Is there any way I can show how mongodump and mongorestore implement Data at Rest Encryption?
I have a local DB and a folder with the backup of all the collections. I've read from here that MongoDB utilizes AES encryption algorithm. Being a symmetric key encryption I know that a unique private key should be generated but I'm not sure how it actually works with mongodump and mongorestore.
Any resource to help me understand this process would be appreciated.
As a follow up, if I ever want to backup my DB with a different encryption algorithm, would it be possible?
CodePudding user response:
Mongodump and mongorestore access the data store in MongoDB the same way your application does: by using a driver that connects to the database server to send queries.
Data is encrypted in transit using TLS, if the server is configured to require it.
On the server side, the mongod generates a key per database that is used to encrypt the data, then encrypts those database keys using the master key, and stores them locally with the metadata. The master key should be stored in a KMIP service.
On the client side, mongodump does not encrypt the data when writing. This means that if you need the backup to be encrypted, you will need to encrypt the backup files after the backup completes.
If the application uses field-level encryption, the field contents are encrypted on the client side before being sent to the database for storage. The database server is not capable of decrypting those, so that data would still be encrypted in the backup.
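The post-dump encryption step the answer describes, as an added example that is not part of the original answer or of MongoDB's tooling. It assumes the openssl CLI is available, that the key file holds a passphrase generated with `openssl rand -hex 32` and kept at mode 0600, and that the function names, database name and paths are placeholders.

```shell
#!/bin/sh
# Added example: mongodump emits plaintext, so encryption is a separate stage
# applied to the archive it produces (or to its stdout stream).
# Assumptions: openssl >= 1.1.1 (for -pbkdf2), key file readable only by the
# backup user. openssl enc has no authenticated mode, so tamper detection of
# the ciphertext needs a separate signature or HMAC over the output file.

ITER=200000   # PBKDF2 iterations for deriving the AES key from the passphrase

# Encrypt an existing archive file: encrypt_backup <plaintext> <ciphertext> <keyfile>
encrypt_backup() {
    openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
        -pass "file:$3" -in "$1" -out "$2"
}

# Reverse of encrypt_backup: decrypt_backup <ciphertext> <plaintext> <keyfile>
decrypt_backup() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -pass "file:$3" -in "$1" -out "$2"
}

# Dump one database straight into an encrypted archive so no plaintext copy
# is ever written to disk: dump_encrypted <db> <outfile> <keyfile>
# (POSIX sh lacks pipefail; check mongodump's own logging separately.)
dump_encrypted() {
    mongodump --db "$1" --archive --gzip \
        | openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
            -pass "file:$3" -out "$2"
}

# Restore counterpart, decrypting on the fly: restore_encrypted <infile> <keyfile>
restore_encrypted() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" -pass "file:$2" -in "$1" \
        | mongorestore --archive --gzip
}

# Quick check that a known plaintext marker does not appear in the ciphertext:
# plaintext_absent <ciphertext> <marker>; returns 0 when the marker is absent.
plaintext_absent() {
    ! grep -q "$2" "$1"
}
```

Field-level encrypted values remain ciphertext inside the archive regardless of this step, as the answer notes; this wrapper protects everything else (indexes, metadata, unencrypted fields).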