Engineering an Encrypted Storage Engine Amalia Hawkins

Upload: mongodb

Post on 25-Jul-2015


Engineering an Encrypted Storage Engine

Amalia Hawkins

The Agenda

➔ Why MongoDB needs an Encrypted Storage Engine.

➔ Dissecting the Encrypted Storage Engine.

➔ Answering any questions.


What is Encryption at Rest?

[diagram: clients <-> "database" <-> physical storage]

Encryption at Rest refers to data on disk.

Use TLS for over-the-wire encryption.

What is a Storage Engine?

MongoDB has multiple layers.

[diagram: MongoDB = other layers (sharding, replication, query execution, network, etc.) + storage integration layer + storage engine]

Storage engine manages on-disk layout.

Why Encrypt at the Storage Engine Level?

How does an Encrypted Storage Engine benefit you?

➔ Encryption is FIPS 140-2 Compliant.

➔ Compatible with Compression.

May help achieve compliance with:

SOX

ISO 27001

GLBA

HIPAA/HITECH

PCI

FERPA

PII

How do you start using Encrypted Storage Engines in your deployment?

➔ Targeted for upcoming release.

➔ Available in MongoDB Enterprise Advanced.

➔ Must be using WiredTiger storage engine.

➔ Performance hit relative to unencrypted system.


Various MongoDB Layers

[diagram: MongoDB -> Storage Integration Layer -> Storage Engine]

[diagram: MongoDB -> Storage Integration Layer -> WiredTiger (WT Configuration Options, WT Metadata, Write-Ahead Log)]

One MongoDB database maps to many WiredTiger tables.

db foo

➔ two collections: foo.abc, foo.xyz

➔ foo.abc and foo.xyz both have index on _id

➔ no additional indexes

WiredTiger

➔ four tables to represent db foo

➔ one table per collection

➔ one table per index

Various MongoDB Layers

[diagram: MongoDB -> Storage Integration Layer -> Encryption Key Manager + WiredTiger (WT Configuration Options, WT Metadata, Write-Ahead Log)]

What does a Key Manager do?

[diagram: Encryption Key Manager = Key API + External Key Storage]

➔ Get Master Key stored externally to MongoDB

What external systems will be supported?

➔ Key Management Interoperability Protocol

➔ Key in protected file

What Key Granularity will be supported?

[diagram: Key Manager holds the Master Key; One Key Per Database; WiredTiger (WT Configuration Options, WT Metadata, Write-Ahead Log)]

What does a Key Manager do?

[diagram: Encryption Key Manager = Key API + External Key Storage; keyids recorded in local.sys.keyids]

➔ Get Master Key stored externally to MongoDB

➔ Provide keyids to WiredTiger

Encryption Algorithm Overview

➔ AES-256 in GCM mode.

➔ Use of OpenSSL EVP encryption routines.

➔ Potential to support more algorithms in the future.

Various MongoDB Layers

[diagram: MongoDB -> Storage Integration Layer -> Encryption Key Manager (Encryption Keys*) + WiredTiger (WT Configuration Options, WT Metadata, Write-Ahead Log)]

* Encrypted with Master Key
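The following is an added example, not code from MongoDB, WiredTiger or this talk. It models the key hierarchy the slides describe (the Encryption Algorithm Overview and the "Encrypted with Master Key" footnote above) in Go: the master key, obtained outside the database, wraps one data key per database with AES-256-GCM, only the wrapped form is stored, and each on-disk block is sealed under its database's key with a fresh nonce. Go's standard-library AES-GCM stands in for the OpenSSL EVP routines the deck names. The names KeyManager, CreateDatabaseKey, EncryptBlock and DecryptBlock, the choice to bind the database and table names as authenticated data (the slides do not say what, if anything, is authenticated), and the demo master key are all my own constructions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyManager is a constructed model (not MongoDB's code) of the slides' key hierarchy:
// an external master key wraps one data key per database; only wrapped keys are stored.
type KeyManager struct {
	master  []byte            // 32-byte master key from KMIP or a protected file
	wrapped map[string][]byte // database name -> data key sealed under master
}

func NewKeyManager(master []byte) (*KeyManager, error) {
	if len(master) != 32 {
		return nil, fmt.Errorf("master key must be 32 bytes for AES-256, got %d", len(master))
	}
	return &KeyManager{master: master, wrapped: map[string][]byte{}}, nil
}

// newGCM builds AES-256-GCM from the standard library, in place of the OpenSSL EVP routines.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal prefixes a fresh random nonce; aad is authenticated but not encrypted.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen fails on any change to nonce, ciphertext, tag or aad.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// CreateDatabaseKey generates a data key and stores only its wrapped form; the
// database name is AAD, so the wrapped key cannot be unwrapped as another database's.
func (km *KeyManager) CreateDatabaseKey(db string) error {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return err
	}
	w, err := gcmSeal(km.master, dataKey, []byte(db))
	if err != nil {
		return err
	}
	km.wrapped[db] = w
	return nil
}

// dataKey unwraps the per-database key; an unknown db yields a nil record, which gcmOpen rejects.
func (km *KeyManager) dataKey(db string) ([]byte, error) {
	return gcmOpen(km.master, km.wrapped[db], []byte(db))
}

// EncryptBlock seals one on-disk block of a table (e.g. "foo.abc") in db; the
// table name is AAD, so a block moved between tables will not decrypt.
func (km *KeyManager) EncryptBlock(db, table string, plain []byte) ([]byte, error) {
	dk, err := km.dataKey(db)
	if err != nil {
		return nil, err
	}
	return gcmSeal(dk, plain, []byte(table))
}

// DecryptBlock is the read path: verify and decrypt, or refuse the block.
func (km *KeyManager) DecryptBlock(db, table string, sealed []byte) ([]byte, error) {
	dk, err := km.dataKey(db)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dk, sealed, []byte(table))
}

func main() {
	km, _ := NewKeyManager([]byte("0123456789abcdef0123456789abcdef")) // constructed demo key
	_ = km.CreateDatabaseKey("foo")
	sealed, _ := km.EncryptBlock("foo", "foo.abc", []byte("document bytes"))
	sealed[len(sealed)-1] ^= 1 // flip one bit of the GCM tag
	_, err := km.DecryptBlock("foo", "foo.abc", sealed)
	fmt.Println("tampered block rejected:", err != nil)
}
```

Because GCM is authenticated, a block whose ciphertext or tag has been altered, a block read under the wrong table name, or a wrapped key unwrapped with the wrong master key all fail closed rather than producing garbage plaintext; that is the property that lets the key manager hand out keyids to the storage engine and still treat the on-disk files as untrusted.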

Full re-encryption is achieved by bringing up a new replica.

[diagram: replica set of Primary and two Secondaries]

In Conclusion.

➔ Available in an upcoming release!

➔ First release focused on WiredTiger.

➔ Part of a complete secure, compliant solution.


Any Questions?

Thank you so much!

Backup Slides

Q: How does encryption at rest work with replication?

[diagram: replica set of Primary and two Secondaries]

A: Tailing the oplog is done with a query: the data is decrypted, transmitted, and re-encrypted. Please use TLS.

Q: What about in-memory protection?

A: We are not planning to encrypt memory content, but we use OS protection mechanisms to ensure key material is not paged out.