I'm looking to design a webapp which stores private information securely using MongoDB. I would like to encrypt the entire database but it looks like it's not supported. What routes can I take to encrypt my database?
- You can encrypt the data you insert into it (which makes querying it messy) and/or you can encrypt the filesystem where the DB is stored and/or you can encrypt the socket connection. What's the threat model? – symcbean, Jan 10, 2012 at 13:05
- I want to make a cloud-based personal organizer to manage passwords and other private data. I want to go a step further than just encrypting data that is going into the database - I don't want to know the kind of data users are submitting. I'm leaning towards putting the database on an encrypted volume but that still leaves me with a security risk when the volume is mounted. – devnill, Jan 10, 2012 at 21:56
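The application-level option raised in the comments above, as an added example that is not from any poster on this page: fields are encrypted on the client with Node's built-in `crypto` module before a document would be inserted, and a keyed hash is stored alongside so that equality lookups still work. The document shape, field names, salt and passphrase are constructed assumptions, and no MongoDB driver is involved; the objects stand in for what would be passed to an insert.

```javascript
// Added example: client-side field encryption before a document reaches MongoDB.
const crypto = require("node:crypto");

// Derive two independent keys from the user's passphrase (never sent to the server).
function deriveKeys(passphrase, salt) {
  const okm = crypto.scryptSync(passphrase, salt, 64);
  return { encKey: okm.subarray(0, 32), indexKey: okm.subarray(32) };
}

// AES-256-GCM with a fresh random nonce: the same plaintext yields a different
// ciphertext each time, so the server cannot match or range-query the stored value.
function encryptField(encKey, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", encKey, iv);
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString("base64");
}

// Layout of the stored blob: 12-byte nonce | 16-byte auth tag | ciphertext.
function decryptField(encKey, blob) {
  const raw = Buffer.from(blob, "base64");
  const d = crypto.createDecipheriv("aes-256-gcm", encKey, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString("utf8");
}

// Keyed hash stored beside the ciphertext: supports equality lookup only.
function blindIndex(indexKey, value) {
  return crypto.createHmac("sha256", indexKey).update(value.toLowerCase()).digest("hex");
}

// Build the document the server would store (hypothetical shape).
function sealEntry(keys, site, password) {
  return {
    site_idx: blindIndex(keys.indexKey, site),
    site: encryptField(keys.encKey, site),
    password: encryptField(keys.encKey, password),
  };
}

// Constructed sample data.
const keys = deriveKeys("correct horse battery staple", Buffer.from("per-user-salt-01"));
const stored = [sealEntry(keys, "example.org", "hunter2"), sealEntry(keys, "example.net", "s3cret")];
// An equality query goes through the blind index, as find({ site_idx: ... }) would.
const hit = stored.find((d) => d.site_idx === blindIndex(keys.indexKey, "Example.org"));
console.log(decryptField(keys.encKey, hit.password));
```

The blind index shows the server which entries share the same value, and prefix, range and regex queries on the encrypted fields are not possible at all, which is the "messy" querying the first comment refers to.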
3 Answers
MongoDB 3.2 (released in November 2015) offers an encrypted storage engine. No need to use third-party APIs to encrypt your data before insertion or encrypt the whole drive. You can find more details here. However, note that it is only offered for the Enterprise edition.
It works with the WiredTiger storage engine, which has been included as an alternative to the default MMAPv1 storage engine since 3.0. If your database is still using MMAPv1, read this guide for the steps to convert a database from MMAPv1 to WiredTiger.
As Fernando Paz noted in the comments, the encrypted storage is only available in MongoDB Enterprise edition.
3 Comments
Great question! With Big Data on the rise, securing data at rest is more important than ever!
MongoDB doesn't support this directly, but Gazzang's Encryption & Key Management Platform has been specifically tailored for MongoDB (though it works with other NoSQL database systems too). It is a commercial solution built on top of the open source eCryptfs encrypted filesystem in Linux, and it performs the encryption on the underlying filesystem in a way that security is maximized with minimal adverse effects on performance.
With customizable Access Control Lists, your unencrypted MongoDB data will only be accessible by users or processes of your choice. Check out this Big Data Security whitepaper or visit www.securingbigdata.com for more information.
Full disclosure: I'm employed by Gazzang.
2 Comments
I would recommend that you use LUKS to encrypt your data volume. It is fairly simple to set up and manage compared to file system based encryption. It is also portable to various flavors of Linux and also has flexibility to let you change your password. If you need a solution out of the box, Scalegrid.io encryption support provides this feature in the MongoDB cluster creation wizard.
Disclaimer: I am the founder of Scalegrid.io