MongoDB Encryption at Rest

Join Stephen Thorn and Michał Nosek, Percona Technical Experts, as they discuss MongoDB Encryption at Rest.

This hands-on workshop will walk through the process of setting up data-at-rest encryption in Percona Server for MongoDB (PSMDB). Data-at-rest encryption is one of the methods used to secure database deployments from unauthorized data access. It’s also commonly required for enterprise-grade database deployments due to different regulations and compliance requirements.

This feature is unavailable in the upstream MongoDB Community Edition and is available only in MongoDB Enterprise. PSMDB bridges this gap by offering data-at-rest encryption in Percona’s free and open-source version.

In this workshop, we will enable encryption on a whole replica set. For one of the nodes, we will use a locally stored key file. This is the simplest approach; however, it is typically not recommended in production environments. The second approach, which we will use for the second node, relies on an external server to store and manage secrets. We'll go through the integration with HashiCorp Vault that is supported by PSMDB. Additionally, we'll rotate the encryption key in an already encrypted MongoDB node.