Using Fortanix Data Security Manager for MongoDB Encryption at Rest - Linux

1.0 Introduction

MongoDB Enterprise version supports the encryption of data at rest. The data encryption process involves generating a master key which is the root of the key hierarchy of various keys used by MongoDB.

Cryptographically secure generation and secure management of this master key are required for the true security of data at rest encrypted by MongoDB. Fortanix Data Security Manager with its KMIP support provides a secure and flexible solution for this.

MongoDB supports KMIP and authenticates to a KMIP-enabled key management server with a client certificate. Fortanix Data Security Manager (DSM) lets a client app authenticate with an API key, with an app ID plus a certificate, or with a certificate alone. This article describes how to set up an app in Fortanix DSM so that MongoDB can integrate with Fortanix DSM using certificate authentication.

MongoDB Enterprise does not support AES256-GCM on Windows; this article covers Linux. For more information, refer to the MongoDB documentation.

2.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

2.1 Signing Up

To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

2.2 Creating an Account

Open <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to the Fortanix DSM.

Figure 1: Logging In

2.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. Click the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to add a new group.

    Figure 2: Add Groups

  2. On the Adding new group page, enter the following details:

    • Title: Enter a title for your group.

    • Description (optional): Enter a short description for the group.

  3. Click the SAVE button to create the new group.

The new group has been added to the Fortanix DSM successfully.

2.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation bar and click the + button on the Apps page to add a new app.

    Figure 3: Add Application

  2. On the Adding new app page, enter the following details:

    • App name: Enter the name of your application.

    • ADD DESCRIPTION (optional): Enter a short description for the application.

    • Authentication method: Keep the default API Key for now. The certificate used for authentication must carry the app UUID in its CN, and that UUID exists only after the app has been created, so the method is switched to Certificate in Section 2.7: Updating the Authentication Method. For more information on the authentication methods, refer to the User's Guide: Authentication documentation.

    • Assigning the new app to groups: Select the group created in Section 2.3: Creating a Group from the list.

  3. Click the SAVE button to add the new application. 

The new application has been added to the Fortanix DSM successfully.

2.5 Copying the App UUID

Perform the following steps to copy the app UUID from the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation bar and click the app created in the Section 2.4: Creating an Application to go to the detailed view of the app.

  2. From the top of the app's page, copy the app UUID. It is used in Section 2.6: Generating the Certificate as the value of the Common Name (CN) in the certificate subject.

2.6 Generating the Certificate

You can generate a self-signed certificate whose subject CN is the app UUID. Fortanix DSM matches the CN of the presented certificate against the app UUID, so a certificate with any other CN is not accepted for this app.

  1. Change to a working directory (for example, SDKMS_Certs) and generate a private key and a self-signed certificate using the following command. The command prompts for the subject fields; enter the app UUID copied in Section 2.5: Copying the App UUID as the Common Name. The -nodes option leaves the private key unencrypted so that mongod can read it without a passphrase.

    openssl req -newkey rsa:2048 -nodes -keyout private.key -x509 -days 365 -out certificate.crt

    Figure 4: Create self-signed certificate

    Figure 5: Certificate generated

  2. Examine the subject in the certificate to verify it contains the app ID as CN. A correctly generated certificate should look as follows (note the value of CN).

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 11285796284824083476 (0x9c9f33ed245cdc14)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, ST=CA, L=Mountain View, O=Fortanix, OU=Test, CN=da7f2800-4122-4681-aebf-90beb779b73f/[email protected]
            Validity
                Not Before: Aug  8 23:31:20 2018 GMT
                Not After : Aug  8 23:31:20 2019 GMT
            Subject: C=US, ST=CA, L=Mountain View, O=Fortanix, OU=Test, CN=da7f2800-4122-4681-aebf-90beb779b73f/[email protected]
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:d2:ae:15:66:bf:78:d4:98:f4:4d:a5:57:bf:04:
                        08:76:83:1f:40:e8:8b:c4:da:8a:a0:71:22:43:84:
                        6d:c9:05:f2:81:91:83:04:75:bd:c9:83:86:92:bf:
                        ff:a0:e4:b4:e4:ee:56:09:10:2a:dc:e2:f4:0c:65:
                        43:96:a1:31:0d:15:92:49:87:ee:46:91:5d:f1:8c:
                        61:b3:ca:4a:9f:be:01:00:d5:30:5f:ee:56:35:75:
                        3c:e1:0d:a6:34:66:7f:3b:26:69:97:33:6d:2e:c7:
                        fd:c9:42:7d:14:f7:12:18:4a:5b:a6:90:52:7a:4b:
                        1b:45:b3:79:33:31:99:03:1d:a4:ed:51:dc:7b:43:
                        20:02:bb:08:22:27:27:8c:51:6a:5f:59:87:45:95:
                        d7:f3:ca:fa:30:3d:d5:a6:50:77:03:e3:de:eb:30:
                        17:45:48:fe:5b:76:d4:c1:03:3f:b8:99:73:ae:ad:
                        ae:e2:69:95:e2:14:1e:42:b1:ac:72:cd:0b:c6:01:
                        e3:20:8d:5a:6a:5d:19:79:17:f0:80:5f:75:fc:d5:
                        da:9c:af:07:d8:c7:96:02:a5:94:19:64:d7:9a:e4:
                        56:f1:cf:54:b9:a7:29:28:22:52:f2:c4:8a:97:04:
                        45:b1:9b:b5:4f:c0:18:53:ff:08:3f:3b:81:bd:f1:
                        d1:e9
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier: 
                    87:65:C6:B6:B6:3A:0A:A6:30:BA:CB:D2:27:9E:C4:E6:2E:7F:2F:6D
                X509v3 Authority Key Identifier: 
                    keyid:87:65:C6:B6:B6:3A:0A:A6:30:BA:CB:D2:27:9E:C4:E6:2E:7F:2F:6D
    
                X509v3 Basic Constraints: 
                    CA:TRUE
        Signature Algorithm: sha256WithRSAEncryption
             71:da:8c:da:ab:9d:6d:8a:f1:9c:56:a9:7d:e2:e2:1b:fd:90:
             b7:5e:45:db:d4:69:47:ca:98:2f:b0:3b:2c:1f:49:3a:75:dd:
             1d:96:b3:bd:11:a6:d7:06:60:4f:18:11:e1:cf:db:5c:52:03:
             29:78:47:6e:36:c0:64:d8:4d:34:00:d9:94:55:48:a9:d4:b2:
             b2:ed:b8:13:fc:3d:c6:b4:61:a3:56:aa:9d:73:80:62:38:da:
             0c:94:b0:4a:e6:86:da:6a:f9:aa:f3:a4:3c:48:32:93:f7:d3:
             27:f9:2c:77:b4:91:9c:84:62:96:86:7d:d2:c8:20:79:d1:12:
             ef:f0:cc:15:31:ea:86:e9:b4:02:00:55:83:0f:6a:c6:5b:d2:
             19:67:9b:b2:44:f8:3b:36:f9:b0:02:b2:98:7d:1e:fa:95:58:
             92:92:57:68:f8:56:bb:43:db:01:08:bb:d6:ab:52:e6:c7:88:
             7a:1c:8d:f4:31:90:70:0a:dd:d2:96:7c:8b:93:8f:1f:4a:80:
             fe:3a:f8:df:82:a7:99:ac:2f:e8:02:e5:8b:fe:ec:3b:3b:0a:
             a3:c0:82:4d:f7:93:66:a1:76:6f:fa:c2:19:8e:d8:b6:b4:27:
             8c:57:22:a4:f7:e6:45:61:27:af:fc:5f:51:88:eb:32:
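The same certificate generation done non-interactively, as an added example that is not part of the Fortanix article: the subject is passed with -subj so the CN is set to the app UUID without prompting, and a check function reads the CN back from the certificate before anything is uploaded to Fortanix DSM. The UUID below is the one from the sample certificate above, reused as a placeholder; substitute the UUID copied in Section 2.5. The directory and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Fortanix article): generate the client certificate
# with the app UUID as CN without interactive prompts, then verify the CN.

# Generate a 2048-bit RSA key and a self-signed certificate whose subject CN is
# the DSM app UUID. -nodes leaves the key unencrypted for mongod to read.
make_client_cert() {
    uuid="$1"; keyfile="$2"; certfile="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$keyfile" -out "$certfile" \
        -subj "/O=Fortanix/OU=MongoDB/CN=$uuid" 2>/dev/null
}

# Print the CN of a PEM certificate. RFC2253 formatting gives "CN=value,..."
# with no spaces around '=', which keeps the extraction portable across
# OpenSSL versions.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Return 0 only when the certificate's CN is exactly the expected app UUID.
check_cert_cn() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# --- demonstration in a scratch directory ---
APP_UUID="da7f2800-4122-4681-aebf-90beb779b73f"   # placeholder: use your app UUID
WORKDIR="$(mktemp -d)"
make_client_cert "$APP_UUID" "$WORKDIR/private.key" "$WORKDIR/certificate.crt"

if check_cert_cn "$WORKDIR/certificate.crt" "$APP_UUID"; then
    echo "OK: CN matches app UUID $APP_UUID; upload $WORKDIR/certificate.crt"
else
    echo "ERROR: CN is '$(cert_cn "$WORKDIR/certificate.crt")', expected $APP_UUID" >&2
fi
```

Run this once per app; if check_cert_cn fails, regenerate rather than uploading, because Fortanix DSM will reject a certificate whose CN does not carry the app UUID and mongod will then fail to authenticate at startup. Only certificate.crt is uploaded in Section 2.7; private.key never leaves the MongoDB host.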

2.7 Updating the Authentication Method

Perform the following steps to change the authentication method:

  1. Go to the detailed view of the app created in Section 2.4: Creating an Application, click the Change the authentication method button, and select the Certificate option.

  2. Click the SAVE button.

  3. In the Add certificate dialog box, click the UPLOAD NEW CERTIFICATE button to upload the certificate file, or paste the content of the certificate.crt generated in Section 2.6: Generating the Certificate. Upload only the certificate; the private key stays on the MongoDB host.

  4. Select both check boxes to confirm that you understand the consequences of the change.

  5. Click the UPDATE button to save the changes.

3.0 Configuring Encryption in MongoDB

You need to start MongoDB with the options to configure encryption and point it to Fortanix DSM as the key manager. MongoDB will use the certificate you created in the earlier step to authenticate to Fortanix DSM.

NOTE

  • MongoDB cannot turn on encryption for an existing, unencrypted data directory. Start the encrypted instance with an empty dbPath and reload existing data into it (for example, with mongodump and mongorestore).

  • The certificate must be in PEM format.

  • mongod expects the private key and the certificate concatenated in one file.

Copy your private key followed by the certificate into a file, say client.pem, and restrict it to the user mongod runs as (for example, chmod 600 client.pem): it contains the unencrypted private key that authenticates to Fortanix DSM. It should look as follows:

-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC5/MzwY4GcIkyU
……………………………………………………………………………………………………………………………………………………………………….
9R9EpY5ob2xaorfyEDZR2A==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIEUTCCAzmgAwIBAgIJAJxAy7ghYZjwMA0GCSqGSIb3DQEBCwUAMIG+MQswCQYD
……………………………………………………………………………………………………………………………………………………………………….
7Do/CpP2WqIk5uojq4SO5Z+/8zs0rzVNwYaKnyMSmxO+c3bC4guYB/vdEcT1wXzy
bDh/HRo=
-----END CERTIFICATE-----

To start MongoDB with encryption enabled and have it request a new master key from Fortanix DSM, start mongod with the following options (when --kmipKeyIdentifier is also given, mongod uses that existing KMIP key instead of creating one; the usual options such as --dbpath are omitted here):

/usr/bin/mongod --enableEncryption --kmipServerName <Your_DSM_Hostname> --kmipPort 5696 --kmipServerCAFile SDKMS_CA.pem --kmipClientCertificateFile client.pem

Explanation of parameters:

--enableEncryption

Enable encryption at rest

--kmipServerName arg

Fortanix DSM hostname

--kmipPort arg

KMIP server port (defaults to 5696)

--kmipClientCertificateFile arg

Client certificate for authenticating to Fortanix DSM server

--kmipServerCAFile arg

PEM file with the CA certificate used to validate the TLS certificate presented by the Fortanix DSM KMIP endpoint. Without it mongod cannot tell Fortanix DSM from an impostor holding a different certificate, so obtain this CA from Fortanix rather than from the connection itself.

For more details on MongoDB encryption at rest and other configuration options, refer to MongoDB Manual.
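The bundle preparation described in the NOTE above and a pre-flight for the mongod start command, as an added example that is neither Fortanix's nor MongoDB's code: it concatenates the key and certificate in the order mongod expects, locks the file down, proves the key and certificate belong together (a mismatched pair is accepted by cat but makes the TLS handshake to Fortanix DSM fail), and provides a mutual-TLS probe of the KMIP port using the same CA file and bundle that mongod will be given. File names, the DSM hostname placeholder and the CA file name are assumptions; the key material is generated inline for the demonstration.

```shell
#!/bin/sh
# Added example (not Fortanix's or MongoDB's code): build client.pem, restrict
# its permissions, and verify key/certificate consistency before starting mongod.

# Concatenate private key, then certificate, into one PEM file that only its
# owner can read. The subshell keeps the restrictive umask from leaking out.
make_bundle() {
    key="$1"; cert="$2"; out="$3"
    ( umask 077; cat "$key" "$cert" > "$out" )
    chmod 600 "$out"
}

# Return 0 when the private key and the certificate in a bundle share one
# public key. openssl reads the first PEM block of the matching type, so the
# key-first layout mongod wants is read correctly by both commands.
bundle_key_matches_cert() {
    pub_from_key="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
    pub_from_cert="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)"
    [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_cert" ]
}

# Permission bits of a file as octal digits (GNU stat first, BSD stat fallback).
bundle_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Live pre-flight, not run in this demonstration because it needs the DSM
# endpoint: open a mutual-TLS session to the KMIP port with exactly the CA
# file and bundle mongod will use, and require chain verification to pass.
kmip_tls_check() {
    host="$1"; ca="$2"; bundle="$3"
    openssl s_client -connect "$host:5696" -servername "$host" \
        -CAfile "$ca" -cert "$bundle" -key "$bundle" </dev/null 2>&1 |
        grep -q 'Verify return code: 0 (ok)'
}

# --- demonstration on freshly generated material in a scratch directory ---
WORKDIR="$(mktemp -d)"
cd "$WORKDIR" || exit 1
APP_UUID="da7f2800-4122-4681-aebf-90beb779b73f"   # placeholder: use your app UUID
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout private.key \
    -out certificate.crt -subj "/O=Fortanix/CN=$APP_UUID" 2>/dev/null
make_bundle private.key certificate.crt client.pem

# Failure mode: a bundle whose key belongs to a different certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout other.key \
    -out other.crt -subj "/CN=other" 2>/dev/null
make_bundle other.key certificate.crt mismatched.pem

if bundle_key_matches_cert client.pem && [ "$(bundle_mode client.pem)" = "600" ]; then
    echo "client.pem ready (mode 600, key matches certificate)"
    echo "next: kmip_tls_check <Your_DSM_Hostname> SDKMS_CA.pem $WORKDIR/client.pem"
fi
bundle_key_matches_cert mismatched.pem || echo "mismatched.pem rejected as expected"
```

Run kmip_tls_check against your DSM hostname before the first mongod start; a non-zero result with the CA file from Fortanix means either the wrong CA, a network path that terminates TLS elsewhere, or a certificate that DSM does not associate with the app. The same settings can be kept in mongod.conf instead of the command line, under security.enableEncryption and the security.kmip.serverName, security.kmip.port, security.kmip.serverCAFile and security.kmip.clientCertificateFile keys.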

Once mongod starts and connects to Fortanix DSM successfully, it asks Fortanix DSM to generate the master key (AES-256). You can check this in the Fortanix DSM web UI under the Security Objects page. Every time mongod is restarted, it authenticates to Fortanix DSM and retrieves the value of the master key. Fortanix DSM keeps a complete audit trail of every retrieval of this master key. You also have complete control over the master key: if you want to lock down your data at rest, you can revoke the app's access to the key or disable it, after which mongod can no longer open that data directory.

The following screenshot shows the activity logs for the MongoDB application and an audit trail of the master key usage.


Figure 6: Activity logs