MongoDB Encryption Fundamentals


If your organization is using MongoDB, data security is likely to be one of your top priorities. Fortunately, MongoDB is the clear leader among other players in the NoSQL space when it comes to encryption. In this article, we’ll discuss some MongoDB encryption fundamentals and explain how MongoDB encryption is designed to optimize performance.

Understanding MongoDB Encryption

Our discussion of MongoDB encryption fundamentals will look at two different encryption solutions: encryption for data in motion and for data at rest.

Encryption for Data in Motion

MongoDB supports two types of encryption for data in motion: SSL (Secure Sockets Layer) and TLS (Transport Layer Security). These protocols are used wherever data is sent or received over a network. The data is protected only while it is actually in transit; it is unencrypted before it is sent and after it arrives at its destination. You can consult MongoDB’s documentation for information on configuring both SSL and TLS with private and public key pairs, an approach known as asymmetric key encryption.

Encryption for Data at Rest

Data at rest is encrypted by MongoDB’s native symmetric key encryption, which takes place at the file level. This type of encryption, which solves the issue of securing data at rest, is known as Transparent Data Encryption (TDE). The encryption algorithm used by MongoDB is the 256-bit Advanced Encryption Standard (AES); this cipher uses a single secret key for both encryption and decryption. If you’re using encryption with MongoDB, you can configure it to run in FIPS mode. Turning this on means that the encryption being used is validated to the Federal Information Processing Standard (FIPS). FIPS encryption, which is designed to meet the toughest standards and most rigorous compliance requirements, is commonly used in Department of Defense and other government applications, although it’s becoming an industry standard in many other areas as well. It’s important to know that AES encryption for data at rest is only available with MongoDB Atlas and Enterprise.

When you’re using TDE for encryption, it’s helpful to understand how MongoDB stores the keys. A unique private key is created whenever an administrator encrypts a file in the database. All the keys in the storage device are subsequently encrypted with a master key. For an added layer of security, MongoDB doesn’t permit the master key to reside on the same server as the data being encrypted, so the database administrator needs to use a different secure storage method for the master key. It’s best to use a third-party key management solution for this purpose. While some users do store their keys locally, this is a risky option that MongoDB strongly discourages.
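The two settings discussed above, TLS for data in motion and the location of the master key for data at rest, can be checked on a running node. The following is an added example, not ObjectRocket's or MongoDB's code: it audits the `parsed` options document returned by `db.adminCommand({getCmdLineOpts: 1})`. The sample documents, host names and file paths are constructed, and it assumes the option names from MongoDB's configuration file (`net.tls.*`, `security.enableEncryption`, `security.encryptionKeyFile`, `security.kmip.*`).

```python
import json

# Constructed samples of the "parsed" section of getCmdLineOpts output
# for two hypothetical nodes (paths and host names are placeholders).
WEAK = json.loads("""{
  "net": {"port": 27017, "tls": {"mode": "allowTLS"}},
  "security": {"enableEncryption": true,
               "encryptionKeyFile": "/etc/mongodb/local.key"}
}""")
HARDENED = json.loads("""{
  "net": {"port": 27017,
          "tls": {"mode": "requireTLS", "FIPSMode": true,
                  "certificateKeyFile": "/etc/ssl/mongod.pem",
                  "CAFile": "/etc/ssl/ca.pem"}},
  "security": {"enableEncryption": true,
               "kmip": {"serverName": "kmip.example.internal", "port": 5696}}
}""")

def get(doc, path, default=None):
    """Walk a dotted path through nested dicts; return default if absent."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return default
        doc = doc[key]
    return doc

def audit(parsed):
    """Return findings for the in-motion and at-rest settings."""
    findings = []
    # Older deployments use net.ssl.mode; treat both spellings alike.
    mode = get(parsed, "net.tls.mode") or get(parsed, "net.ssl.mode", "disabled")
    if mode not in ("requireTLS", "requireSSL"):
        findings.append(f"in-motion: mode is {mode!r}; plaintext connections are accepted")
    if not get(parsed, "net.tls.FIPSMode", False):
        findings.append("note: FIPS mode is off")
    if not get(parsed, "security.enableEncryption", False):
        findings.append("at-rest: storage encryption is disabled")
    elif get(parsed, "security.encryptionKeyFile"):
        # The master key sits on the same server as the data it protects.
        findings.append("at-rest: master key is a local key file")
    elif not get(parsed, "security.kmip.serverName"):
        findings.append("at-rest: no external key manager (KMIP) configured")
    return findings

if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(doc))
```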

MongoDB Encryption and Performance

It’s important to keep performance in mind when you’re using encryption with MongoDB. If your organization is storing huge amounts of data that’s being accessed frequently by applications, performance is a significant concern. Even a small amount of downtime or minor latency can cause problems with business operations. That’s why MongoDB has put its product through rigorous testing to determine the impact of encryption on performance. These tests showed that even at maximum load, a storage engine using encryption will experience added latency of about 10 to 20 percent. This level of latency would likely occur in situations where users are writing a large volume of data to the database. However, most typical user scenarios involve read operations instead of write operations; in these situations, the impact of encryption on performance is negligible.

MongoDB has relied on the encrypted storage engine WiredTiger as its default storage engine since the release of version 3.2. WiredTiger, which was acquired by MongoDB in 2014, is known for its security, high scalability and optimized performance. A key way that WiredTiger optimizes encryption performance is by taking encryption to the page level. This may seem like a small difference, but the benefit is significant: When users perform a write or read operation against an encrypted database, that operation will only impact the specific page where the data is stored, instead of impacting the whole database.


Data security is a significant area of concern for many organizations, so it’s important to use a database with a reliable, easy-to-use encryption option. With MongoDB, it’s easy to enable encryption for both data in motion and data at rest. Although we’ve provided an overview of MongoDB encryption fundamentals in this article, you may still have questions or find yourself struggling with an encryption issue. Please don’t hesitate to contact ObjectRocket with your concerns. We’re happy to help you tackle any issues you’re having with MongoDB.
