When does MongoDB encrypt the database key for each database?

The video says that each MongoDB database has a database key for encryption and that the database key is encrypted by the master encryption key.
The question is: when is that master key called to encrypt or decrypt the database key?
Is it every time the mongod process has to write any data or update any data to the datafiles?
Or is it at the start of the mongod process only?
Or anything else?

Also, if it is required only at the start of the mongod process, then does it mean that the database key is always in clear text in memory so that it can be used to encrypt and decrypt the incoming new data?


If I know anything about encryption, this is probably when it happens :) Yeah, during bootup of Mongo the master key is used to make the database key usable, which is then retained in memory. … which also makes me wonder whether one could dump that key from memory space as an attack.

This warrants investigation :)

EDIT:
Oh nice! We can use HSMs, like the Thales nShield range, to secure the master keys. That’s ace. Sauce, which refers to the certified partners list.

EDIT:

It’s something, but not what you were looking for. Meh. Sauce.

Will keep looking.

EDIT:
Also interesting, but still not the definitive answer

EDIT:
This here’s a useful blog post that details a lot.

@Tess_Sluijter Thanks for the posting and the links!

@inkitm
I think the following provides some understanding to the “when” of encryption. I’ll see what else I can find out.

Encryption is performed at the page level to provide optimal performance. Instead of having to encrypt/decrypt the entire file or database for each change, only the modified pages need to be encrypted or decrypted.

The database keys are internal to the server and are only paged to disk in an encrypted format. MongoDB never pages the master key to disk under any circumstances.

Only the master key is external to the server (i.e. kept separate from the data and the database keys), and requires external management. To manage the master key, MongoDB’s encrypted storage engine supports two key management options:

  • Integration with a third-party key management appliance via the Key Management Interoperability Protocol (KMIP). (Recommended)
  • Local key management via a keyfile.

When is that master key called to encrypt or decrypt the database key?

The master key is acquired at startup from the KMIP server. It’s used to encrypt/decrypt a store of per-database keys. When a new database is created, a key is generated and inserted into the keystore.

Is it every time the mongod process has to write any data or update any data to the datafiles?
Or is it at the start of the mongod process only?
Or anything else?

It’s whenever the server needs to manipulate persisted key material.

Also, if it is required only at the start of the mongod process, then does it mean that the database key is always in clear text in memory so that it can be used to encrypt and decrypt the incoming new data?

Both sets of keys may be in clear text in memory. We invoke OS-specific mechanisms to prevent regions of memory which contain keys from being persisted to disk. ESE is intended to provide protection against adversaries with access to stolen hard disks or datafiles, rather than OS-level administrative privileges.

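The reply above does not name the "OS-specific mechanisms" it mentions. As an added example (not MongoDB's code and not part of any post), this is what such mechanisms look like on Linux, assuming `mlock()` to keep key pages out of swap and `madvise(MADV_DONTDUMP)` to keep them out of core dumps; `secure_key` and its functions are hypothetical names, and the key bytes are constructed.

```c
#define _DEFAULT_SOURCE   /* exposes madvise() and MADV_DONTDUMP on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef struct {          /* hypothetical holder for unwrapped key material */
    unsigned char *buf;   /* page-aligned storage */
    size_t len;           /* rounded up to whole pages */
    int locked;           /* 1 if mlock() succeeded: pages cannot be swapped out */
    int nodump;           /* 1 if the pages are excluded from core dumps */
} secure_key;

/* Allocate whole pages for a key and ask the kernel to keep them off disk. */
int secure_key_alloc(secure_key *k, size_t key_len) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    k->len = ((key_len + page - 1) / page) * page;
    k->buf = aligned_alloc(page, k->len);
    if (!k->buf) return -1;
    memset(k->buf, 0, k->len);
    k->locked = (mlock(k->buf, k->len) == 0);  /* fails if RLIMIT_MEMLOCK is too low */
    k->nodump = 0;
#ifdef MADV_DONTDUMP
    k->nodump = (madvise(k->buf, k->len, MADV_DONTDUMP) == 0);
#endif
    return 0;             /* callers should refuse to load a key when locked == 0 */
}

/* Zero through a volatile pointer so the compiler cannot drop the stores. */
void secure_key_wipe(secure_key *k) {
    volatile unsigned char *p = k->buf;
    for (size_t i = 0; i < k->len; i++) p[i] = 0;
}

/* Wipe, undo the page flags, then hand the memory back to the allocator. */
void secure_key_free(secure_key *k) {
    secure_key_wipe(k);
#ifdef MADV_DODUMP
    if (k->nodump) madvise(k->buf, k->len, MADV_DODUMP);
#endif
    if (k->locked) munlock(k->buf, k->len);
    free(k->buf);
    k->buf = NULL;
    k->len = 0;
}

int main(void) {
    secure_key k;
    if (secure_key_alloc(&k, 32) != 0) return 1;
    memset(k.buf, 0xA5, 32);   /* constructed stand-in for an unwrapped database key */
    printf("locked=%d nodump=%d len=%zu\n", k.locked, k.nodump, k.len);
    secure_key_free(&k);
    return 0;
}
```

These calls only keep the key out of swap and crash dumps; a process with administrative privileges on the host can still read the live memory, which matches the threat model stated in the reply.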

Thanks for your explanation @dschupp! Appreciate it :)
