Error when enabling data encryption using local key MONGODB


Problem description

I have successfully encrypted the communication in MongoDB, but when I try to enable the data encryption I'm getting errors. I am using the enterprise edition of MongoDB with version 3.2.4. I get the following message in the console:

ERROR: child process failed, exited with error number 14

But when I look at the logs I see a detailed error as follows:

Unable to retrieve key .system, error: there are existing data files, but no valid keystore could be located.
Fatal Assertion 28561

The following is a snippet of my config file:

# enable authentication
security:
  authorization: enabled
  enableEncryption: true
  encryptionKeyFile: /home/test/mongodb-keyfile

It works fine without the enableEncryption and encryptionKeyFile parameters. Could anyone explain what I'm missing here? Thanks!

Recommended answer

MongoDB's encrypted storage engine supports two key management options:

  • Key Manager: Integration with third party key management appliance via the Key Management Interoperability Protocol (KMIP).
  • Local Key: Use of local key management via a keyfile.

Worth mentioning that using a key manager meets regulatory key management guidelines and is recommended over the local key management.

If you are using Key Manager option, please see KMIP Master Key Rotation.

Since you are using the Local Key option, if you have a Replica Set deployment you could rotate the replica set member. This would re-sync data from the un-encrypted to the encrypted mongod.

Alternatively if you only have a standalone mongod, you could:

  1. Back up your database files.
  2. Stop mongod process.
  3. Delete or move existing database files in dbpath. Exercise extra caution! - If you are deleting, make sure you have backup data.
  4. Restart mongod with --enableEncryption and --encryptionKeyFile.
  5. Restore backup files to the restarted and encrypted mongod.

As an example, you could use mongodump to dump the data, and use mongorestore to restore the dump files.

Lastly, note that MongoDB Enterprise edition is a commercially supported product. I'd suggest opening a support case if you have a Commercial Support subscription.
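
The five standalone steps above as a guarded shell runbook. This is an added example, not part of the original answer; all paths are placeholders supplied by the caller, authentication options for mongodump and mongorestore are omitted, and it assumes it runs as the OS user that owns the mongod data directory.

```bash
#!/usr/bin/env bash
# Added example: re-create a standalone mongod dbpath with encryption at rest.
# DRY_RUN=1 (the default) only prints each command; set DRY_RUN=0 to execute.
# Usage: migrate_to_encrypted <dbpath> <keyfile> <dumpdir> <logfile>

run() {  # print the command; execute it only when DRY_RUN=0
  echo "+ $*"
  [ "${DRY_RUN:-1}" = 1 ] || "$@"
}

check_keyfile() {  # key must be a non-empty regular file readable by owner only
  if [ ! -f "$1" ] || [ ! -s "$1" ]; then
    echo "keyfile missing or empty: $1" >&2; return 1
  fi
  if [ -z "$(find "$1" -prune -perm 600)" ]; then
    echo "keyfile mode must be 600: $1" >&2; return 1
  fi
}

dbpath_is_empty() {  # true when the directory exists and holds no entries
  [ -d "$1" ] && [ -z "$(ls -A "$1")" ]
}

migrate_to_encrypted() {
  local dbpath="$1" keyfile="$2" dump="$3" log="$4"
  local old="${dbpath}.unencrypted"
  check_keyfile "$keyfile" || return 1
  if [ -e "$old" ]; then echo "refusing to overwrite $old" >&2; return 1; fi
  run mongodump --out "$dump" || return 1                  # step 1: back up
  run mongod --dbpath "$dbpath" --shutdown || return 1     # step 2: stop (Linux)
  run mv "$dbpath" "$old" || return 1                      # step 3: move, not delete
  run mkdir -m 700 "$dbpath" || return 1
  # Existing data files with no keystore is the condition in the logged error,
  # so confirm the new dbpath is empty before the encrypted start.
  if [ "${DRY_RUN:-1}" != 1 ] && ! dbpath_is_empty "$dbpath"; then
    echo "dbpath not empty, aborting: $dbpath" >&2; return 1
  fi
  run mongod --dbpath "$dbpath" --enableEncryption --encryptionKeyFile "$keyfile" \
      --fork --logpath "$log" || return 1                  # step 4: encrypted start
  run mongorestore "$dump"                                 # step 5: restore
}
```

Review the dry-run output first, and keep the moved `.unencrypted` directory until the restored data has been verified; it still holds the plaintext data files and needs secure disposal afterwards.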
