Thursday, November 17, 2016

MongoDB - Update replica set nodes to enable encrypted storage engine with local key
# Replication set without disk encryption:
 mongod --dbpath /home/donghua/LAB4/r0 --logpath /home/donghua/LAB4/r0/mongo.log --port 31250 --replSet UNENCRYPTED --fork
 mongod --dbpath /home/donghua/LAB4/r1 --logpath /home/donghua/LAB4/r1/mongo.log --port 31251 --replSet UNENCRYPTED --fork
 mongod --dbpath /home/donghua/LAB4/r2 --logpath /home/donghua/LAB4/r2/mongo.log --port 31252 --replSet UNENCRYPTED --fork

# Create the base64-encoded keyfile from 32 random bytes (openssl emits it as a 44-character base64 string)
openssl rand -base64 32 > /home/donghua/LAB4/mongodb-keyfile
chmod 600 /home/donghua/LAB4/mongodb-keyfile

# Start the rolling encryption with the first secondary (r1)
mongo -port 31251
MongoDB Enterprise UNENCRYPTED:SECONDARY> db.getSisterDB('admin').shutdownServer()

# Cleanup of the old, unencrypted data files is required; otherwise the following error message is expected on restart:
# E STORAGE  [initandlisten] Unable to retrieve key .system, error: There are existing data files, but no valid keystore could be located.
# [initandlisten] Fatal Assertion 28561

rm -rf /home/donghua/LAB4/r1/*

To use the key file, start mongod with the following options:
 mongod --dbpath /home/donghua/LAB4/r1 --logpath /home/donghua/LAB4/r1/mongo.log --port 31251 --replSet UNENCRYPTED --fork --enableEncryption --encryptionKeyFile /home/donghua/LAB4/mongodb-keyfile

# Continue the rolling encryption with the second secondary (r2)
mongo -port 31252
MongoDB Enterprise UNENCRYPTED:SECONDARY> db.getSisterDB('admin').shutdownServer()

rm -rf /home/donghua/LAB4/r2/*

To use the key file, start mongod with the following options:
 mongod --dbpath /home/donghua/LAB4/r2 --logpath /home/donghua/LAB4/r2/mongo.log --port 31252 --replSet UNENCRYPTED --fork --enableEncryption --encryptionKeyFile /home/donghua/LAB4/mongodb-keyfile

# Finally, roll encryption onto the primary (r0): step it down first so it is a secondary when shut down
mongo -port 31250
MongoDB Enterprise UNENCRYPTED:PRIMARY> rs.stepDown()
MongoDB Enterprise UNENCRYPTED:SECONDARY> db.getSisterDB('admin').shutdownServer()

rm -rf /home/donghua/LAB4/r0/*

To use the key file, start mongod with the following options:
 mongod --dbpath /home/donghua/LAB4/r0 --logpath /home/donghua/LAB4/r0/mongo.log --port 31250 --replSet UNENCRYPTED --fork --enableEncryption --encryptionKeyFile /home/donghua/LAB4/mongodb-keyfile
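As an added example (not part of the original post), a POSIX shell check for the local keyfile before it is handed to --encryptionKeyFile, plus a wrapper for the per-member wipe-and-restart step above that refuses to delete anything until the keyfile validates. The function names and the wrapper are mine; the mongod options are the ones used in the procedure above, and the sample keyfile contents in the comments are constructed.

```shell
#!/bin/sh
# Validate a MongoDB local encryption keyfile. Two conditions are checked:
#   1. the file is not group- or world-readable (the chmod 600 step above);
#   2. its contents are base64 that decodes to exactly 32 bytes, which is
#      what `openssl rand -base64 32` produces.
# Returns 0 when the file is usable, 1 otherwise, with the reason on stderr.
check_keyfile() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "keyfile $f: not found" >&2; return 1
    fi
    # Columns 5-10 of `ls -ld` are the group/other bits; portable across
    # GNU and BSD stat variants. A 0600 file shows "------" there.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "keyfile $f: group/other bits set ($perms); run chmod 600" >&2; return 1
    fi
    # Drop whitespace and newlines, decode, and count the raw key bytes.
    nbytes=$(tr -d ' \n\r\t' < "$f" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    if [ "$nbytes" != "32" ]; then
        echo "keyfile $f: decodes to ${nbytes:-0} bytes, expected 32" >&2; return 1
    fi
    return 0
}

# One member's re-encryption step (assumed wrapper, not from the post):
# wipe the unencrypted data files and restart with encryption enabled,
# but only after the keyfile validates, so a wrong keyfile path cannot
# destroy a member's data before the encrypted resync has even begun.
# The caller is responsible for the shutdownServer()/rs.stepDown() step.
reencrypt_member() {
    dbpath="$1"; port="$2"; keyfile="$3"; replset="${4:-UNENCRYPTED}"
    check_keyfile "$keyfile" || return 1
    # ${dbpath:?} aborts instead of expanding to "/*" if dbpath is empty.
    rm -rf "${dbpath:?}"/*
    mongod --dbpath "$dbpath" --logpath "$dbpath/mongo.log" --port "$port" \
        --replSet "$replset" --fork --enableEncryption --encryptionKeyFile "$keyfile"
}
```

With a local keyfile the key lives on the same host as the data it protects, so the 0600 mode and keeping the keyfile outside every member's dbpath (so the rm -rf step cannot take it with the data) are what this setup's protection rests on.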