Webinar: Technical Introduction to Native Encryption on MongoDB
mongodb
2,060 views
19 slides
Mar 02, 2016
Slide 1 of 19
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
About This Presentation
The new encrypted storage engine in MongoDB 3.2 allows you to more easily build secure applications that handle sensitive data. Attend this webinar to learn how the internals work and discover all of the options available to you for securing your data.
Slide Content
A Technical Introduction to Native
Encryption in MongoDB
By: Osmar “Oz” Olivo
Product Manager
MongoDB Inc.
Encryption in MongoDB
By: Osmar “Oz” Olivo
Product Manager
MongoDB Inc.
Agenda
•Motivation
•Encryption Internals
•Key Management
•When to use Native Encryption vs. Alternatives
•Motivation
•Encryption Internals
•Key Management
•When to use Native Encryption vs. Alternatives
Motivation
What is Encryption at Rest?
•Data at Rest generally refers to data stored in persistent storage
(disk, tape)
•Encryption at rest can be achieved in one of 4 ways
–At the hardware level
–At the filesystem level
–At the database level
–At the application level
•Encrypting data on the network is known as “In Flight Encryption”
–MongoDB provides this natively via TLS/SSL
•Data at Rest generally refers to data stored in persistent storage
(disk, tape)
•Encryption at rest can be achieved in one of 4 ways
–At the hardware level
–At the filesystem level
–At the database level
–At the application level
•Encrypting data on the network is known as “In Flight Encryption”
–MongoDB provides this natively via TLS/SSL
Why do we need data encrypted?
•Applications may handle and store regulated or sensitive data
–Must meet federal regulations for PCI, HIPPA, FERPA, etc.
–Require that Personally Identifiable Information (PII) be protected
•Both at rest, in flight, and with access controls
•Encryption isn’t the only solution
•Internal compliance policy to protect sensitive data
–Do not necessarily store federally “sensitive” data
–May store data an entity may deem as private
•Keep your private data secure
•Applications may handle and store regulated or sensitive data
–Must meet federal regulations for PCI, HIPPA, FERPA, etc.
–Require that Personally Identifiable Information (PII) be protected
•Both at rest, in flight, and with access controls
•Encryption isn’t the only solution
•Internal compliance policy to protect sensitive data
–Do not necessarily store federally “sensitive” data
–May store data an entity may deem as private
•Keep your private data secure
MongoDB’s Native Encryption
Encryption Internals
•Leverages OpenSSL libraries
•Supported modes
–AES256-CBC
–AES256-GCM
–Use OpenSSL FIP’s mode to be FIPS 140-2 compliant
•Hardware Accelerated via AES-NI
•Encryption done at page level
–Don’t need to re-encrypt whole file with each change
•Encrypt data written out to the filesystem
–DataFiles, Journal, Rollback files, etc.
–Logs are not encrypted (Log redaction coming)
–Nothing is encrypted in memory
•Leverages OpenSSL libraries
•Supported modes
–AES256-CBC
–AES256-GCM
–Use OpenSSL FIP’s mode to be FIPS 140-2 compliant
•Hardware Accelerated via AES-NI
•Encryption done at page level
–Don’t need to re-encrypt whole file with each change
•Encrypt data written out to the filesystem
–DataFiles, Journal, Rollback files, etc.
–Logs are not encrypted (Log redaction coming)
–Nothing is encrypted in memory
Internal Keystore
•MongoDB generates a key for each database
–Each database is encrypted with its own key
–Currently do not support unencrypted databases/collections
•Database keys are kept in an internal keystore
–Can’t be accessed by users
•Keystore is encrypted (“wrapped”) with an externally managed
Master Key
–OS level mechanisms are employed to ensure that keys are not paged or
written to disk in unencrypted form
–Master keys are never written to disk at all
•Must be externally managed
•MongoDB generates a key for each database
–Each database is encrypted with its own key
–Currently do not support unencrypted databases/collections
•Database keys are kept in an internal keystore
–Can’t be accessed by users
•Keystore is encrypted (“wrapped”) with an externally managed
Master Key
–OS level mechanisms are employed to ensure that keys are not paged or
written to disk in unencrypted form
–Master keys are never written to disk at all
•Must be externally managed
Master Key Management
•Local key file
–User generated base-64 encoded keyfile
–File is located on filesystem and must be managed by user
–NOT RECOMMENDED FOR PRODUCTION
•Won’t meet most compliance policies
•KMIP server (key management appliance)
–Users can plug into existing key management servers
•Appliance must support KMIP communication protocol
•MongoDB must have access to CA and client certificate files in order to
securely communicate
–Will securely generate and transmit Master Key
–Recommended approach to protect private data
–Level of compliance will depend on appliance used
•Local key file
–User generated base-64 encoded keyfile
–File is located on filesystem and must be managed by user
–NOT RECOMMENDED FOR PRODUCTION
•Won’t meet most compliance policies
•KMIP server (key management appliance)
–Users can plug into existing key management servers
•Appliance must support KMIP communication protocol
•MongoDB must have access to CA and client certificate files in order to
securely communicate
–Will securely generate and transmit Master Key
–Recommended approach to protect private data
–Level of compliance will depend on appliance used
B
y: O
sma •DB4
KeyB
y:rO
sma
•DB3
KeyB
y:“O
sma
•DB2
KeyB
y:z
sma
•DB1
Key
How It all Fits Together”livmoOsma
Master KeyPduoacvmtOylvlMlimi
Encrypted Databases
y: O
sma •DB4
KeyB
y:rO
sma
•DB3
KeyB
y:“O
sma
•DB2
KeyB
y:z
sma
•DB1
Key
How It all Fits Together”livmoOsma
Master KeyPduoacvmtOylvlMlimi
Encrypted Databases
Key Rotation
•Approach will depend on requirements
–Re-encrypt all the data
•Perform rolling initial sync on each node in the replica set
•Rotates Master key as well as the internal keystore keys
–Only re-encrypt the internal keystore (KMIP ONLY)
•Restart the server with the --kmipRotateMasterKey parameter
•Only rotates the Master key
–Internal keystore keys stay the same but are re-encrypted
•Can be done in a rolling fashion to avoid downtime
•This is generally enough to meet most compliance requirements
•Approach will depend on requirements
–Re-encrypt all the data
•Perform rolling initial sync on each node in the replica set
•Rotates Master key as well as the internal keystore keys
–Only re-encrypt the internal keystore (KMIP ONLY)
•Restart the server with the --kmipRotateMasterKey parameter
•Only rotates the Master key
–Internal keystore keys stay the same but are re-encrypted
•Can be done in a rolling fashion to avoid downtime
•This is generally enough to meet most compliance requirements
Keys Per Node
•Master Keys & Internal keystore are decoupled from replication
–Each node in a cluster can utilize the same Master Key or a different one
•We recommend a different Master Key per instance
•Users have no control over database keys as they are internally generated
•Master Keys & Internal keystore are decoupled from replication
–Each node in a cluster can utilize the same Master Key or a different one
•We recommend a different Master Key per instance
•Users have no control over database keys as they are internally generated
When to use Native Encryption
Deciding on a solution
•MongoDB Native Encryption
–Great if all sensitive data is stored on MongoDB
–Want to minimize number of technologies used in software stack
–Certified KMIP Appliances
•Safenet KeySecure
•Vormetric DSM
•MongoDB Native Encryption
–Great if all sensitive data is stored on MongoDB
–Want to minimize number of technologies used in software stack
–Certified KMIP Appliances
•Safenet KeySecure
•Vormetric DSM
Deciding on a solution (continued)
•Filesystem Solutions
–Great if using several technologies alongside MongoDB
•Want to standardize on a single encryption platform
–If you require protection against privileged users such as root
–Certified Filesystem Solution Partners
•Safenet
•Vormetric
•Server General
•Filesystem Solutions
–Great if using several technologies alongside MongoDB
•Want to standardize on a single encryption platform
–If you require protection against privileged users such as root
–Certified Filesystem Solution Partners
•Safenet
•Vormetric
•Server General
More Data Protection Alternatives
•Encrypted Disks
•Tokenization
–Involves additional hop to tokenization software
–Sensitive data not stored in DB at all
•Application Encryption
–Cannot easily leverage database indexes
–Only applicable if not looking up by sensitive data
•Encrypted Disks
•Tokenization
–Involves additional hop to tokenization software
–Sensitive data not stored in DB at all
•Application Encryption
–Cannot easily leverage database indexes
–Only applicable if not looking up by sensitive data
Questions?
Tags
Categories
GeneralDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 2,060
- Slides 19
- Favorites 3
- Age 3561 days
Related Slideshows
22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
30 views
26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
32 views
31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
30 views
14
Fertility awareness methods for women in the society
Isaiah47
29 views
35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
26 views
5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
28 views