
How to Enable MongoDB Encryption at Rest using Azure Customer-Managed Keys (CMK)

Atlas encrypts all cluster storage and snapshot volumes at rest by default. We can add another layer of security by using a cloud provider's KMS together with the MongoDB encrypted storage engine.


In this use case we will use a key that resides in an Azure Key Vault to encrypt MongoDB data at rest.


Step 1: Query the IPs of the database hosts in the MongoDB cluster

In a MongoDB cluster there are multiple databases. Each database has a different set of hostnames, depending on how many nodes it has. Let us look up the IPs of the nodes of the database that we want to encrypt with Azure CMK.

Connect to the database with the MongoDB Shell and run the following command:

rs.conf()

For example, in this use case we have a database named 'GTS_DEV_INCOCO_01'. We connect to it with the MongoDB Shell and run rs.conf(). This command lists the hostnames of all nodes in the cluster (the 'host' field of each entry in the 'members' array).


Next, we can query the IPs of each hostname using the nslookup command.

Step 2: Query IPs of MongoDB Control Plane components

The MongoDB Atlas control plane has both inbound and outbound IPs. To list them, execute the following command (the endpoint is unauthenticated, so no API credentials are needed):

curl --header "Accept: application/vnd.atlas.2023-11-15+json" "https://cloud.mongodb.com/api/atlas/v2/unauth/controlPlaneIPAddresses?pretty=true"

Step 3: Establish the connection between Azure Key Vault and MongoDB Atlas

To encrypt a MongoDB database with a Microsoft Azure CMK, we first need to allow the MongoDB cluster to reach the Azure Key Vault.


In this use case the Azure Key Vault is not open to all public connections: the firewall is enabled at the Key Vault level and only allows selected IPs or virtual networks to access the keys or secrets inside the vault.


We therefore need to add three kinds of IPs to the Key Vault firewall:

3.1. The IP addresses of the hostnames of the database cluster (queried in Step 1).

3.2. The outbound IPs for Azure (the MongoDB control plane component IPs queried in Step 2). In this case we need to add the following IPs:

20.53.104.226/32
20.84.232.59/32
20.24.112.135/32
20.96.47.95/32
20.105.25.17/32
20.212.99.191/32
52.149.111.83/32
40.112.209.0/32

3.3. The inbound IPs for Azure (the MongoDB control plane component IPs queried in Step 2). In this case we need to add the following IP: 34.237.40.31

In the Azure Key Vault, go to the 'Networking' option and add the IPs in the 'Firewall' section.
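As an added example (not code from the original post), the following Python script assembles the allow-list for Steps 1 to 3: it merges the Azure inbound and outbound control plane CIDRs from a constructed sample of the controlPlaneIPAddresses response (its JSON shape is an assumption) with the node IPs resolved in Step 1, deduplicates and normalises them to /32 entries, and renders the matching 'az keyvault network-rule add' commands for the Key Vault firewall.

```python
import ipaddress
import json

# Constructed sample of the Atlas controlPlaneIPAddresses response; the
# inbound/outbound -> provider -> region -> [CIDR] shape is an assumption.
SAMPLE_CONTROL_PLANE_JSON = json.dumps({
    "inbound": {
        "azure": {"westeurope": ["34.237.40.31/32"]}, "aws": {"us-east-1": ["3.3.3.3/32"]},
    },
    "outbound": {
        "azure": {
            "westeurope": ["20.53.104.226/32", "20.84.232.59/32"],
            "northeurope": ["20.53.104.226/32", "40.112.209.0/32"],
        },
        "aws": {"us-east-1": ["4.4.4.4/32"]},
    },
})

# Constructed node IPs, as resolved with nslookup from the rs.conf() hostnames.
SAMPLE_NODE_IPS = ["10.0.0.5", "10.0.0.6", "10.0.0.6"]


def control_plane_cidrs(raw_json, provider="azure"):
    """Collect inbound and outbound control-plane CIDRs of one provider, all regions."""
    doc = json.loads(raw_json)
    cidrs = set()
    for direction in ("inbound", "outbound"):
        for region_cidrs in doc.get(direction, {}).get(provider, {}).values():
            cidrs.update(region_cidrs)
    return cidrs


def key_vault_firewall_rules(raw_json, node_ips, provider="azure"):
    """Return the deduplicated, sorted /32 entries to allow in the Key Vault firewall."""
    entries = set(control_plane_cidrs(raw_json, provider))
    # Plain node IPs become host networks so every entry has the same /32 form.
    entries.update(f"{ipaddress.ip_address(ip)}/32" for ip in node_ips)
    # strict=True rejects malformed CIDRs (host bits set) instead of silently widening them.
    networks = {ipaddress.ip_network(e, strict=True) for e in entries}
    return [str(n) for n in sorted(networks)]


def az_network_rule_commands(vault_name, resource_group, cidrs):
    """Render one 'az keyvault network-rule add' command per firewall entry."""
    return [f"az keyvault network-rule add --name {vault_name} "
            f"--resource-group {resource_group} --ip-address {cidr}" for cidr in cidrs]


if __name__ == "__main__":
    rules = key_vault_firewall_rules(SAMPLE_CONTROL_PLANE_JSON, SAMPLE_NODE_IPS)
    print("\n".join(az_network_rule_commands("kv-example", "rg-example", rules)))
```

Replace the sample JSON with the real curl output from Step 2 and the sample node IPs with the ones resolved in Step 1 before using the generated commands.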


Step 4: Update the access policy of the Azure Key Vault

We grant the 'Encrypt' and 'Decrypt' key permissions in the Key Vault's access policies to the service principal (SPN) that Atlas will use. In the Azure Key Vault, go to the 'Access Policies' option and add the Encrypt and Decrypt permissions for the SPN AppID that we are going to use in the following steps.



Step 5: Configure Azure CMK in the database settings of MongoDB

To configure Azure CMK in MongoDB, go to the database in MongoDB (in this case GTS_DEV_INCOCO_01) and open the 'Security -> Advanced' option.

Enable the 'Encryption at Rest using your Key Management' option, select 'AZURE KEY VAULT', and fill in the following details:


-- Account Credentials
Client ID (in this case the AppID of the SPN)
Tenant ID
Secret

-- Key Vault Credentials
Subscription ID
Resource Group Name
Key Vault Name

-- Encryption Key
Key Identifier


Save the changes by clicking 'Save'.



Step 6: Activate the key for encryption at rest

To activate the Azure CMK for encryption, open the cluster configuration (in this example 'incoco-dev-weu-clu01'). Under 'Additional Settings', enable the 'Manage your own encryption keys' option and select 'Azure Key Vault' from the menu.

Click 'Review' and then 'Apply'.


VALIDATION:

Check the database snapshots: the 'Encryption Key ID' field must show the Azure Key ID value.

