Date posted: 25-Jul-2015 | Category: Technology | Uploaded by: mongodb
The Agenda
➔ Why MongoDB needs an Encrypted Storage Engine.
➔ Dissecting the Encrypted Storage Engine.
➔ Answering any questions.
MongoDB has multiple layers.
➔ storage integration layer
➔ other layers: sharding, replication, query execution, network, etc.
➔ storage engine
Storage engine manages on-disk layout.
How does an Encrypted Storage Engine benefit you?
➔ Encryption is FIPS 140-2 Compliant.
➔ Compatible with Compression.
May help achieve compliance with:
SOX
ISO 27001
GLBA
HIPAA/HITECH
PCI
FERPA
PII
How do you start using Encrypted Storage Engines in your deployment?
➔ Targeted for upcoming release.
➔ Available in MongoDB Enterprise Advanced.
➔ Must be using WiredTiger storage engine.
➔ Performance hit relative to unencrypted system.
[Diagram: Various MongoDB Layers and the Storage Integration Layer sit on top of WiredTiger; WiredTiger holds the WT Configuration Options, WT Metadata and the Write-Ahead Log]
One MongoDB database maps to many WiredTiger tables.
db foo:
➔ two collections: foo.abc, foo.xyz
➔ foo.abc and foo.xyz both have index on _id
➔ no additional indexes
➔ four tables to represent db foo
➔ one table per collection
➔ one table per index
[Diagram: the Encryption Key Manager is added beside the Storage Integration Layer, above WiredTiger (WT Configuration Options, WT Metadata, Write-Ahead Log); the Key Manager exposes a Key API and talks to External Key Storage]
What external systems will be supported?
➔ Key Management Interoperability Protocol (KMIP)
➔ Key in protected file
What Key Granularity will be supported?
➔ Master Key
➔ One Key Per Database
[Diagram: the Key Manager feeds WiredTiger, alongside the WT Configuration Options, WT Metadata and Write-Ahead Log]
[Diagram: Encryption Key Manager with its Key API and External Key Storage; keyids are recorded in local.sys.keyids]
What does a Key Manager do?
➔ Get Master Key stored externally to MongoDB
➔ Provide keyids to WiredTiger
Encryption Algorithm Overview
➔ AES-256 in GCM mode.
➔ Use of OpenSSL EVP encryption routines.
➔ Potential to support more algorithms in the future.
[Diagram: the Encryption Key Manager holds the Encryption Keys (* encrypted with the Master Key) and supplies them to WiredTiger, next to the WT Configuration Options, WT Metadata and Write-Ahead Log]
In Conclusion.
➔ Available in an upcoming release!
➔ First release focused on WiredTiger.
➔ Part of a complete secure, compliant solution.
Q: How does encryption at rest work with replication?
[Diagram: a Primary replicating to two Secondaries]
A: Tailing the oplog is done with a query: the data is decrypted, transmitted, and re-encrypted. Please use TLS.