
Configure KMIP Encryption at Rest


You can configure encryption at rest for a MongoDB deployment managed by the Kubernetes Operator by using a KMIP server.

Before configuring encryption at rest, consider the following:

  • You must have a running KMIP server.

  • You can't transition a deployment that uses keyfile-based encryption at rest to KMIP-based encryption at rest.

  • If you want to enable KMIP encryption at rest for an already deployed MongoDB resource, contact MongoDB Support.

The following procedure describes how to configure a sample KMIP configuration for a MongoDB replica set. Adjust the file names and paths, Kubernetes namespace, resource names, and MongoDB version as necessary for your deployment.

1. Run the following command to create a ConfigMap to hold the CA that signed the KMIP server's certificate:

kubectl -n mongodb create configmap mongodb-kmip-certificate-authority-pem --from-file=ca.pem

2. Run the following command to create a secret to hold the concatenated client certificate and private key for checking out the master key from the KMIP server:

kubectl -n mongodb create secret generic mongodb-kmip-client-pem --from-file=cert.pem

3. Configure the additionalMongodConfig settings in your custom resource specification to use the KMIP server. For example:

apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: kmip
  namespace: mongodb
spec:
  type: ReplicaSet
  members: 3
  backup:
    encryption:
      kmip:
        client:
          clientCertificatePrefix: "mdb"
  additionalMongodConfig:
    security:
      enableEncryption: true
      kmip:
        clientCertificateFile: /kmip/cert/cert.pem
        serverCAFile: /kmip/ca/ca.pem
        serverName: pykmip-server.pymongo
        port: 5696
  featureCompatibilityVersion: '6.0'
  version: 6.0.14-ent
  opsManager:
    configMapRef:
      name: my-project
  credentials: my-credentials
  podSpec:
    podTemplate:
      spec:
        containers:
          - name: mongodb-enterprise-database
            volumeMounts:
              - name: mongodb-kmip-client-pem
                mountPath: /kmip/cert
              - name: mongodb-kmip-certificate-authority-pem
                mountPath: /kmip/ca
        volumes:
          - name: mongodb-kmip-client-pem
            secret:
              secretName: mongodb-kmip-client-pem
          - name: mongodb-kmip-certificate-authority-pem
            configMap:
              name: mongodb-kmip-certificate-authority-pem
              items:
                - key: ca.pem
                  path: ca.pem

Important

If you set the spec.backup.encryption.kmip setting in your resource, the API keys linked with the value of spec.credentials must have the Global Owner role.
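The following pre-flight check is an added example, not part of the Kubernetes Operator or of these docs. It takes the resource spec from step 3 (embedded here as a constructed Python dict, as yaml.safe_load would return it) and confirms that the two paths under security.kmip actually resolve to files under the container's volume mounts, with the layout this page uses: the client certificate and key from a Secret, the CA from a ConfigMap. It also checks that the cert.pem you hand to step 2 really is the concatenation of a certificate and a private key; the PEM bodies are dummies.

```python
import re
# Constructed sample input: the page's manifest spec, as yaml.safe_load would return it
SPEC = {
    "additionalMongodConfig": {"security": {"enableEncryption": True, "kmip": {
        "clientCertificateFile": "/kmip/cert/cert.pem",
        "serverCAFile": "/kmip/ca/ca.pem",
        "serverName": "pykmip-server.pymongo", "port": 5696}}},
    "podSpec": {"podTemplate": {"spec": {
        "containers": [{"name": "mongodb-enterprise-database", "volumeMounts": [
            {"name": "mongodb-kmip-client-pem", "mountPath": "/kmip/cert"},
            {"name": "mongodb-kmip-certificate-authority-pem", "mountPath": "/kmip/ca"}]}],
        "volumes": [
            {"name": "mongodb-kmip-client-pem", "secret": {"secretName": "mongodb-kmip-client-pem"}},
            {"name": "mongodb-kmip-certificate-authority-pem",
             "configMap": {"name": "mongodb-kmip-certificate-authority-pem"}}]}}},
}
# Constructed stand-in for cert.pem: certificate followed by private key (bodies are dummies)
CLIENT_PEM = ("-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
              "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n")

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def client_pem_ok(pem_text):
    """True if the file holds both a certificate and a private key block."""
    kinds = {m.group(1) for m in PEM_BLOCK.finditer(pem_text)}
    return "CERTIFICATE" in kinds and any(k.endswith("PRIVATE KEY") for k in kinds)

def kmip_spec_problems(spec):
    """Return the problems found in a MongoDB resource spec; an empty list means ok."""
    problems = []
    sec = spec.get("additionalMongodConfig", {}).get("security", {})
    kmip = sec.get("kmip", {})
    if sec.get("enableEncryption") is not True:
        problems.append("security.enableEncryption must be true")
    pod = spec.get("podSpec", {}).get("podTemplate", {}).get("spec", {})
    volumes = {v["name"]: v for v in pod.get("volumes", [])}
    mounts = [m for c in pod.get("containers", []) for m in c.get("volumeMounts", [])]
    def backing(path):
        # Volume type that serves `path` in the pod: "secret", "configMap" or None (not mounted)
        for m in mounts:
            if path.startswith(m["mountPath"].rstrip("/") + "/"):
                vol = volumes.get(m["name"], {})
                return next((k for k in ("secret", "configMap") if k in vol), None)
        return None
    if backing(kmip.get("clientCertificateFile", "")) != "secret":
        problems.append("clientCertificateFile must be mounted from a Secret")
    if backing(kmip.get("serverCAFile", "")) != "configMap":
        problems.append("serverCAFile must be mounted from a ConfigMap")
    return problems
```

Run it against your own manifest (load it with a YAML parser and pass the spec mapping) before applying the resource; a private key served from a ConfigMap or a path that matches no mount is reported instead of surfacing as a mongod startup failure.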
