
MongoDB Notes


Encrypting the Database with Local Key Management



In this procedure, you will encrypt the databases of a replica set with a rolling procedure: each member in turn is shut down, has its unencrypted data files removed, and is restarted with encryption enabled, after which it rebuilds its copy of the data through an initial sync from the other members. The procedure assumes you have a three-member replica set up and running on MongoDB Enterprise (encryption at rest is an Enterprise feature of the WiredTiger storage engine). Local key management does not meet most regulatory key-management guidelines, because the master key lives in a plain file on the same host as the data it protects. If you use it, you are responsible for protecting and backing up that key yourself: anyone who can read the key file can decrypt the data files, and if the key is lost the encrypted files cannot be read at all.


1.Create a keyfile to use as the external master key. The file holds the base64 encoding of the key (MongoDB's documentation generates it with openssl rand -base64 32) and must be readable only by the user that runs mongod (chmod 600).

2.In the mongo shell, connect to one of the secondary members.

3.Shut down the server from the shell. db.shutdownServer() must be run against the admin database:


use admin

db.shutdownServer()



4.Delete the existing database files for this secondary member (the contents of its dbPath). Existing files cannot be encrypted in place; the member is rebuilt by an initial sync from the other members, and the files written by that sync are encrypted.

5.Restart the server with storage encryption enabled, using a configuration file like the one below. In this command, cf.yaml is the name of the configuration file.


mongod -f cf.yaml


6.Wait until this member has completed its initial sync and reports SECONDARY in rs.status(), so that a full copy of the data exists on more than one member, then repeat Steps 3 through 5 for the other secondary member. Be sure to update the configuration file with the correct port and database path.

7.In the mongo shell, connect to the primary member.

8.Step down the primary member with this command. It becomes a secondary and one of the already encrypted members is elected primary:


rs.stepDown()

9.Repeat Steps 3 through 5 for the former primary member.
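The whole procedure above, written as shell functions, as an added example that is not part of the original page and is not MongoDB's own tooling. It assumes the MongoDB Enterprise mongod and mongo binaries are on PATH, that every member is reachable on localhost, and that the caller supplies the member list as "port:dbPath:logPath" strings (secondaries first, primary last); the 16/24/32-byte acceptance set in check_master_key is this example's own assumption (the AES key sizes), and the generated configuration mirrors the page's example file, including its authorization: disabled setting.

```shell
#!/bin/sh
# Added example: rolling local-key encryption of a replica set as shell functions.
# Assumes mongod/mongo (Enterprise) on PATH and members on localhost; all paths
# and member lists are supplied by the caller and are illustrative.
set -eu

# Step 1: create the master key file. Follows the documented pattern
# (openssl rand -base64 32, chmod 600): base64 text, owner-readable only.
make_master_key() {
  keyfile=$1
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 32 > "$keyfile"
  else
    head -c 32 /dev/urandom | base64 | tr -d '\n' > "$keyfile"
  fi
  chmod 600 "$keyfile"
}

# Pre-flight check: absolute path (mongod forks, so a relative path is fragile),
# strict mode, and a decoded length that is an AES key size (16/24/32 is this
# example's assumption). Cheaper to fail here than after the data files are gone.
check_master_key() {
  keyfile=$1
  case "$keyfile" in
    /*) ;;
    *) echo "key path must be absolute: $keyfile" >&2; return 1 ;;
  esac
  [ -f "$keyfile" ] || { echo "missing key file: $keyfile" >&2; return 1; }
  mode=$(stat -c '%a' "$keyfile" 2>/dev/null || stat -f '%Lp' "$keyfile")
  case "$mode" in
    600|400) ;;
    *) echo "key file mode is $mode, want 600" >&2; return 1 ;;
  esac
  nbytes=$(base64 -d "$keyfile" 2>/dev/null | wc -c | tr -d ' ')
  case "$nbytes" in
    16|24|32) ;;
    *) echo "decoded key is $nbytes bytes, want 16, 24 or 32" >&2; return 1 ;;
  esac
}

# Step 5 helper: render one member's config with the page's example settings
# (authorization stays disabled, as in that lab config; enable it outside a lab).
write_encrypted_config() {
  cfg=$1 dbpath=$2 logpath=$3 port=$4 rsname=$5 keyfile=$6
  cat > "$cfg" <<EOF
systemLog:
  destination: file
  path: $logpath
storage:
  dbPath: $dbpath
processManagement:
  fork: true
security:
  authorization: disabled
  enableEncryption: true
  encryptionKeyFile: $keyfile
net:
  port: $port
replication:
  replSetName: $rsname
EOF
}

# Steps 3-5 for one member: clean shutdown through the admin database, remove
# the unencrypted files, restart from the encrypted config. The initial sync
# that follows is what writes encrypted files to dbPath.
reencrypt_member() {
  port=$1 dbpath=$2 cfg=$3
  mongo --port "$port" --quiet --eval 'db.getSiblingDB("admin").shutdownServer()'
  rm -rf "${dbpath:?}"/*
  mongod -f "$cfg"
}

# Step 6 wait: poll rs.status().myState until the member reports 2 (SECONDARY).
wait_for_secondary() {
  until [ "$(mongo --port "$1" --quiet --eval 'rs.status().myState' 2>/dev/null)" = "2" ]; do
    sleep 5
  done
}

# Step 8: make the primary a secondary so it can be recycled like the others.
step_down_primary() {
  mongo --port "$1" --quiet --eval 'rs.stepDown()'
}

# Steps 2-9 in order. Members are "port:dbPath:logPath", primary last. The
# config is written next to dbPath, not inside it, so the wipe does not delete it.
reencrypt_replica_set() {
  keyfile=$1 rsname=$2 primary_port=$3
  shift 3
  check_master_key "$keyfile"
  for m in "$@"; do
    port=${m%%:*}; rest=${m#*:}; dbpath=${rest%%:*}; logpath=${rest#*:}
    cfg=$(dirname "$dbpath")/cf-$port.yaml
    write_encrypted_config "$cfg" "$dbpath" "$logpath" "$port" "$rsname" "$keyfile"
    if [ "$port" = "$primary_port" ]; then
      step_down_primary "$port"
    fi
    reencrypt_member "$port" "$dbpath" "$cfg"
    wait_for_secondary "$port"
  done
}
```

A run for the lab layout on this page would look like: make_master_key /home/vagrant/mke, then reencrypt_replica_set /home/vagrant/mke UNENCRYPTED 31250 "31251:/home/vagrant/M310-HW-2.5/r1:/home/vagrant/M310-HW-2.5/r1/mongodb.log" "31252:/home/vagrant/M310-HW-2.5/r2:/home/vagrant/M310-HW-2.5/r2/mongodb.log" "31250:/home/vagrant/M310-HW-2.5/r0:/home/vagrant/M310-HW-2.5/r0/mongodb.log" (ports and the r0/r1 paths are assumed here; only r2 and 31252 appear in the page's configuration). check_master_key is deliberately run before anything is shut down, because a relative path, wrong mode or malformed key only surfaces when the restarted mongod refuses to start, which is after that member's data files have been removed.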


Example Configuration File


systemLog:

  destination: file

  path: /home/vagrant/M310-HW-2.5/r2/mongodb.log

storage:

  dbPath: /home/vagrant/M310-HW-2.5/r2

processManagement:

  fork: true

security:

  authorization: disabled

  enableEncryption: true

  encryptionKeyFile: /home/vagrant/mke

net:

  port: 31252

replication:

  replSetName: UNENCRYPTED




When setting the encryptionKeyFile option, be sure to use a full path name, not a relative one; with fork: true the daemon detaches from the shell you started it from, so a relative path is not reliable. The key file must be readable only by the user that runs mongod, or mongod will refuse to start. Note that this example keeps authorization: disabled, which is acceptable only for a lab exercise: encryption at rest protects the files on disk, not the running server, so a client that can reach port 31252 reads the data in the clear. Outside a lab, enable authorization and configure replica set member authentication as well.



