# Replication set without disk encryption:
mongod --dbpath /home/donghua/LAB4/r0 --logpath /home/donghua/LAB4/r0/mongo.log --port 31250 --replSet UNENCRYPTED --fork
mongod --dbpath /home/donghua/LAB4/r1 --logpath /home/donghua/LAB4/r1/mongo.log --port 31251 --replSet UNENCRYPTED --fork
mongod --dbpath /home/donghua/LAB4/r2 --logpath /home/donghua/LAB4/r2/mongo.log --port 31252 --replSet UNENCRYPTED --fork
# Create the base64 encoded keyfile with the 32 character string
openssl rand -base64 32 > /home/donghua/LAB4/mongodb-keyfile
chmod 600 /home/donghua/LAB4/mongodb-keyfile
# Start rolling encryption with first secondary (r1)
mongo --port 31251
MongoDB Enterprise UNENCRYPTED:SECONDARY> db.getSisterDB('admin').shutdownServer()
# Cleanup is required, otherwise the following error message is expected:
# E STORAGE [initandlisten] Unable to retrieve key .system, error: There are existing data files, but no valid keystore could be located.
# [initandlisten] Fatal Assertion 28561
rm -rf /home/donghua/LAB4/r1/*
To use the key file, start mongod with the following options:
mongod --dbpath /home/donghua/LAB4/r1 --logpath /home/donghua/LAB4/r1/mongo.log --port 31251 --replSet UNENCRYPTED --fork --enableEncryption --encryptionKeyFile /home/donghua/LAB4/mongodb-keyfile
# Continue rolling encryption with second secondary (r2)
mongo --port 31252
MongoDB Enterprise UNENCRYPTED:SECONDARY> db.getSisterDB('admin').shutdownServer()
rm -rf /home/donghua/LAB4/r2/*
To use the key file, start mongod with the following options:
mongod --dbpath /home/donghua/LAB4/r2 --logpath /home/donghua/LAB4/r2/mongo.log --port 31252 --replSet UNENCRYPTED --fork --enableEncryption --encryptionKeyFile /home/donghua/LAB4/mongodb-keyfile
# Finally rolling encryption with primary (r0)
mongo --port 31250
MongoDB Enterprise UNENCRYPTED:PRIMARY> rs.stepDown()
MongoDB Enterprise UNENCRYPTED:SECONDARY> db.getSisterDB('admin').shutdownServer()
rm -rf /home/donghua/LAB4/r0/*
To use the key file, start mongod with the following options:
mongod --dbpath /home/donghua/LAB4/r0 --logpath /home/donghua/LAB4/r0/mongo.log --port 31250 --replSet UNENCRYPTED --fork --enableEncryption --encryptionKeyFile /home/donghua/LAB4/mongodb-keyfile
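
A pre-flight check for the two things each restart with --enableEncryption depends on in the procedure above: an owner-only key file that decodes to the 32 bytes produced by `openssl rand -base64 32`, and an empty dbpath (leftover data files cause the keystore error quoted earlier). This is an added example, not part of the original post; the function names and return codes are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run before starting a
# member with --enableEncryption. Function names and return codes are hypothetical.

# Print a file's octal permission bits (GNU stat, then BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# preflight KEYFILE DBPATH
# Returns 0 when the member is ready to start encrypted, otherwise:
#   1  key file missing or unreadable
#   2  key file accessible by group or other (the post sets mode 600)
#   3  key does not decode to 32 bytes (what `openssl rand -base64 32` yields)
#   4  dbpath missing or still holding files from the unencrypted run
preflight() {
    keyfile=$1
    dbpath=$2

    if [ ! -f "$keyfile" ] || [ ! -r "$keyfile" ]; then
        echo "key file missing or unreadable: $keyfile" >&2
        return 1
    fi

    mode=$(file_mode "$keyfile")
    case "$mode" in
        *00) ;;                       # owner-only, e.g. 600 or 400
        *)  echo "key file mode $mode allows group/other access" >&2
            return 2 ;;
    esac

    # Decode the base64 text and count the raw key bytes.
    nbytes=$(base64 -d < "$keyfile" 2>/dev/null | wc -c | tr -d ' ')
    if [ "$nbytes" != 32 ]; then
        echo "key decodes to $nbytes bytes, expected 32" >&2
        return 3
    fi

    # ls -A also lists dotfiles, which `rm -rf DBPATH/*` leaves behind.
    if [ ! -d "$dbpath" ] || [ -n "$(ls -A "$dbpath")" ]; then
        echo "dbpath is missing or not empty: $dbpath" >&2
        return 4
    fi
    return 0
}
```

Call it as `preflight /home/donghua/LAB4/mongodb-keyfile /home/donghua/LAB4/r1` after the `rm -rf` and before the encrypted `mongod` start for that member.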