1.0 Introduction
This article describes how to integrate Fortanix Data Security Manager (DSM) with MongoDB for built-in encryption at rest.
2.0 Fortanix DSM with MongoDB
Data at rest refers to data that is stored on non-volatile media, such as hard drives or solid-state drives (SSDs). Ensuring the security of this data is of paramount importance, especially in today's data-driven world. MongoDB, a popular NoSQL database, provides various mechanisms to protect your data at rest on a Windows platform.
Encryption is the first line of defense for data at rest security. MongoDB offers built-in encryption at rest using WiredTiger encryption. To enable this feature, you will need to set up encryption key management and configure your MongoDB instance to use encryption.
3.0 Product Version Used for Testing
Fortanix has tested this integration on MongoDB Enterprise version 7.0.6.
Fortanix has tested this integration on DSM version 4.23.
4.0 Prerequisites
Ensure the following:
A Fortanix DSM account. Refer to Section 5.1: Signing Up and Section 5.2: Creating an Account.
Install OpenSSL on your Windows Server.
5.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
5.1 Signing Up
To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
5.2 Creating an Account
Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

Figure 1: Logging In
5.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
Click the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to add a new group.
Figure 2: Add Groups
On the Adding new group page, enter the following details:
Title: Enter a title for your group.
Description (optional): Enter a short description for the group.
Click the SAVE button to create the new group.
The new group has been added to the Fortanix DSM successfully.
5.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
Click the Apps menu item in the DSM left navigation bar and click the + button on the Apps page to add a new app.
Figure 3: Add Application
On the Adding new app page, enter the following details:
App name: Enter the name of your application.
ADD DESCRIPTION (optional): Enter a short description for the application.
Authentication method: Select the default API Key as the method of authentication from the drop-down menu. For more information on these authentication methods, refer to User's Guide: Authentication documentation.
Assigning the new app to groups: Select the group created in Section 5.3: Creating a Group from the list.
Click the SAVE button to add the new application.
The new application has been added to the Fortanix DSM successfully.
5.5 Copying the App UUID
Perform the following steps to copy the app UUID from the Fortanix DSM:
Click the Apps menu item in the DSM left navigation bar and click the app created in the Section 5.4: Creating an Application to go to the detailed view of the app.
From the top of the app’s page, copy the app UUID to be used in Section 5.6: Generating the Certificate as the value of Common Name (CN) to generate a self-signed certificate and a private key.

Figure 4: App UUID
5.6 Generating the Certificate
Perform the following steps to generate a self-signed certificate or CA certificate such that the CN contains the app UUID:
Run the following command to generate a client certificate using OpenSSL:
openssl req -newkey rsa:2048 -nodes -keyout mongotest.key -x509 -days 365 -out mongotest.pem
The system will prompt you to enter Country Name, State or Province Name, Locality Name, and so on.
It will also prompt you to enter the Common Name. Enter the app UUID that you copied in Section 5.5: Copying the App UUID as the value for the CN.
Figure 5: Generate Certificate
5.7 Updating the Authentication Method
Perform the following steps to change the authentication method:
Go to the detailed view of the app created in Section 5.4: Creating an Application, click the Change the authentication method button, and select the Certificate option to change the authentication method to Certificate.
Click the SAVE button.
On the Add certificate dialog box, click the UPLOAD NEW CERTIFICATE button to upload the certificate file mongotest.pem, or paste the content of the certificate generated in the previous section. Select both check boxes to confirm your understanding of the action.
Click the UPDATE button to save the changes.
6.0 Configuring Encryption in MongoDB Windows
Perform the following steps:
Run the following command to convert the certificate to PFX format:
openssl pkcs12 -export -out mongotest.pfx -inkey mongotest.key -in mongotest.pem
Figure 6: Convert Cert to PFX
Copy the mongotest.pfx file to the Windows Server machine where MongoDB is installed.
Run the following command to import the mongotest.pfx file into the trusted store on the Windows Server:
certutil.exe -importpfx -f -p <Password for the PFX> .\mongotest.pfx
Where, mongotest.pfx is the PFX file.
Figure 7: Import PFX file to Windows server
Run the following command to import the root certificate for the Fortanix DSM to the Windows Certificate Trust:
certutil.exe -addstore -f Root .\RootCA.pem
Figure 8: Import root certificate
After the certificate is imported, open the Windows Certificate Store and go to Personal → Certificates. You will find the certificate imported above.
Figure 9: Certificate Imported
Click the certificate and go to the details. You will find the thumbprint of the certificate as shown below.
Figure 10: Certificate Thumbprint
Capture the thumbprint and run the following command to start MongoDB with KMIP-backed encryption, replacing <Certificate_Thumbprint> with the thumbprint of the imported client certificate:
mongod --enableEncryption --kmipServerName integrationtest.eastus.cloudapp.azure.com --kmipPort 5696 --kmipClientCertificateSelector thumbprint=<Certificate_Thumbprint> --dbpath D:\DBA
Output:
Figure 11: Certificate Thumbprint
You can add -vvvvv at the end of the command to run the same command in debug mode. This will create a security object in Fortanix DSM as shown below.
Figure 12: Security Object Created
Verify the key operations using the Activity Logs.
Figure 13: Activity Logs for Key Operations
7.0 Mongo Master Key Rotation
Perform the following steps:
Run the following command to rotate the master key within MongoDB:
mongod --enableEncryption --kmipServerName integrationtest.eastus.cloudapp.azure.com --kmipPort 5696 --kmipClientCertificateSelector thumbprint=28885b9c95b999b342da9ba9f4ac9bcdffa0e52b --dbpath D:\DBA --kmipRotateMasterKey
After the command runs successfully, a new key is created within Fortanix DSM as shown below:
Figure 14: Key Rotation
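The following helper is an added example, not Fortanix or MongoDB code, covering the checks an operator wants around Sections 5.6, 6.0 and 7.0: that the certificate CN equals the app UUID (DSM authenticates the client by CN), that a thumbprint pasted from the Windows certificate viewer is a clean 40-hex SHA-1 (the viewer adds spaces and an invisible U+200E mark when copying), that it matches the PEM generated in Section 5.6, and assembly of the mongod argument list. The KMIP host, paths and the sample PEM in the test are constructed values.

```python
import base64
import hashlib
import re
import uuid

_HEX40 = re.compile(r"^[0-9a-f]{40}$")


def normalize_thumbprint(raw: str) -> str:
    """Strip whitespace, colons and the U+200E/U+200F marks that the Windows
    certificate viewer includes when a thumbprint is copied, then require
    exactly 40 hex characters (a SHA-1 thumbprint)."""
    cleaned = re.sub(r"[\s:\u200e\u200f]", "", raw).lower()
    if not _HEX40.match(cleaned):
        raise ValueError(f"not a SHA-1 thumbprint (40 hex chars): {raw!r}")
    return cleaned


def pem_thumbprint(pem: str) -> str:
    """SHA-1 over the DER body of a PEM certificate: the value Windows shows
    as 'Thumbprint' and that thumbprint= in the selector must equal."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return hashlib.sha1(base64.b64decode(body)).hexdigest()


def thumbprint_matches_pem(pasted: str, pem: str) -> bool:
    """Confirm the thumbprint copied from certmgr belongs to mongotest.pem."""
    return normalize_thumbprint(pasted) == pem_thumbprint(pem)


def cn_is_app_uuid(cn: str, app_uuid: str) -> bool:
    """The CN entered in Section 5.6 must be the DSM app UUID from Section 5.5;
    uuid.UUID normalises case and hyphen placement before comparing."""
    try:
        return uuid.UUID(cn) == uuid.UUID(app_uuid)
    except ValueError:
        return False


def build_mongod_args(kmip_host, kmip_port, thumbprint, dbpath, rotate=False):
    """Argument list for the mongod invocation used in Sections 6.0 and 7.0;
    rotate=True appends --kmipRotateMasterKey for the rotation step."""
    args = ["mongod", "--enableEncryption",
            "--kmipServerName", kmip_host, "--kmipPort", str(kmip_port),
            "--kmipClientCertificateSelector",
            f"thumbprint={normalize_thumbprint(thumbprint)}",
            "--dbpath", dbpath]
    if rotate:
        args.append("--kmipRotateMasterKey")
    return args
```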