使用本地密钥MONGODB启用数据加密时出错 [英] Error when enabling data encryption using local key MONGODB
问题描述
我已经成功加密了mongoDB中的通信,但是当我尝试启用数据加密时,出现了错误.我正在将MongoDB的企业版与版本3.2.4一起使用.我在控制台中收到以下消息:
I have successfully encrypted the communication in mongoDB but when I try to enable the data encryption I'm getting errors. I am using the enterprise edition of mongoDB with version 3.2.4. I get the following message in the console:
ERROR: child process failed, exited with error number 14
但是当我查看日志时,会看到详细的错误,如下所示:
But when I look at the logs I see detailed error as follows:
Unable to retrieve key .system, error: there are existing data files, but no valid keystore could be located.
Fatal Assertion 28561
以下是我的配置文件的摘要:
following is the snippet of my config file:
# enable authentication
security:
authorization: enabled
enableEncryption: true
encryptionKeyFile: /home/test/mongodb-keyfile
在没有enableEncryption
和encryptionKeyFile
参数的情况下,它可以正常工作.谁能解释我在这里想念的东西吗?谢谢!
It works fine without the enableEncryption
, and encryptionKeyFile
parameters. Could anyone explain what i'm missing here? thanks!
推荐答案
MongoDB的加密存储引擎支持两个密钥管理选项:
MongoDB's encrypted storage engine supports two key management options:
- Key Manager : Integration with third party key management appliance via the Key Management Interoperability Protocol (KMIP).
- Local Key: Use of local key management via a keyfile.
值得一提的是,使用密钥管理器符合法规密钥管理准则,并且建议在本地密钥管理中.
Worth mentioning that using a key manager meets regulatory key management guidelines and is recommended over the local key management.
If you are using Key Manager option, please see KMIP Master Key Rotation.
由于使用的是本地密钥"选项,因此如果您具有副本集部署您可以旋转副本集成员.这会将重新同步数据从未加密到加密的mongod
.
Since you are using the Local Key option, if you have a Replica Set deployment you could rotate the replica set member. This would re-sync data from the un-encrypted to the encrypted mongod
.
或者,如果您只有一个独立的mongod
,则可以:
Alternatively if you only have a standalone mongod
, you could:
- 备份数据库文件.
- 停止
mongod
进程 - 删除或移动
dbpath
中的现有数据库文件.格外小心! -如果要删除,请确保具有备份数据. - 使用 --enableEncryption 重新启动
mongod
和 --encryptionKeyFile . - 将备份文件还原到重新启动并加密的
mongod
.
- Back Up your database files.
- Stop
mongod
process. - Delete or move existing database files in
dbpath
. Exercise extra caution! - If you are deleting, make sure you have a backup data. - Restart
mongod
with --enableEncryption and --encryptionKeyFile. - Restore backup files to the restarted and encrypted
mongod
.
作为示例,您可以使用 mongodump 转储数据,然后使用 mongorestore 恢复转储文件.
As an example, you could use mongodump to dump the data, and use mongorestore to restore the dump files.
最后,请注意, MongoDB Enterprise 版本是商业支持的产品.如果您订阅了商业支持,建议您打开支持案例.
Lastly, note that MongoDB Enterprise edition is a commercially supported product. I'd suggest opening a support case if you have a Commercial Support subscription.
这篇关于使用本地密钥MONGODB启用数据加密时出错的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!