In this procedure, you will encrypt the databases of a replica set using rolling upgrades. This procedure assumes you have a three-member replica set up and running. Local key management does not meet most regulatory key management guidelines. If you use it, you must take care to manage your own keys securely.
1. Create a keyfile to use as the external master key.
2. In the mongo shell, log into one of the secondary members.
3. Shut down the server with these commands:
    use admin
    db.shutdownServer()
4. Delete the existing database files for this secondary member.
5. Restart the server with storage encryption enabled. You may wish to use a configuration file similar to the one below. In this command, cf.yaml is the name of the configuration file.
    mongod -f cf.yaml
6. Repeat Steps 3 through 5 for the other secondary member. Be sure to update the configuration file with the correct port and database path.
7. In the mongo shell, log into the primary member.
8. Step down the primary member with this command:
    rs.stepDown()
9. Repeat Steps 3 through 5 for the former primary member.
systemLog:
  destination: file
  path: /home/vagrant/M310-HW-2.5/r2/mongodb.log
storage:
  # Update dbPath (and net.port below) for each member, as in Step 6.
  dbPath: /home/vagrant/M310-HW-2.5/r2
processManagement:
  fork: true
security:
  authorization: disabled
  enableEncryption: true
  # Full path to the keyfile created in Step 1.
  encryptionKeyFile: /home/vagrant/mke
net:
  bindIp: database.m310.mongodb.university
  port: 31252
replication:
  replSetName: UNENCRYPTED
• When setting the encryptionKeyFile option, be sure to use full path names, not relative path names.
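
Steps 1 and 5 depend on the keyfile being well-formed, private to its owner, and referenced by a full path. The shell functions below are an added example, not part of the original procedure: they create such a keyfile and check it before mongod is restarted. The function names and the 32-byte key length are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original procedure). Function names are
# hypothetical; the key length of 32 bytes is this example's assumption.

# make_keyfile PATH: write a base64-encoded 32-byte random key that only the
# owner can read. umask runs in a subshell so the file is never world-readable.
make_keyfile() {
    ( umask 077 && head -c 32 /dev/urandom | base64 > "$1" ) && chmod 600 "$1"
}

# keyfile_from_config FILE: print the encryptionKeyFile value from a mongod
# YAML configuration file such as cf.yaml.
keyfile_from_config() {
    sed -n 's/^[[:space:]]*encryptionKeyFile:[[:space:]]*//p' "$1" | head -n 1
}

# check_keyfile PATH: return 0 if PATH is fit to use as encryptionKeyFile.
#   1 = relative path, 2 = file missing, 3 = group/other access, 4 = bad key
check_keyfile() {
    ck_path=$1
    case $ck_path in
        /*) ;;
        *) echo "keyfile path is not absolute: $ck_path" >&2; return 1 ;;
    esac
    [ -f "$ck_path" ] || { echo "keyfile not found: $ck_path" >&2; return 2; }
    # GNU stat first, BSD stat as a fallback.
    ck_mode=$(stat -c '%a' "$ck_path" 2>/dev/null || stat -f '%Lp' "$ck_path")
    case $ck_mode in
        [0-7]00) ;;
        *) echo "keyfile mode $ck_mode allows group/other access" >&2; return 3 ;;
    esac
    # Expect the 32-byte key that make_keyfile produces.
    ck_len=$(base64 -d < "$ck_path" 2>/dev/null | wc -c)
    [ "$ck_len" -eq 32 ] || { echo "keyfile does not decode to 32 bytes" >&2; return 4; }
    return 0
}

# Usage, with the paths from the sample configuration:
#   make_keyfile /home/vagrant/mke
#   check_keyfile "$(keyfile_from_config cf.yaml)" && mongod -f cf.yaml
```

Run the check on every member before Step 5, since each member reads the keyfile from its own configuration file.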