/db/mongo.log --port=27017 --fork

The above code informs MongoDB that SSL will be required. Next, the server’s certificate (–sslPEMKeyFile) must be passed followed by the CA certificate (–sslCAFile) so all users can be identified. Next, give the replica set a name, in this case “sampleEncryptedReplSet”. Finally, specify the dbpath, the logpath, the port, and then fork this process.

Repeat the same process with other replica sets, as needed. The only things that will require changing are the dbpath, logpath and the port number, leaving all other parameters the same. The results should resemble the following:

about to fork child process, waiting until server is ready for connections.
forked process: 7236

Now that all MongoDBs are up and running, connect to the first server by executing the following code:

mongo --ssl --sslPEMKeyFile client.pem --sslCAFile ca.pem

Now pass in the --ssl option for the SSL connection and then provide the client SSL certificate client.pem and then the CA’s certificate ca.pem by executing the following script:

MongoDB shell version: 4.0.10
connecting to: test
2019-07-10T25:07.437-0200 I CONTROL [initandlisten]
2019-07-10T25:07.437-0200 I CONTROL [initandlisten] ** WARNING: soft rlimits too low. number of files is 256, should be at least 1000

Now that the connection is established, initialize the replSet then add the members by executing the following script:

rs.initiate({_id: 'sampleEncryptedReplSet', version: 1, members: [{_id: 0, host: "localhost:27017"},{_id: 1, "localhost:27018"},{_id: 2, host: "localhost:27019"}]})

Notice in the above command that each member has its _id and hostnamestated.

NOTE: Use hostname in the above command as it is the value of the Alternative Name in the server certificate.

Conclusion

This tutorial covered the supported MongoDB encryption methods to prevent unauthorized access to the database. The article specifically demonstrated how to enable TLS in MongoDB, how to set up and enable a TLS connection within the replica set and enable TLS between the MongoDB client and MongoDB. Keep in mind that it is essential that all replica set members also use TLS for communication. Also remember that when instructing MongoDB of certificates used for the connections that all client connections must also be made via the TSL/SSL performing the encrypted connection.

Keep in the know!

Subscribe to our emails and we’ll let you know what’s going on at ObjectRocket. We hate spam and make it easy to unsubscribe.