Using SmartKey™ for MongoDB Encryption at Rest

MongoDB Enterprise supports encryption of data at rest. The encryption process involves generating a primary key, which is the root of the hierarchy of keys that MongoDB uses.

Cryptographically secure generation and secure management of this primary key are required for true security of the data that MongoDB encrypts at rest. SmartKey, with its KMIP support, provides a secure and flexible solution for this.

MongoDB supports KMIP and authenticates to a KMIP-enabled key management server using a client certificate. SmartKey lets clients and apps authenticate using an API Key, an App Id plus a certificate, or a certificate alone. In this article we describe how to set up an app in SmartKey so that MongoDB can integrate with SmartKey.

Adding App in SmartKey

Start by adding an App in SmartKey in an appropriate group or a new group. See Getting Started with SmartKey™.

Once you have added the application, note its App-Id.

  • From the App table view, click Copy UUID. You will need this App-Id for the certificate.

If an App / Client needs to authenticate to SmartKey using only the certificate, then the App Id must be embedded in the certificate in one of the following ways:

  • Provided as the value of the custom OID 1.3.6.1.4.1.49690.1.2.1 in the certificate

    Standard human-readable UUID encoding: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

  • Provided as the value of CN

Creating client certificate with custom OID value

You can generate a self-signed certificate such that the custom OID is part of the certificate.

  1. Edit the file /etc/ssl/openssl.cnf and add the custom OID in the new_oids section. These sections of the file should look as follows:

    oid_section           = new_oids

    # To use this configuration file with the "-extfile" option of the
    # "openssl x509" utility, name here the section containing the
    # X.509v3 extensions to use:
    # extensions          =
    # (Alternatively, use a configuration file that has only
    # X.509v3 extensions in its main [= default] section.)

    [ new_oids ]
    my_app_id=1.3.6.1.4.1.49690.1.2.1

  2. Now, add a description in the req_distinguished_name section:

    my_app_id = custom attribute for app id

  3. Save the file and generate a self-signed certificate as usual. You will be prompted for the value of the custom attribute; enter the App Id you noted earlier.

    The generated certificate will have the value of the custom OID populated.

Examine the subject in the certificate to verify that it contains the custom OID. A correctly generated certificate should look as follows (note the value of the custom OID in the subject):

Creating client certificate with App Id as CN

You can generate a self-signed certificate such that the CN contains the App Id.

Generate a self-signed certificate as usual.

  • When prompted for Common Name, enter the App Id you noted earlier.

The generated certificate will have the App Id as its CN.

Examine the subject in the certificate to verify that it contains the App Id as CN. A correctly generated certificate should look as follows (note the value of CN):

Setting App Authentication Method as certificate

Once you have the certificate, you will need to change the authentication method for your app in SmartKey to use certificate instead of API key.

To change the authentication method, go to the application detail page of your app, open the Info tab, and open the Change authentication method drop-down. Select “Certificate” and click Save. You will be prompted to upload a certificate. Upload your certificate and click Update. Your app is now set to authenticate using the certificate you created.

Configuring Encryption in MongoDB

You need to start MongoDB with the options to configure encryption and point it to SmartKey as the key manager. MongoDB will use the certificate you created in the earlier step to authenticate to SmartKey.

Note

  • If you already have data in MongoDB, then starting MongoDB with encryption enabled will not work.
  • The certificate needs to be in PEM format.
  • The private key and the certificate need to be concatenated into one file.

Copy your private key followed by the certificate into a file, say client.pem. It should look as follows:

    -----BEGIN PRIVATE KEY-----
    MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC5/MzwY4GcIkyU
    …
    9R9EpY5ob2xaorfyEDZR2A==
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIEUTCCAzmgAwIBAgIJAJxAy7ghYZjwMA0GCSqGSIb3DQEBCwUAMIG+MQswCQYD
    …
    7Do/CpP2WqIk5uojq4SO5Z+/8zs0rzVNwYaKnyMSmxO+c3bC4guYB/vdEcT1wXzy
    bDh/HRo=
    -----END CERTIFICATE-----
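As an added check, not part of this article or of SmartKey's tooling, the following Python script (standard library only; all function names are mine) walks the DER of the certificate in client.pem to its subject and reports which App Id it carries, preferring the custom OID over CN, so it covers both embedding options described above as well as the key-then-certificate file layout. It assumes one attribute per RDN, which is what the interactive openssl prompts produce, and that the App Id is a UUID in the standard human-readable form.

```python
import base64
import re

APP_ID_OID, CN_OID = "1.3.6.1.4.1.49690.1.2.1", "2.5.4.3"  # SmartKey custom OID (from the article), id-at-commonName
UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

def read_tlv(buf, pos):
    """One DER TLV at pos -> (tag, value, next pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give how many bytes hold the real length
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """OID content bytes -> dotted text; the first byte packs two arcs as 40*a + b."""
    arcs, acc = [], 0
    for b in raw:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, [arcs[0] // 40, arcs[0] % 40] + arcs[1:]))

def parse_name(name_tlv):
    """X.501 Name (SEQUENCE OF SET OF {OID, value}) -> [(oid, text)], one attribute per RDN."""
    rdns, attrs, pos = read_tlv(name_tlv, 0)[1], [], 0
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)
        _, atv, _ = read_tlv(rdn, 0)
        _, oid_raw, p = read_tlv(atv, 0)
        _, val_raw, _ = read_tlv(atv, p)
        attrs.append((decode_oid(oid_raw), val_raw.decode("utf-8")))
    return attrs

def subject_of_cert(cert_der):
    """Certificate -> tbsCertificate; skip [0] version, serial, sigAlg, issuer, validity -> subject TLV."""
    tbs = read_tlv(read_tlv(cert_der, 0)[1], 0)[1]
    pos = read_tlv(tbs, 0)[2] if tbs[0] == 0xA0 else 0  # [0] EXPLICIT version is optional
    for _ in range(4):
        _, _, pos = read_tlv(tbs, pos)
    return tbs[pos:read_tlv(tbs, pos)[2]]

def find_app_id(attrs):
    """Custom OID wins over CN; only a well-formed UUID is accepted as the App Id."""
    hits = [v.lower() for oid in (APP_ID_OID, CN_OID) for o, v in attrs if o == oid and UUID_RE.match(v)]
    return hits[0] if hits else None

def app_id_from_client_pem(pem_text):
    """Read the CERTIFICATE block of client.pem (private key first, then certificate) and report its App Id."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S).group(1)
    return find_app_id(parse_name(subject_of_cert(base64.b64decode("".join(body.split())))))
```

Run `app_id_from_client_pem(open("client.pem").read())` on the file you built; a result of None means the subject carries no UUID under either the custom OID or CN, so SmartKey will not be able to map the certificate to your app.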

To start MongoDB with encryption enabled and a new primary key, start it with the following options:

    /usr/bin/mongod --config /etc/mongod.conf --enableEncryption --kmipServerName <SmartKey Host name> --kmipPort 5696 --kmipServerCAFile SmartKey_CA.pem --kmipClientCertificateFile client.pem

Explanation of parameters:

  • --enableEncryption: enable encryption at rest
  • --kmipServerName <arg>: SmartKey host name
  • --kmipPort <arg>: KMIP server port (defaults to 5696)
  • --kmipClientCertificateFile <arg>: client certificate for authenticating to the SmartKey server
  • --kmipServerCAFile <arg>: CA file for validating the connection to the SmartKey server. This is optional and only required if you are running an on-premise SmartKey server that uses a certificate signed by a non-standard CA

For more details on MongoDB encryption at rest and other configuration options, see the MongoDB Manual.

Once MongoDB starts and successfully connects to SmartKey, it requests SmartKey to generate a primary key (AES-256). You can check this in the SmartKey WebUI under the Security Objects page. Every time MongoDB is restarted, it authenticates to SmartKey and retrieves the value of the primary key. With SmartKey you get a complete audit trail of every time this primary key is retrieved. You also have complete control over the primary key: you can revoke access to the key or disable it in case you want to lock down your data at rest.

This example shows the activity logs for the MongoDB application and an audit trail of primary key usage: