This topic describes how to configure Transparent Data Encryption (TDE) for an ApsaraDB for MongoDB instance. TDE encrypts data files before they are written to disk and decrypts them when they are loaded from disk into memory, so the data is protected at rest without any change to the application that uses the instance. TDE does not increase the size of data files. Note the scope of the protection: TDE covers data files on disk only; it does not encrypt traffic between clients and the instance, and it does not restrict what an authenticated database user can read. You enable TDE for an instance in the ApsaraDB for MongoDB console.

Prerequisites

  • The instance is a replica set instance or a sharded cluster instance.
  • The storage engine of the instance is WiredTiger.
  • The database version of the instance is MongoDB 4.0 or 4.2. If the database version of the instance is earlier than MongoDB 4.0, upgrade the database version. For more information, see Upgrade MongoDB versions.
    Note Before you enable TDE, you can create a pay-as-you-go instance of MongoDB 4.0 or 4.2 to test the compatibility between your application and the database version. You can release the instance after you complete the test.

If the architecture or storage engine of your instance does not meet the requirements, you can create an instance that meets the requirements and migrate data of your instance to the new instance. For more information, see Configuration change overview.

Impacts

Notes

  • After you enable TDE, you cannot disable TDE.
  • You enable TDE for the whole instance. You can also enable or disable encryption for an individual collection as required. If you need field-level encryption, see Explicit (Manual) Client-Side Field Level Encryption (only MongoDB 4.2 instances are supported).
    Note When you create a collection, you can disable encryption for the collection. For more information, see Disable encryption for a collection.
  • After you enable TDE, only newly created collections are encrypted. Collections that were created before you enabled TDE remain unencrypted on disk. To encrypt data that already exists, create a new collection after TDE is enabled and copy the data into it; enabling TDE alone does not rewrite existing data files.
  • Key Management Service (KMS) generates and manages the keys used by TDE. ApsaraDB for MongoDB does not provide the keys or certificates required for encryption.

Procedure

  1. Log on to the ApsaraDB for MongoDB console.
  2. In the upper-left corner of the page, select the resource group and the region of the target instance.
  3. In the left-side navigation pane, click Replica Set Instances or Sharded Cluster Instances based on the instance type.
  4. Find the target instance and click its ID.
  5. In the left-side navigation pane, choose Data Security > TDE.
  6. Turn on the TDE Status switch to enable TDE.
  7. In the Enable TDE dialog box, select Use Automatically Generated Key or Use Custom Key, then click OK. The instance status changes to Modifying TDE. When the status returns to Running, TDE is enabled.
    Note You can use KMS to manage custom keys. For more information, see KMS. In either case the key lives in KMS, and TDE cannot decrypt the data files without it, so keep the key available for as long as the instance holds encrypted data.

Disable encryption for a collection

After you enable TDE, all newly created collections are encrypted. When you create a collection, you can perform the following steps to disable encryption for that collection:

  1. Connect to your instance through the mongo shell. For more information, see Connect to a replica set instance or Connect to a sharded cluster instance.
  2. Run the following command to create a collection and disable the encryption feature:
    db.createCollection("<collection_name>",{ storageEngine: { wiredTiger: { configString: "encryption=(name=none)" } } })
    Note <collection_name>: the name of the collection.

    Example

    db.createCollection("customer",{ storageEngine: { wiredTiger: { configString: "encryption=(name=none)" } } })
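Because TDE leaves pre-existing collections unencrypted, and because a collection can be created with encryption=(name=none) as above, it is worth auditing which collections in a TDE-enabled instance are actually encrypted. The following is an added example, not code from the ApsaraDB for MongoDB documentation. It relies on the fact that WiredTiger records the options a table was created with in db.<collection>.stats().wiredTiger.creationString, including the encryption group (for example encryption=(keyid=,name=none) for an unencrypted collection), and parses that string. The sample creationString values are constructed for the example; the audit helper names (wtGroup, encryptionName, unencryptedCollections, auditCurrentDatabase) are assumptions of this example. The script runs under Node against the constructed sample and under the mongo shell, where db is defined, against a live instance.

```javascript
// Added example: audit which collections in a TDE-enabled instance are encrypted,
// by parsing the WiredTiger creationString that stats() reports per collection.
// Not part of the ApsaraDB for MongoDB documentation.

// Extract the body of a top-level "key=( ... )" group from a WiredTiger config
// string, respecting nested parentheses so e.g. encryption=(keyid=,name=none)
// comes back intact from the surrounding comma-separated options.
function wtGroup(configString, key) {
  const needle = key + "=(";
  let start = configString.indexOf(needle);
  // Require the key to start the string or follow a comma (avoid suffix matches).
  while (start > 0 && configString[start - 1] !== ",") {
    start = configString.indexOf(needle, start + 1);
  }
  if (start < 0) return null;
  let depth = 0;
  for (let i = start + needle.length - 1; i < configString.length; i++) {
    const ch = configString[i];
    if (ch === "(") depth++;
    else if (ch === ")") {
      depth--;
      if (depth === 0) return configString.slice(start + needle.length, i);
    }
  }
  return null; // unbalanced parentheses: treat as absent
}

// Encryption algorithm name recorded for a collection ("" or "none" when it is
// unencrypted), or null if the config string has no encryption group at all.
function encryptionName(creationString) {
  const group = wtGroup(creationString, "encryption");
  if (group === null) return null;
  const m = /(?:^|,)name=([^,)]*)/.exec(group);
  return m ? m[1] : null;
}

// Given { collectionName: creationString }, return the names (sorted) of the
// collections that are NOT encrypted on disk.
function unencryptedCollections(creationStrings) {
  return Object.keys(creationStrings)
    .filter((name) => {
      const algo = encryptionName(creationStrings[name]);
      return algo === null || algo === "" || algo === "none";
    })
    .sort();
}

// Constructed sample (not captured from a real instance): one collection created
// after TDE was enabled, one created before, one created with name=none.
const SAMPLE_CREATION_STRINGS = {
  orders:
    "allocation_size=4KB,app_metadata=(formatVersion=1),block_compressor=snappy," +
    "encryption=(keyid=.system,name=AES256-CBC),key_format=q,memory_page_max=10m",
  legacy:
    "allocation_size=4KB,app_metadata=(formatVersion=1),block_compressor=snappy," +
    "encryption=(keyid=,name=),key_format=q,memory_page_max=10m",
  customer:
    "allocation_size=4KB,app_metadata=(formatVersion=1),block_compressor=snappy," +
    "encryption=(keyid=,name=none),key_format=q,memory_page_max=10m",
};

// Pick the creationString out of a stats() document. Replica sets report it under
// wiredTiger; sharded clusters report per-shard stats under shards.<name>.wiredTiger.
function creationStringOf(stats) {
  if (stats.wiredTiger) return stats.wiredTiger.creationString;
  if (stats.shards) {
    const first = Object.keys(stats.shards)[0];
    return first ? stats.shards[first].wiredTiger.creationString : undefined;
  }
  return undefined;
}

// mongo shell only (needs the global `db`): audit the current database.
function auditCurrentDatabase() {
  const strings = {};
  db.getCollectionNames().forEach((name) => {
    const cs = creationStringOf(db.getCollection(name).stats());
    if (cs) strings[name] = cs;
  });
  return unencryptedCollections(strings);
}

if (typeof db !== "undefined") {
  print("unencrypted collections: " + auditCurrentDatabase().join(", "));
} else {
  console.log("unencrypted (sample): " + unencryptedCollections(SAMPLE_CREATION_STRINGS).join(", "));
}
```

Run it in the mongo shell with `mongo <connection string> audit.js` after switching to the database you want to check (or `use <db>` and `load("audit.js")`); any name it prints is a collection whose data files are still in plaintext and needs to be recreated after TDE is enabled if it must be encrypted.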