SonarW Encryption (Data at Rest)

You can encrypt data in SonarW using Linux encryption (full disk encryption) or using SonarW’s built-in encryption. The latter allows you to encrypt selectively, i.e. choose which databases and which collections to encrypt. SonarW encryption always uses AES256.

Encryption Keys

You configure the encryption key in SonarW in one of two ways:

  1. Directly within the configuration file, using the encryption_key parameter
  2. By setting the configuration parameter shm_encryption_key to true and saving the key to a file on the system ramdisk.

In both cases the key must be 32 bytes of random data encoded as a 64-byte hex string.

Of these two methods the second one is preferred, but it requires recreating the file on every machine reboot, since the ramdisk is cleared when the machine shuts down.

SonarW comes with a Python script utility called ‘sonard-setup-encryption’. This utility helps with generating the key from a password and provides the interface to fetch a key from a KMIP server. This script must be run by the same system user that runs SonarW.

Keys are stored on the system ramdisk and are either retrieved from a KMIP server (requiring credentials) or generated from a password. If you lose the password or the ability to retrieve the key from the KMIP server, all of the data will be lost.

For local key generation, run the following commands in a system shell (as the sonarw user):

$ /usr/lib/sonarw/sonard-setup-encryption local
Password:
$

This command asks for the password, generates the cryptographic key, and saves this key in the system ramdisk. Then set the configuration parameter shm_encryption_key to true in sonard.conf, and restart SonarW.
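The following is an added example, not part of SonarW or the sonard-setup-encryption utility, showing the key handling the sections above describe: producing a 32-byte key, checking that a candidate encryption_key value is exactly 64 hex characters, and writing it to a file with owner-only permissions. The scrypt derivation, its salt and the file path are assumptions for illustration; the utility's own password-to-key derivation and ramdisk file name are not documented here.

```python
# Added example; not SonarW's own code. Key format per the docs: 32 random bytes as 64 hex chars.
import hashlib
import os
import re
import secrets
import stat
import tempfile

KEY_BYTES = 32                                  # AES-256 key size
HEX_KEY_RE = re.compile(r"^[0-9a-fA-F]{64}$")   # 32 bytes hex-encoded = 64 characters


def generate_random_key_hex() -> str:
    """Fresh 32 random bytes, hex-encoded: the format encryption_key expects."""
    return secrets.token_hex(KEY_BYTES)


def derive_key_hex(password: str, salt: bytes) -> str:
    """Derive a 32-byte key from a password with scrypt.

    Assumption: this KDF and its parameters are illustrative only, NOT the
    derivation used by sonard-setup-encryption. The salt must stay fixed,
    otherwise the same password yields a different key and the data is lost.
    """
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=2 ** 14, r=8, p=1, dklen=KEY_BYTES)
    return key.hex()


def is_valid_key_hex(value: str) -> bool:
    """True only if the value decodes to exactly 32 bytes (64 hex characters)."""
    return bool(HEX_KEY_RE.match(value))


def write_key_file(key_hex: str, path: str) -> int:
    """Write the key readable by its owner only; returns the resulting mode bits."""
    if not is_valid_key_hex(key_hex):
        raise ValueError("key must be 32 bytes encoded as 64 hex characters")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(key_hex + "\n")
    os.chmod(path, 0o600)   # a pre-existing file keeps its old mode; force 0600
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> int:
    """Write a random key into a temporary directory (stands in for the ramdisk)."""
    path = os.path.join(tempfile.mkdtemp(), "sonarw_key_example")
    return write_key_file(generate_random_key_hex(), path)
```

In a real deployment the file goes on the system ramdisk and is written by the same user that runs SonarW, so the 0600 mode keeps it readable by that user alone.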

To retrieve a key from a KMIP server, you need to create the file /etc/pykmip/pykmip.conf to have the following content, with the correct configuration to access the KMIP server:

[client]
host=<kmip server ip address>
port=<kmip server port>
keyfile=<kmip client key file>
certfile=<kmip client certificate file>
cert_reqs=CERT_REQUIRED
ssl_version=PROTOCOL_SSLv23
ca_certs=<kmip ca certificate>
do_handshake_on_connect=True
suppress_ragged_eofs=True

Then run:

$ /usr/lib/sonarw/sonard-setup-encryption kmip -i 1 -u john.doe
Enter PEM pass phrase:
2017-06-23 16:00:09,617 - demo - INFO - Successfully retrieved secret with ID: 1
$

This part depends on how your KMIP server is configured. You might need to specify the client certificates (and password), a user name and password, and the ID of the key you want to retrieve. At this point the key is stored in the system ramdisk.

Encrypting a database

It’s only possible to enable encryption on a non-existent or empty database. Once enabled, all collections inside that database will be encrypted.

To enable encryption run:

db.runCommand({ encryptdb: <db_name> })

Then insert at least one document to any of its collections.

To make sure that encryption is enabled, run one of the following commands in the mongo shell:

use <db_name>
db.stats()

Or

use <db_name>
db.<collection_name>.stats()

If encryption is enabled you will see the boolean value “encryption: true”.