MongoDB database encryption: database security, or how to use encryption to protect MongoDB data

邢焱
2023-12-01

MongoDB database encryption

Database security is a key factor for any application that handles very sensitive data, such as financial and health reports.

Data protection can be achieved through encryption at various levels, from the application itself down to the files containing the data.

Since MongoDB is a non-relational database, there is no need to define columns before inserting data; documents in the same collection may therefore have different fields from one another.

For a SQL DBMS, on the other hand, columns must be defined for the data, so all rows have the same columns. You can choose to encrypt individual columns, the entire database file, or the application data before it enters the database.

Encrypting individual columns is preferable because it is cheaper: less data is encrypted, and the more data you encrypt, the more latency you add. In general, the cost of encryption shows up in overall performance.

For a NoSQL DBMS, however, this approach is not the best option. Since not every document necessarily contains all the fields you want to encrypt, column-level encryption cannot be applied.

Application-level data encryption is quite expensive and difficult to implement. That leaves us with the option of encrypting data at the database level.

MongoDB provides built-in encryption, so protecting your confidential data requires no extra cost.

DATA ENCRYPTION IN MONGODB

Any operation on a database involves one of two forms of data: data at rest or data in transit (data on the move).

Data in transit is the flow of data passing through a network, while data at rest is static and does not move anywhere.

Both types of data are exposed to interference by unknown parties unless encryption is used. The encryption process involves:

  • Generating the master key for the entire database
  • Generating a unique key for each database
  • Encrypting your data with the database keys you generated
  • Encrypting the entire database with the master key

DATA ENCRYPTION DURING TRANSMISSION

There are two ways to transfer data between MongoDB and the server application: via Transport Layer Security (TLS) or Secure Sockets Layer (SSL).

These two encryption protocols are most often used to protect the data sent and received between two systems. Essentially, the idea is to encrypt connections to mongod and mongos instances so that network traffic can be read only by the intended client.

TLS/SSL is used in MongoDB with certificates in the form of PEM files, either issued by a certificate authority or self-signed. The latter has a limitation: although the communication channel is encrypted, the identity of the server is not verified, so the connection is vulnerable to man-in-the-middle attacks. It is therefore recommended to use certificates from a trusted authority, which allow MongoDB drivers to verify the server's authenticity as well.

Besides encryption, TLS/SSL can be used for client authentication and, through certificates, for internal authentication of replica set members and sharded clusters.

TLS/SSL CONFIGURATION FOR CLIENTS

There are various TLS/SSL settings that can be used when configuring these protocols.

For example, to connect to a mongod instance using encryption, run the mongo shell as follows:

mongo --ssl --host example.com --sslCAFile /etc/ssl/ca.pem

--ssl enables a TLS/SSL connection. --sslCAFile specifies the file containing the Certificate Authority (CA) certificate used to verify the certificate presented by mongod or mongos. The mongo shell therefore checks the certificate presented by the mongod instance against the specified CA file and the hostname.

You can also connect to a MongoDB instance that requires a client certificate, as in the sample command below:

mongo --ssl --host hostname.example.com --sslPEMKeyFile /etc/ssl/client.pem --sslCAFile /etc/ssl/ca.pem

The --sslPEMKeyFile option specifies a .pem file containing the mongo shell's certificate and private key, which it presents to the mongod or mongos instance. During the connection process:

First, the mongo shell checks whether the server's certificate was issued by the specified certificate authority (--sslCAFile); if not, the shell cannot connect.

Second, the shell also checks whether the hostname given in --host matches the SAN or CN on the certificate presented by mongod or mongos. If the hostname matches neither, the connection is not established.

If you do not want to use self-signed certificates, you must make sure that the connection network is trusted.

In addition, you need to reduce the exposure of the private key, especially where replica sets or sharded clusters are involved. This can be achieved by using a different certificate on each server.

Additional parameters that can be used for connections:

  • --sslMode requireSSL: the server accepts only encrypted TLS/SSL connections.

  • --sslAllowConnectionsWithoutCertificates: the server validates a client certificate only if the client presents one; a client that presents none can still connect in encrypted mode. For example:

mongod --sslMode requireSSL --sslAllowConnectionsWithoutCertificates --sslPEMKeyFile /etc/ssl/mongodb.pem --sslCAFile /etc/ssl/ca.pem

  • --sslDisabledProtocols: prevents the server from accepting incoming connections that use the listed protocol versions:

mongod --sslMode requireSSL --sslDisabledProtocols TLS1_0,TLS1_1 --sslPEMKeyFile /etc/ssl/mongodb.pem --sslCAFile /etc/ssl/ca.pem
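As an added example (not from the article or from MongoDB itself), the following Go code turns the server-side options above into a configuration check: Audit reports which of the page's recommendations a mongod TLS setup misses, and WeakConfig and HardenedConfig are constructed sample configurations, the second matching the requireSSL/sslDisabledProtocols command just shown. The TLSConfig type and its field names are this example's own, not mongod's.

```go
package main

import (
	"fmt"
	"strings"
)

// TLSConfig mirrors the mongod TLS/SSL command-line options discussed above;
// the field names are this example's own, not mongod's.
type TLSConfig struct {
	Mode                         string // --sslMode: disabled, allowSSL, preferSSL or requireSSL
	CAFile                       string // --sslCAFile: CA used to verify client certificates
	AllowConnectionsWithoutCerts bool   // --sslAllowConnectionsWithoutCertificates
	DisabledProtocols            string // --sslDisabledProtocols, e.g. "TLS1_0,TLS1_1"
	SelfSigned                   bool   // the server certificate is not CA-issued
}

// Audit returns one finding per recommendation from this page that the
// configuration misses; an empty result means the setup follows all of them.
func Audit(c TLSConfig) []string {
	var findings []string
	if c.Mode != "requireSSL" {
		findings = append(findings, fmt.Sprintf("sslMode %q still accepts unencrypted connections; use requireSSL", c.Mode))
	}
	if c.CAFile == "" {
		findings = append(findings, "no sslCAFile: client certificates cannot be verified")
	}
	if c.AllowConnectionsWithoutCerts {
		findings = append(findings, "sslAllowConnectionsWithoutCertificates: clients without a certificate are encrypted but not authenticated")
	}
	disabled := map[string]bool{} // protocol versions the server refuses
	for _, p := range strings.Split(c.DisabledProtocols, ",") {
		disabled[strings.TrimSpace(p)] = true
	}
	for _, legacy := range []string{"TLS1_0", "TLS1_1"} {
		if !disabled[legacy] {
			findings = append(findings, legacy+" is still accepted; add it to sslDisabledProtocols")
		}
	}
	if c.SelfSigned {
		findings = append(findings, "self-signed certificate: drivers cannot verify the server's identity, so the network must be trusted")
	}
	return findings
}

// Constructed sample configurations: WeakConfig is the kind of setup the text
// warns about; HardenedConfig matches the requireSSL/sslDisabledProtocols command above.
var WeakConfig = TLSConfig{Mode: "preferSSL", AllowConnectionsWithoutCerts: true, SelfSigned: true}
var HardenedConfig = TLSConfig{Mode: "requireSSL", CAFile: "/etc/ssl/ca.pem", DisabledProtocols: "TLS1_0,TLS1_1"}
```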

DATA ENCRYPTION AT REST

Starting with version 3.2, MongoDB introduced a built-in encryption option for the WiredTiger storage engine. A third party can read the data in this storage only with the decryption key that turns it back into readable form.

The encryption algorithm typically used in MongoDB is AES256-GCM, a symmetric cipher: the same secret key encrypts and decrypts the data. The encryption library can be run in FIPS mode, ensuring that the encryption meets the strictest standards and compliance requirements.

The files of the entire database are encrypted at the storage level using Transparent Data Encryption (TDE).

Whenever a file is encrypted, a unique private encryption key is generated, so it is useful to understand how these keys are managed and stored. All the generated database keys are in turn encrypted with the master key.

The difference between the database keys and the master key is that the database keys can be stored together with the encrypted data itself, whereas for the master key MongoDB recommends storing it on a server other than the one holding the encrypted data, such as a third-party enterprise key manager.

With replicated data, the encryption settings are not transferred to other nodes, because this mechanism does not encrypt the data as it travels over the network; each node encrypts its own storage. Nodes can use the same key, but it is best to use a unique key for each node.

ROTATION OF ENCRYPTION KEYS

The managed key used to decrypt sensitive data should be rotated or replaced at least once a year. MongoDB offers two options for achieving this.

KMIP MASTER KEY ROTATION

In this case only the master key is changed, since it is managed externally. The key rotation procedure is described below.

The master key is rotated one replica set member at a time, starting with the secondary members. Restart a secondary with the --kmipRotateMasterKey parameter:

mongod --enableEncryption --kmipRotateMasterKey \
  --kmipServerName <KMIP Server HostName> \
  --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem

When the rotation is complete, mongod exits, and you then restart the secondary without the --kmipRotateMasterKey parameter:

mongod --enableEncryption --kmipServerName <KMIP Server HostName> \
  --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem

Step down the primary: calling the rs.stepDown() method demotes the primary, which triggers the election of a new primary.

Check the node states with the rs.status() method; once the former primary reports that it has stepped down, rotate its master key by restarting it with the --kmipRotateMasterKey parameter:

mongod --enableEncryption --kmipRotateMasterKey \
  --kmipServerName <KMIP Server HostName> \
  --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem
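The key hierarchy from the encryption-at-rest section and the master-key rotation just described, as an added Go example that is not part of the article or of MongoDB's own code: it uses AES-256-GCM from the Go standard library to wrap per-database keys under a master key and to re-wrap them on rotation. The in-memory map and the random master key are constructed stand-ins for MongoDB's keystore and for the KMIP server that would hold the real master key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// random returns n cryptographically random bytes (used for keys and nonces).
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// aead returns AES-GCM for a 32-byte key, i.e. AES256-GCM, the mode MongoDB uses.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length ends up here; every key in this file is 32 bytes
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for a standard AES block
	return gcm
}

// seal encrypts and authenticates plaintext, prefixing a fresh random nonce;
// open reverses it and fails if the key is wrong or the bytes were tampered with.
func seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := random(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	gcm := aead(key)
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// RotateMasterKey models --kmipRotateMasterKey on one node: every database key
// (stored sealed under the master key) is re-wrapped under a fresh master key, which
// is returned. Data stays encrypted under the unchanged database keys, so nothing is
// re-encrypted, and the old master key can no longer unwrap any database key.
func RotateMasterKey(master []byte, wrapped map[string][]byte) ([]byte, error) {
	fresh := random(32) // constructed stand-in for the new key a KMIP server would supply
	for db, w := range wrapped {
		k, err := open(master, w)
		if err != nil {
			return nil, err
		}
		wrapped[db] = seal(fresh, k)
	}
	return fresh, nil
}
```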

LOGGING

MongoDB always writes a log file, recording status and other specified information at various intervals.

However, the log file is not encrypted as part of the storage engine's encryption. This creates the risk that a mongod instance with logging enabled writes potentially sensitive data into the log files simply as part of normal logging.

Since MongoDB version 3.4, the security.redactClientLogData parameter prevents potentially sensitive data from being written to the mongod process log. This option may, however, make diagnosing problems from the log harder.

Translated from: https://medium.com/@paggyru/database-security-how-to-use-encryption-to-protect-mongodb-data-fad40711919f
