1

Running Percona Server for MongoDB server version: v3.6.8-2.0. I am attempting to enable encryption at rest using the procedure outlined in the following:

https://www.percona.com/blog/2018/11/01/wiredtiger-encryption-at-rest-percona-server-for-mongodb/#comment-10969955

After creating my encryption key and updating /etc/mongod.conf with the following, I restart the mongod process:

security:
  authorization: enabled
  enableEncryption: true
  encryptionKeyFile: /deezNutz/mongodb.key

The process immediately shuts down and I see the following in my error log:

2018-11-14T23:09:18.057+0000 E STORAGE  [initandlisten] WiredTiger error (-31802) [1542236958:57406][17352:0x7f8037b14dc0], file:WiredTiger.wt, connection: unable to read root page from file:WiredTiger.wt: WT_ERROR: non-specific WiredTiger error
2018-11-14T23:09:18.057+0000 E STORAGE  [initandlisten] WiredTiger error (0) [1542236958:57447][17352:0x7f8037b14dc0], file:WiredTiger.wt, connection: WiredTiger has failed to open its metadata
2018-11-14T23:09:18.057+0000 E STORAGE  [initandlisten] WiredTiger error (0) [1542236958:57460][17352:0x7f8037b14dc0], file:WiredTiger.wt, connection: This may be due to the database files being encrypted, being from an older version or due to corruption on disk
2018-11-14T23:09:18.057+0000 E STORAGE  [initandlisten] WiredTiger error (0) [1542236958:57473][17352:0x7f8037b14dc0], file:WiredTiger.wt, connection: You should confirm that you have opened the database with the correct options including all encryption and compression options
2018-11-14T23:09:18.058+0000 E -        [initandlisten] Assertion: 28595:-31802: WT_ERROR: non-specific WiredTiger error src/mongo/db/storage/wiredtiger/wiredtiger_kv_engine.cpp 437
2018-11-14T23:09:18.064+0000 I STORAGE  [initandlisten] exception in initAndListen: Location28595: -31802: WT_ERROR: non-specific WiredTiger error, terminating

If I change enableEncryption to "false", the engine starts right up and no errors.

It doesn't look like I'm missing a step.

Confused, Adam

Adam
  • 141
  • 1
  • 8

2 Answers

1

Percona Server for MongoDB 3.6.8-2 can't encrypt existing databases. You have to shutdown the instance, purge the data files directory, configure the instance for encryption, and start the instance.

Adam
  • 141
  • 1
  • 8
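A preflight script for the two things that bite here: the key file itself and the state of the dbPath. This is an added example, not code from the question, the answers, or Percona. It assumes the key file is 32 random bytes, base64-encoded, with mode 0600 (the way the Percona blog procedure creates it), and, because PSMDB 3.6.8-2 cannot encrypt databases that were written without encryption, that the dbPath must hold no files when enableEncryption is first set to true. It also matches the WT_ERROR -31802 "unable to read root page" signature from the question's log, which is the line to alert on when a node comes up against unencrypted data files.

```python
"""Preflight checks before turning on WiredTiger encryption at rest for
Percona Server for MongoDB 3.6.x.

Added example, not code from the question, the answers, or Percona.
Assumptions: the key file is 32 random bytes, base64-encoded, mode 0600
(the way the Percona blog procedure creates it), and because PSMDB
3.6.8-2 cannot encrypt databases written without encryption, the dbPath
must hold no files when enableEncryption is first set to true."""
import base64
import binascii
import os
import re
import stat
import tempfile

KEY_BYTES = 32  # 256-bit key, stored base64-encoded in encryptionKeyFile

# Two lines copied from the question's mongod log: the signature of
# opening unencrypted WiredTiger metadata with enableEncryption: true.
SAMPLE_LOG = (
    "2018-11-14T23:09:18.057+0000 E STORAGE  [initandlisten] WiredTiger error (-31802) "
    "[1542236958:57406][17352:0x7f8037b14dc0], file:WiredTiger.wt, connection: unable to "
    "read root page from file:WiredTiger.wt: WT_ERROR: non-specific WiredTiger error\n"
    "2018-11-14T23:09:18.057+0000 E STORAGE  [initandlisten] WiredTiger error (0) "
    "[1542236958:57447][17352:0x7f8037b14dc0], file:WiredTiger.wt, connection: WiredTiger "
    "has failed to open its metadata\n"
)
WT_MISMATCH = re.compile(
    r"WiredTiger error \(-31802\).*unable to read root page from file:WiredTiger\.wt")


def make_keyfile(path):
    """Create the key file the way the Percona procedure does (openssl rand -base64 32; chmod 600)."""
    with open(path, "wb") as f:
        f.write(base64.b64encode(os.urandom(KEY_BYTES)) + b"\n")
    os.chmod(path, 0o600)


def check_keyfile(path):
    """Return the list of problems with the key file; an empty list means it is usable."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["key file %s does not exist" % path]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("key file mode %o is group/other accessible; use 0600" % mode)
    with open(path, "rb") as f:
        raw = f.read().strip()
    try:
        key = base64.b64decode(raw, validate=True)
    except binascii.Error:
        problems.append("key file content is not valid base64")
        return problems
    if len(key) != KEY_BYTES:
        problems.append("decoded key is %d bytes, expected %d" % (len(key), KEY_BYTES))
    return problems


def check_datadir(dbpath, enable_encryption):
    """When encryption is being switched on, refuse a dbPath that already holds data files."""
    if not enable_encryption:
        return []
    if not os.path.isdir(dbpath):
        return ["dbPath %s does not exist" % dbpath]
    leftovers = sorted(os.listdir(dbpath))
    if leftovers:
        return ["dbPath %s already holds %d file(s) (e.g. %s): purge it, or wipe this node and "
                "let it initial-sync from the replica set" % (dbpath, len(leftovers), leftovers[0])]
    return []


def preflight(keyfile, dbpath, enable_encryption=True):
    """Everything that would make mongod abort at startup the way the question's log shows."""
    return check_keyfile(keyfile) + check_datadir(dbpath, enable_encryption)


def log_shows_encryption_mismatch(log_text):
    """True when a mongod log carries the WT_ERROR -31802 root-page signature from the question."""
    return any(WT_MISMATCH.search(line) is not None for line in log_text.splitlines())


def demo_scenarios():
    """Run the checks against constructed setups in a temp dir; returns {scenario: problems}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        key = os.path.join(tmp, "mongodb.key")
        dbpath = os.path.join(tmp, "data")
        os.mkdir(dbpath)
        make_keyfile(key)
        results["fresh"] = preflight(key, dbpath)                     # expected: []
        open(os.path.join(dbpath, "WiredTiger.wt"), "wb").close()     # pretend unencrypted data exists
        results["existing-data"] = preflight(key, dbpath)
        results["encryption-off"] = preflight(key, dbpath, enable_encryption=False)
        os.chmod(key, 0o644)
        results["weak-perms"] = check_keyfile(key)
        os.chmod(key, 0o600)
        with open(key, "wb") as f:
            f.write(base64.b64encode(b"x" * 16))                      # constructed: too-short key
        results["short-key"] = check_keyfile(key)
        with open(key, "wb") as f:
            f.write(b"not*base64!")                                   # constructed: garbage key
        results["bad-base64"] = check_keyfile(key)
        results["missing-key"] = check_keyfile(os.path.join(tmp, "nope.key"))
    return results


if __name__ == "__main__":
    for name, probs in demo_scenarios().items():
        print("%-15s %s" % (name, probs or "OK"))
    print("question's log shows mismatch:", log_shows_encryption_mismatch(SAMPLE_LOG))
```

Run `preflight("/path/to/mongodb.key", "/var/lib/mongodb")` on a node before flipping enableEncryption; an empty list means the restart will not fail for either of the reasons this thread covers. The datadir check is deliberately strict (any file counts), because the only supported route for this version is an empty dbPath, whether you purge it by hand or let the member initial-sync from the rest of the replica set.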
1

The OP's own answer is essentially correct. But just in case you have an option:

In theory, the migration can occur without downtime: if you do these steps on the Secondaries first, step down the Primary, then upgrade that former Primary, there is basically no impact. Just a few reads/writes will be retried as nodes shuffle, but the drivers are expecting this.

The initial-sync from the Primary will rewrite the data encrypted if the node is configured for encryption. An initial sync will add some load to the system, however.

The same is true for key rotation: if you already have encryption enabled, you can rotate all the replica set members one-by-one while specifying the new key.

There are some useful posts on MongoDB replication on the Percona blog if this approach is an option: https://www.percona.com/blog/2018/03/22/the-anatomy-of-a-mongodb-replica-set/ and also an extended answer to the OP on the forum: https://www.percona.com/forums/questions-discussions/percona-server-for-mongodb/52876-enabling-encryption-at-rest-in-percona-server-for-mongodb-3-6-8

Disclosure: I work for Percona, the MongoDB tech team assisted with this response, hope it helps.

greenweeds
  • 241
  • 1
  • 5