How to implement data encryption at rest for MongoDB Community Edition?

Question:

I've gone through <a href="https://docs.mongodb.com/manual/tutorial/configure-encryption/" rel="nofollow">MongoDB docs</a> that explain how to configure encryption which is available in MongoDB Enterprise only.

How to implement data at rest in <strong>MongoDB Community Edition</strong> v3.4?

Answer1:

I was asking myself the same question just a few months ago. This is a list of options I have found so far:

<ul>
<li>Encrypt storage volumes at the file system level. It is what Atlas offers, and most cloud providers support it: <a href="http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html" rel="nofollow">http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html</a>, <a href="https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption" rel="nofollow">https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption</a> to name a few. Combined with cloud key management it is the simplest way IMHO. The same can be achieved for on-premises storage on most operating systems. Please ask how to do that in the <a href="https://serverfault.com/" rel="nofollow">relevant StackExchange community</a>, providing enough details about the underlying OS.</li>
<li><a href="https://www.percona.com/software/mongo-database/percona-server-for-mongodb" rel="nofollow">Percona MongoDB server</a> has some enterprise features, including audit and encryption. IIRC it uses disk encryption provided by the OS, so it's basically the same as the previous one.</li>
<li>Encrypt sensitive data at the application level, e.g. <a href="https://www.openssl.org/docs/manmaster/man1/rsautl.html" rel="nofollow">https://www.openssl.org/docs/manmaster/man1/rsautl.html</a>. It is a bit more flexible, but you will lose some features like full text search and sorting index on encrypted fields.</li>
<li>Buy an enterprise license. Does not answer the question directly, yet may be more cost-efficient compared to the previous options.</li>
</ul>

Answer2:

Like <a href="https://stackoverflow.com/a/46683999/4308032" rel="nofollow">Alex Blex suggested</a>, you have other options than Community Edition.

However, if you still want to go with Community Edition, you can use <a href="https://www.npmjs.com/package/mongoose" rel="nofollow">mongoose.js</a> for interacting with MongoDB. It has getters and setters that can fulfill your requirement:<br /><a href="http://mongoosejs.com/docs/2.7.x/docs/getters-setters.html" rel="nofollow">http://mongoosejs.com/docs/2.7.x/docs/getters-setters.html</a>

In your mongoose schema, you can specify get and set functions for fields.

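<pre><code>var mongoose = require('mongoose');
var Schema = mongoose.Schema;

// decryptFunction and encryptFunction must be defined before this point
var mySchema = new Schema({
  name: {
    type: String,
    default: '',
    trim: true,
    required: 'Please enter group name',
    unique: true,
    get: decryptFunction, // runs when the field is read
    set: encryptFunction  // runs when the field is assigned
  }
});

// apply getters when converting documents to plain objects or JSON
mySchema.set('toObject', {getters: true});
mySchema.set('toJSON', {getters: true});</code></pre>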

The set will be executed whenever you are assigning any value to the field. It will take the value as a parameter, and then you can write your own encryption logic.

The get will be executed whenever you access the field's value. It will get the encrypted value as a parameter and you can write your decryption logic there.

You will have to write the decryptFunction and encryptFunction.

<strong>However</strong>, you won't be able to query those fields with original values, as MongoDB does not know the text is encrypted.
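One way to write the two functions the answer leaves open, shown as an added example that is not part of the original answer: authenticated field encryption with AES-256-GCM from Node's built-in crypto module. The `enc:v1:` marker and the in-process random key are assumptions made so the example runs; a real deployment loads the key from a KMS or secret store kept off the database host.

```javascript
const crypto = require('crypto');

// Assumption: constructed key for the example only. In production the 32-byte
// key comes from a KMS or secret store, not from code or the database host.
const KEY = crypto.randomBytes(32);
const PREFIX = 'enc:v1:'; // hypothetical version marker for stored values
const IV_LEN = 12;        // 96-bit nonce, the recommended size for GCM
const TAG_LEN = 16;       // 128-bit authentication tag

// Setter: receives the plaintext assigned to the field, returns what is stored.
function encryptFunction(plain) {
  if (plain === undefined || plain === null || plain === '') return plain;
  const iv = crypto.randomBytes(IV_LEN); // fresh nonce for every value
  const cipher = crypto.createCipheriv('aes-256-gcm', KEY, iv);
  const ct = Buffer.concat([cipher.update(String(plain), 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  // Stored layout: marker + base64(iv || tag || ciphertext)
  return PREFIX + Buffer.concat([iv, tag, ct]).toString('base64');
}

// Getter: receives the stored value, returns the plaintext.
function decryptFunction(stored) {
  if (stored === undefined || stored === null || stored === '') return stored;
  if (typeof stored !== 'string' || !stored.startsWith(PREFIX)) {
    throw new Error('field value is not in the expected encrypted format');
  }
  const raw = Buffer.from(stored.slice(PREFIX.length), 'base64');
  if (raw.length < IV_LEN + TAG_LEN) throw new Error('ciphertext too short');
  const iv = raw.subarray(0, IV_LEN);
  const tag = raw.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = raw.subarray(IV_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', KEY, iv, { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  // final() throws if the stored value was modified or the key is wrong
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Because the nonce is random, the same plaintext never produces the same
// stored value twice: equality queries and a unique index on this field
// operate on ciphertext and cannot match or deduplicate by original value.
function sameStoredValue(plain) {
  return encryptFunction(plain) === encryptFunction(plain);
}
```

The random nonce is the concrete reason for the query limitation noted above, and it also means the `unique: true` option in the schema no longer enforces uniqueness of the plaintext names.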
