How to configure encryption at rest¶
Data at rest encryption should be used when your data is highly valuable. It should be used with data in transit encryption (TLS), and adequate policies to protect accounts. It helps organizations comply with security and privacy standards like HIPAA, PCI-DSS, GDPR and FIPS.
Charmed MongoDB provides encryption at rest using Vault as a key management backend for the encryption keys.
Caution
This feature can only be enabled at deploy time.
It requires a MongoDB instance that has never been started. The charm will prevent you from enabling it after it has started.
If you remove the Vault integration and MongoDB restarts, the charm will be unable to decrypt the databases and start.
Pre-requisite¶
You’ll need:
Charmed MongoDB - Revision 305 or higher
(Optional) Charmed Mongos - Revision 118 or higher
You’ll need:
Charmed MongoDB K8s - Revision 162 or higher
(Optional) Charmed Mongos K8s - Revision 115 or higher
A few words of caution¶
Encryption at rest encrypts the data on disk. It relies on Vault to store the database encryption key. If Vault is unavailable for too long and MongoDB restarts, it will fail to start as it can’t decrypt the database. It is recommended to have a scheduled backup policy working and regularly tested for both Charmed MongoDB and Vault.
This implementation provides some alerts if you are integrated with COS Lite . If Vault fails, the charm will raise critical statuses and start alerting. The tokens have a lifetime of one hour, so after one hour of downtime, a restart of MongoDB will fail.
It is highly recommended to make regular backups of the Vault to ensure the key is not lost. Without the credentials, you will be unable to decrypt the data.
Deploy and configure Vault¶
Follow the official Charmed Vault documentation
until the vault is unsealed, authorised and you have removed the one-time-token secret.
You don’t need to create a key-value type secret, and you should not destroy your environment.
Deploy MongoDB¶
Deploy Charmed MongoDB for your substrate, specifying the enable-encryption-at-rest config option
juju deploy mongodb --channel=8/edge --config enable-encryption-at-rest=True
juju deploy mongodb-k8s --channel=8/edge --trust --config enable-encryption-at-rest=True
After a few minutes it will stay in a blocked/idle status:
Model Controller Cloud/Region Version SLA Timestamp
integ-test overlord localhost/localhost 3.6.20 unsupported 14:38:07+02:00
App Version Status Scale Charm Channel Rev Exposed Message
mongodb 8.0.10 blocked 1 mongodb 0 no Must be integrated with vault to enable encryption at rest.
Unit Workload Agent Machine Public address Ports Message
mongodb/0* blocked executing 0 10.137.178.131 Must be integrated with vault to enable encryption at rest.
Machine State Address Inst id Base AZ Message
0 started 10.137.178.131 juju-ceaebe-0 ubuntu@24.04 vali Running
Model Controller Cloud/Region Version SLA Timestamp
testing 36microk8s microk8s/localhost 3.6.19 unsupported 14:44:24+02:00
App Version Status Scale Charm Channel Rev Address Exposed Message
mongodb-k8s 8.0.10 blocked 1 mongodb-k8s 0 10.152.183.137 no Must be integrated with vault to enable encryption at rest.
Unit Workload Agent Address Ports Message
mongodb-k8s/0* blocked executing 10.1.238.194 Must be integrated with vault to enable encryption at rest.
Integrate your charm with Vault
juju integrate mongodb:vault-kv vault:vault-kv
juju integrate mongodb-k8s:vault-kv vault:vault-kv
Rotate the encryption key¶
Key rotation can be used as part of compliance processes (e.g: once a year), or if you have a suspicion that it has leaked.
Caution
This operation is expensive. It requires to restart each MongoDB instance affected twice. One for rotating the encryption key, and one to resume operation.
If for any reason, you need to rotate the encryption key, please apply the following instructions. For each unit that could have leaked its key, run:
juju run mongodb/<unit-id> rotate-encryption-master-key
juju run mongodb-k8s/<unit-id> rotate-encryption-master-key
Your key has now been rotated.