Using Fortanix Data Security Manager with MongoDB Encryption at Rest - Windows


1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with MongoDB Enterprise for built-in encryption at rest, with Fortanix DSM acting as the KMIP key management server that holds the master key.

2.0 Fortanix DSM with MongoDB

Data at rest refers to information stored on non-volatile media, such as hard drives or solid-state drives (SSDs). MongoDB, a popular NoSQL database, provides mechanisms to protect data at rest on a Windows platform.

Encryption is the first line of defense for securing data at rest. MongoDB Enterprise provides encryption at rest in the WiredTiger storage engine: database files are encrypted with per-database keys, and those keys are in turn encrypted with a master key that is created and held by an external key manager, here Fortanix DSM, reached over KMIP. To enable this feature, you must set up the key manager and configure your MongoDB instance to use encryption.

3.0 Product Version Tested

The following product versions were tested:

  • MongoDB Enterprise version 7.0.6.

  • Fortanix DSM version 4.23.

4.0 Prerequisites

Ensure the following:

  • MongoDB Enterprise is installed on the Windows Server machine (encryption at rest is an Enterprise feature).

  • A Fortanix DSM service is configured and its URL is accessible, as described in Section 5.0: Configure Fortanix DSM.

  • The MongoDB host can reach the Fortanix DSM KMIP endpoint on TCP port 5696.

  • OpenSSL is available on a machine where the client certificate and private key can be generated.

5.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

5.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

5.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

Figure 1: Logging in

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

5.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

    Figure 2: Add groups

  2. On the Adding new group page, do the following:

    1. Title: Enter a name for your group.

    2. Description (optional): Enter a short description of the group.

  3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

5.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

    Figure 3: Add application

  2. On the Adding new app page, do the following:

    1. App name: Enter the name for your application.

    2. ADD DESCRIPTION (optional): Enter a short description of the application.

    3. Authentication method: Select the default API Key as the authentication method from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

    4. Assigning the new app to groups: Select the group created in Section 5.3: Creating a Group from the list.

  3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

5.5 Copying the App UUID

Perform the following steps to copy the app UUID from the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 5.4: Creating an Application to go to the detailed view of the app.

  2. From the top of the app’s page, click the copy icon next to the app UUID. This UUID is used in Section 5.6: Generating the Certificate as the Common Name (CN) of the self-signed client certificate: Fortanix DSM authenticates a certificate to an app by matching the certificate CN to the app UUID.

5.6 Generating the Certificate

Perform the following steps to generate a self-signed client certificate and private key whose CN is the app UUID:

Run the following command to generate the client certificate using OpenSSL:

openssl req -newkey rsa:2048 -nodes -keyout mongotest.key -x509 -days 365 -out mongotest.pem

The system will prompt you to enter Country Name, State or Province Name, Locality Name, and so on.

It will also prompt you to enter the Common Name. Enter the app UUID copied in Section 5.5: Copying the App UUID exactly as the value for the CN; a mistyped CN only shows up later as an authentication failure when mongod first contacts Fortanix DSM.

The -nodes option writes mongotest.key to disk unencrypted. Anyone holding this key can authenticate to Fortanix DSM as the app, so restrict access to the file and delete it once the PFX file in Section 6.0 has been created. The certificate is valid for 365 days; renew it and upload the new certificate to the app before it expires, otherwise mongod can no longer retrieve the master key.

Figure 4: Generate certificate
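The following PowerShell script is an added example for this section, not code from the Fortanix page. It produces the same mongotest.key and mongotest.pem as the interactive command above, but non-interactively, checks that the CN is the app UUID before anything is uploaded to DSM, and also performs the PFX export that Section 6.0 step 1 needs. It assumes openssl.exe is on PATH; the $AppUuid value and the subject fields other than CN are placeholders.

```powershell
# Added example (not from the Fortanix page): generate the DSM client certificate
# non-interactively, verify its CN, and export it as a PFX bundle.
# Assumes openssl.exe is on PATH. $AppUuid and the O/C/ST/L values are placeholders.
$AppUuid = "00000000-0000-0000-0000-000000000000"   # paste the UUID copied in Section 5.5

if ($AppUuid -notmatch '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$') {
    throw "AppUuid does not look like a DSM app UUID: $AppUuid"
}

# -nodes writes the private key unencrypted. Whoever holds mongotest.key can authenticate
# to DSM as this app, so keep it readable only by the account doing the export.
openssl req -newkey rsa:2048 -nodes -keyout mongotest.key `
    -x509 -days 365 -out mongotest.pem `
    -subj "/C=US/ST=California/L=Mountain View/O=Example Org/CN=$AppUuid"
if ($LASTEXITCODE -ne 0) { throw "openssl req failed" }

# DSM maps the certificate to the app by CN; a wrong CN only surfaces as an
# authentication failure when mongod first contacts the KMIP endpoint, so check it now.
$subject = (openssl x509 -in mongotest.pem -noout -subject) -join ""
$cnPattern = 'CN\s*=\s*' + [regex]::Escape($AppUuid) + '(,|$)'
if ($subject -notmatch $cnPattern) {
    throw "CN does not match the app UUID: $subject"
}
openssl x509 -in mongotest.pem -noout -enddate   # record the expiry; renew before it

# PFX (PKCS #12) bundle for import into the Windows certificate store (Section 6.0, step 1).
# OpenSSL prompts for an export password; it is needed once, at import time on the server.
openssl pkcs12 -export -out mongotest.pfx -inkey mongotest.key -in mongotest.pem
if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed" }
```

Upload mongotest.pem to the app in Section 5.7 and copy only mongotest.pfx to the MongoDB server; mongotest.key should not leave the machine where it was generated.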

5.7 Updating the Authentication Method

Perform the following steps to change the authentication method:

  1. Go to the detailed view of the app created in Section 5.4: Creating an Application, click Change authentication method, and select Certificate.

  2. Click SAVE.

  3. On the Add certificate dialog box, click UPLOAD NEW CERTIFICATE to upload the certificate file mongotest.pem, or paste the content of the certificate generated in the previous section.

  4. Select both check boxes to confirm your understanding of the action.

  5. Click UPDATE to save the changes.

6.0 Configuring Encryption in MongoDB on Windows

Perform the following steps:

  1. Run the following command to convert the certificate and private key into a PFX (PKCS #12) file. OpenSSL prompts for an export password; you need it again in step 3.

    openssl pkcs12 -export -out mongotest.pfx -inkey mongotest.key -in mongotest.pem

    Figure 5: Convert certificate to PFX

  2. Copy the mongotest.pfx file to the Windows Server machine where MongoDB is installed.

  3. Run the following command from an elevated prompt to import the mongotest.pfx file (certificate and private key) into the Local Machine Personal (My) store on the Windows Server:

    certutil.exe -f -p <Password for the PFX> -importpfx .\mongotest.pfx

    Where, mongotest.pfx is the PFX file and <Password for the PFX> is the export password chosen in step 1. Without a store name, certutil imports into the Local Machine Personal store, which is where mongod looks up the certificate by thumbprint in step 7. Delete the PFX file after the import succeeds.

    Figure 6: Import PFX file to windows server

  4. Run the following command to import the root CA certificate of the Fortanix DSM KMIP server into the Local Machine Trusted Root store, so that mongod can validate the TLS certificate presented by the DSM KMIP endpoint:

    certutil.exe -addstore -f Root .\RootCA.pem

    Where, RootCA.pem is the root certificate of the CA that issued the Fortanix DSM server certificate.

    Figure 7: Import root certificate

  5. After the certificate is imported, open the Local Computer certificate store (certlm.msc) and go to Personal → Certificates. You will find the certificate imported above.

    Figure 8: Certificate imported

  6. Open the certificate and go to the Details tab. The Thumbprint field shows the SHA-1 thumbprint of the certificate, 40 hexadecimal characters.

    Figure 9: Certificate thumbprint

  7. Capture the thumbprint (without spaces) and run the following command to start mongod with encryption enabled, using Fortanix DSM as the KMIP server:

    mongod --enableEncryption --kmipServerName integrationtest.eastus.cloudapp.azure.com --kmipPort 5696 --kmipClientCertificateSelector thumbprint=<Certificate thumbprint> --dbpath D:\DBA

    Where, integrationtest.eastus.cloudapp.azure.com is the Fortanix DSM KMIP endpoint used in this test, 5696 is the KMIP port, <Certificate thumbprint> is the value captured in step 6, and D:\DBA is the data directory. Encryption can only be enabled when the data directory is initialized; an existing unencrypted database must be dumped and restored into a new encrypted instance.

    Output:

    Figure 10: mongod startup output

    You can add -vvvvv at the end of the command to run mongod at maximum log verbosity, which is useful when diagnosing KMIP connection, TLS, or certificate-selection failures.

  8. On first start, mongod asks Fortanix DSM to create the master key. This appears as a new security object in the group the app belongs to.

    Figure 11: Security object created

  9. Verify the key operations using the Activity Logs.

    Figure 12: Activity logs for key operations

7.0 MongoDB Master Key Rotation

Perform the following steps:

  1. Stop the running mongod instance, then run the following command to rotate the master key:

    mongod --enableEncryption --kmipServerName integrationtest.eastus.cloudapp.azure.com --kmipPort 5696 --kmipClientCertificateSelector thumbprint=28885b9c95b999b342da9ba9f4ac9bcdffa0e52b --dbpath D:\DBA --kmipRotateMasterKey

    With --kmipRotateMasterKey, mongod requests a new master key from Fortanix DSM, re-encrypts the per-database keys under it, and then exits. Start mongod again without --kmipRotateMasterKey to resume normal operation.

  2. After the command runs successfully, a new master key security object exists in Fortanix DSM:

    Figure 13: Key rotation
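The following PowerShell script is an added example covering the Windows-side procedure of Section 6.0 and the rotation in Section 7.0; it is not code from the Fortanix page. It imports the PFX and the DSM root CA with the same effect as steps 3 and 4, reads the thumbprint from the store object instead of transcribing it from the certificate dialog, writes the Section 6 settings to a mongod configuration file, and wraps the rotation step. The KMIP host and data directory are the page's test values; $CfgPath and the PFX file location are assumptions.

```powershell
# Added example (not from the Fortanix page). Run from an elevated PowerShell on the
# Windows Server that hosts MongoDB Enterprise, in the directory holding mongotest.pfx
# and RootCA.pem. Host and dbPath are the page's test values; $CfgPath is assumed.
$DsmKmipHost = "integrationtest.eastus.cloudapp.azure.com"
$DbPath      = "D:\DBA"
$CfgPath     = "D:\DBA\mongod.cfg"
$PfxPassword = Read-Host -Prompt "PFX export password" -AsSecureString

# Client certificate and private key into LocalMachine\My (Personal), where mongod looks up
# certificates by thumbprint. -Exportable is deliberately omitted so the key cannot be
# re-exported from the store.
$cert = Import-PfxCertificate -FilePath .\mongotest.pfx `
            -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword
Remove-Item .\mongotest.pfx          # the store now holds the only copy on this host

# DSM server CA into the Trusted Root store so mongod can validate the KMIP endpoint's TLS certificate.
certutil.exe -addstore -f Root .\RootCA.pem | Out-Null
if ($LASTEXITCODE -ne 0) { throw "importing RootCA.pem failed" }

# Thumbprint straight from the store object: nothing to retype, and it is validated as 40 hex digits.
$thumb = $cert.Thumbprint.ToLower()
if ($thumb -notmatch '^[0-9a-f]{40}$') { throw "unexpected thumbprint: $thumb" }

# The same settings as the Section 6 command line, as a configuration file suitable for a service.
@"
storage:
  dbPath: $DbPath
security:
  enableEncryption: true
  kmip:
    serverName: $DsmKmipHost
    port: 5696
    clientCertificateSelector: thumbprint=$thumb
"@ | Set-Content -Path $CfgPath -Encoding ascii

function Start-EncryptedMongod {
    # On first start DSM creates the master key as a security object in the app's group.
    mongod --config $CfgPath
}

function Invoke-MasterKeyRotation {
    # Section 7.0: the running instance must be stopped first (it holds the dbPath lock).
    # mongod obtains a new master key from DSM, re-encrypts the database keys, and exits;
    # check the mongod log for the rotation result, then start it again normally.
    mongod --config $CfgPath --kmipRotateMasterKey
    if ($LASTEXITCODE -ne 0) { Write-Warning "mongod exited with code $LASTEXITCODE; check the log" }
}

Start-EncryptedMongod
```

The account that runs mongod must be able to read the private key of the imported certificate. Importing from an elevated prompt grants access to Administrators and SYSTEM; if mongod runs as a dedicated service account, grant that account read access to the key (for example through Manage Private Keys in certlm.msc) before starting the service.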