MongoDB Enterprise Kubernetes Operator

Configure KMIP Encryption at Rest


You can configure encryption at rest for a MongoDB deployment managed by the Kubernetes Operator by using a KMIP server.

Considerations

Before configuring encryption at rest, consider the following:

  • You must have a running KMIP server.

  • You can't transition a deployment that uses keyfile-based encryption at rest to KMIP-based encryption at rest.

  • If you want to enable KMIP encryption at rest for an already deployed MongoDB resource, contact MongoDB Support.

Procedure

The following procedure describes how to configure a sample KMIP configuration for a MongoDB replica set. Adjust the file names and paths, Kubernetes namespace, resource names, and MongoDB version as necessary for your deployment.

1. Run the following command to create a ConfigMap to hold the CA certificate that signed the KMIP server's certificate:

kubectl -n mongodb create configmap mongodb-kmip-certificate-authority-pem --from-file=ca.pem

2. Run the following command to create a Secret to hold the concatenated client certificate and private key used to check out the master key from the KMIP server:

kubectl -n mongodb create secret generic mongodb-kmip-client-pem --from-file=cert.pem

3. Configure the additionalMongodConfig settings in your custom resource specification to use the KMIP server. For example:

apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: kmip
  namespace: mongodb
spec:
  type: ReplicaSet
  members: 3
  backup:
    encryption:
      kmip:
        client:
          clientCertificatePrefix: "mdb"
  additionalMongodConfig:
    security:
      enableEncryption: true
      kmip:
        clientCertificateFile: /kmip/cert/cert.pem
        serverCAFile: /kmip/ca/ca.pem
        serverName: pykmip-server.pymongo
        port: 5696
  featureCompatibilityVersion: '6.0'
  version: 6.0.14-ent
  opsManager:
    configMapRef:
      name: my-project
  credentials: my-credentials
  podSpec:
    podTemplate:
      spec:
        containers:
          - name: mongodb-enterprise-database
            volumeMounts:
              - name: mongodb-kmip-client-pem
                mountPath: /kmip/cert
              - name: mongodb-kmip-certificate-authority-pem
                mountPath: /kmip/ca
        volumes:
          - name: mongodb-kmip-client-pem
            secret:
              secretName: mongodb-kmip-client-pem
          - name: mongodb-kmip-certificate-authority-pem
            configMap:
              name: mongodb-kmip-certificate-authority-pem
              items:
                - key: ca.pem
                  path: ca.pem

Important

If you set the spec.backup.encryption.kmip setting in your resource, the API keys linked with the value of spec.credentials must have the Global Owner role.
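As an added pre-flight check (example code written for this page, not part of the Operator), the following POSIX shell functions verify, before steps 1 and 2 are run, that ca.pem holds only certificates, since a ConfigMap is not a secret store, and that cert.pem is the expected concatenation of one client certificate and one private key; the function names and the constructed sample files are this example's own.

```shell
# Pre-flight check for the input files of steps 1 and 2. Function and
# sample file names are this example's own, not part of the Operator.
# Print how many PEM blocks in file $1 have a BEGIN line matching regex $2.
pem_count() {
  n=$(grep -c -e "^-----BEGIN $2-----" "$1" 2>/dev/null || true)
  echo "${n:-0}"
}

# ca.pem lands in a ConfigMap, which is not a secret store: it must hold
# at least one certificate and no private key at all.
check_ca_pem() {
  [ "$(pem_count "$1" 'CERTIFICATE')" -ge 1 ] || return 1
  [ "$(pem_count "$1" '.*PRIVATE KEY')" -eq 0 ] || return 1
  return 0
}

# cert.pem lands in a Secret and must be the concatenation step 2 expects:
# exactly one client certificate plus exactly one private key.
check_client_pem() {
  [ "$(pem_count "$1" 'CERTIFICATE')" -eq 1 ] || return 1
  [ "$(pem_count "$1" '.*PRIVATE KEY')" -eq 1 ] || return 1
  return 0
}

# Write constructed sample files (placeholder bodies, not real certificates
# or keys) into a temporary directory and print its path.
make_samples() {
  d=$(mktemp -d)
  c='-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXI=
-----END CERTIFICATE-----'
  k='-----BEGIN PRIVATE KEY-----
cGxhY2Vob2xkZXI=
-----END PRIVATE KEY-----'
  printf '%s\n' "$c" > "$d/ca.pem"                    # step 1 input: accepted
  printf '%s\n%s\n' "$c" "$k" > "$d/ca-leaks-key.pem" # a key would land in a ConfigMap
  printf '%s\n%s\n' "$c" "$k" > "$d/cert.pem"         # step 2 input: accepted
  printf '%s\n' "$c" > "$d/cert-no-key.pem"           # private key missing
  echo "$d"
}

dir=$(make_samples)
for f in ca.pem ca-leaks-key.pem; do
  check_ca_pem "$dir/$f" && echo "ConfigMap input accepted: $f" || echo "rejected: $f"
done
for f in cert.pem cert-no-key.pem; do
  check_client_pem "$dir/$f" && echo "Secret input accepted: $f" || echo "rejected: $f"
done
rm -r "$dir"
```

Run it against the real ca.pem and cert.pem from the same directory the kubectl commands are run in; a rejected ca.pem means a private key would be published in a ConfigMap.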
