Navigating MongoDB's Queryable Encryption for Ultimate Security - Mydbops
0 likes70 views
The document presents an overview of queryable encryption in MongoDB, highlighting its significance for data security and confidentiality. It distinguishes between various encryption mechanisms, including client-side field-level encryption (CSFLE) and queryable encryption, detailing their processes and applications. The framework also emphasizes key management systems and limitations associated with queryable encryption in MongoDB.
Navigating MongoDB's Queryable Encryption for Ultimate Security - Mydbops
- 1. Queryable Encryption in MongoDB Presented by Ranjith, Database Reliability Engineer, Mydbops Mydbops MyWebinar Edition 29 Nov 25th, 2023
- 2. About Me Ranjith ❏ Interested in MongoDB Internals ❏ Performance Troubleshooting ❏ Blogger
- 3. Mydbops Services Focus on MySQL, MongoDB, PostgreSQL, TiDB, Cassandra Consulting Services Consulting Services Managed Services 24*7 DBA Team Targeted Engagement
- 4. ❏ Introduction ❏ Enhanced Security in MongoDB ❏ CSFLE (Client-Side-Field-Level-Encryption) ❏ Queryable Encryption ❏ Queryable Encryption Types ❏ Limitations Agenda
- 5. ❏ MongoDB Encryption: Ensures robust security, protecting data from unauthorized access. ❏ Confidentiality & Integrity: Maintains data confidentiality and integrity. ❏ Flexible Methods: Offers diverse encryption options, including CSFLE and Queryable Encryption. Introduction
- 6. Enhanced Security in MongoDB
- 7. Life Cycle
- 8. Two types of Encryption Mechanisms: ❏ Automatic Encryption: Enables encrypted read and write operations without explicit code (MongoDB Enterprise & MongoDB Atlas). ❏ Explicit Encryption: Empowers encrypted operations using the MongoDB driver's encryption library, applicable across all formats. CSFLE (Client-Side-Field-Level-Encryption)
- 9. ❏ Data Encryption Keys (DEKs) ❏ Key Vault Collections ❏ Key Management System (KMS) ❏ libmongocrypt Important Key Components of CSFLE Encryption
- 10. ❏ Query Initiation ❏ Encrypted Fields Analysis ❏ DEK Retrieval ❏ DEK Decryption ❏ Data Retrieval ❏ Data Decryption How CSFLE Works?
- 11. Next Up: Queryable Encryption
- 12. ❏ Queryable Encryption use random encryption whereas CSFLE use deterministic encryption ❏ In deterministic encryption, the same plaintext value is always encrypted to the same ciphertext. ❏ Queryable Encryption produces different ciphertexts for the same plaintext each time it is encrypted. ❏ It prevents attackers from easily identifying patterns based on frequency. CSFLS vs Queryable Encryption
- 13. ❏ Encrypts During Transmission: Queryable Encryption secures data in transit with randomized encryption, allowing queries. ❏ Client ensures data is always transmitted in encrypted form, automatically encrypting and decrypting sensitive information. MongoDB Supports Two Types: ❏ Implicit Queryable Encryption - Available on MongoDB Enterprise & MongoDB ATLAS ❏ Explicit Queryable Encryption - Available on MongoDB Enterprise & MongoDB ATLAS & MongoDB Community Queryable Encryption
- 14. ❏ Data Encryption Keys (DEKs) ❏ Key Vault Collections ❏ Cryptographic Tokens ❏ Cryptographic Tags ❏ Key Management System (KMS) Important Key components of Queryable Encryption
- 15. ❏ DEK Function: The Data Encryption Key (DEK) encrypts fields in MongoDB documents. ❏ Secure Storage: DEK is securely stored in a MongoDB collection known as the keyVault collection. Key Vault Collections ❏ DEK Storage: MongoDB's Key Vault collection stores encrypted Data Encryption Key (DEK) documents. ❏ Document Composition: DEK documents within the Key Vault collection are BSON documents that encapsulate Data Encryption Keys (DEKs). Data Encryption Keys (DEK’s)
- 16. ❏ Tokenized Encryption: Cryptographic tokens represent encrypted data, allowing querying without decryption. ❏ Queryable Encryption Process: Upon data insertion with queryable encryption, designated fields are encrypted and stored as cryptographic tokens (Ciphertext) in the namespace. Cryptographic Tokens
- 17. ❏ Metadata for Encryption: Cryptographic tags provide key and algorithm details for encrypted fields. ❏ Query Management: Crucial for MongoDB server in handling encrypted data during queries. ❏ Stored Guidance: Stored alongside data, cryptographic tags enable the server to determine the appropriate encryption key for querying or decrypting data. Cryptographic Tags
- 18. Queryable Encryption is supported by the following Key Management System (KMS) providers: ❏ Amazon Web Services KMS ❏ Azure Key Vault ❏ Google Cloud Platform KMS ❏ Any KMIP Compliant Key Management System ❏ Local Key Provider Key Management System (KMS)
- 19. ❏ Explicit encryption is a method wherein you explicitly define the encryption and decryption processes for fields in your document during each operation conducted on your database. ❏ Explicit encryption is available and supported in the following MongoDB products: MongoDB Community Server MongoDB Enterprise Advanced MongoDB Atlas Explicit Queryable Encryption
- 20. How Write Operations works in Explicit Queryable Encryption?
- 21. ❏ Application submits query. ❏ MongoDB drivers analyze query. ❏ DEKs (unique to specific fields) use AES-CBC-256 encryption. ❏ Each DEK is unique and associated with a specific field in the document. AES - Advanced Encryption Standard CBC-256 - 256 bit Cipher Block Chaining ❏ AES-CBC-256 creates cryptographic token with tags. How Write Operations works in Explicit Queryable Encryption?
- 22. ❏ Cryptographic token encrypts data (AES-CBC-256 + IV for uniqueness). ❏ DEKs are safeguarded by encrypting with CMK. ❏ Driver sends query to MongoDB server with encrypted fields as ciphertext. ❏ Encrypted data (Token + Tags) stored in MongoDB server. How Write Operations works in Queryable Encryption?
- 23. ❏ Enable Queryable Encryption for a collection. ❏ MongoDB generates two metadata collections in the specified database. ❏ For example, we have enabled the Queryable Encryption for the patients collection MongoDB will generate the metedata collections like below enxcol_.patients.ecoc //metadata collection1 enxcol_.patients.esc //metadata collection2 Metadata Collections
- 24. The .ecoc collection functions as a repository for encryption context information, encompassing cryptographic tokens, cryptographic tags, and associated metadata. ❏ Cryptographic Tokens: Encrypted representations of specific field values. ❏ Cryptographic Tags: Metadata linked to encrypted fields for decryption. ❏ Context Information: Details on DEK associations for each cryptographic token. ❏ Cache Optimization: Collection acts as a cache, enhancing query performance. ❏ Size Management: Compaction command needed if metadata collection exceeds 1 GB. ❏ Temporary Storage: .ecoc serves as temporary storage for cryptographic metadata essential in query processing. enxcol_.patients.ecoc //metadata collection1
- 25. ❏ DEK Details: Intricate info on Data Encryption Keys (DEKs) with unique identifiers and metadata. ❏ Key Management: Specifies the Customer Master Key (CMK) for DEK protection. ❏ Algorithms: Stores comprehensive details on encryption algorithms and parameters. ❏ Key Rotation: Insights into policies and schedules for managing key rotation. ❏ Configuration: Houses essential settings and metadata for the encryption system. enxcol_.patients.esc //metadata collection2
- 26. ❏ Internally Managed Collections: MongoDB manages these collections for queryable encryption operations. ❏ Critical Role: Essential for the efficient processing of queries involving encrypted data. ❏ Enhanced Security: Provide context and metadata for decryption, ensuring sensitive information remains secure. ❏ Background Operations: Typically not directly accessed or modified by users, functioning behind the scenes. ❏ Foundational Component: Integral part of MongoDB's queryable encryption infrastructure. enxcol_.patients.esc //metadata collection2
- 27. How Read Operation Works in Queryable Encryption?
- 28. ❏ Query Submission: Application submits a query; MongoDB drivers analyze it. ❏ DEK Encryption: DEKs use AES-CBC-256 to encrypt specific document fields. ❏ Key Protection: DEKs are protected by encrypting them with the CMK. ❏ Query Transmission: Driver sends the query to MongoDB server, representing encrypted fields as ciphertext. ❏ Cryptographic Tags: MongoDB uses tags to fetch the cryptographic token with encrypted data. ❏ Decryption Process: Driver decrypts query results using its keys. ❏ Client Return: Decrypted data is returned to the client in plaintext. How Read Operation Works in Queryable Encryption?
- 29. Explicit Queryable Encryption Demo
- 30. ❏ Automatic Queryable Encryption ❏ Driver and libmongocrypt Collaboration ❏ Streamlined Approach ❏ Seamless Operations ❏ Ease of Use and Security ❏ Available in MongoDB Enterprise and Atlas Implicit ( Automatic) Queryable Encryption
- 31. ❏ Query Initiation ❏ Field Analysis ❏ DEK Retrieval ❏ DEK Decryption ❏ Data Reading ❏ Data Decryption ❏ User Interaction How Automatic Queryable Encryption Works?
- 32. Implicit Queryable Encryption Demo
- 33. ❏ Compatibility Note: Queryable Encryption is incompatible with MongoDB Atlas Search. ❏ Server Limitation: Not applicable for MongoDB standalone servers. ❏ Shard Key Restriction: Encrypted fields cannot be used as shard keys. ❏ Collection Renaming Restriction: Renaming collections with encrypted fields is not allowed. ❏ _id Field Exclusion: Encryption cannot be applied to the _id field. ❏ MongoDB 7.0 support only Equality searches ❏ Encryption collection backup not supported for restoration For detailed information, you can refer to the https://www.mongodb.com/docs/manual/core/queryable-encryption/reference/limitations/#std-label -qe-reference-encryption-limits Limitations Of Queryable Encryption
- 34. ➔ MongoDB Implicit Queryable Encryption https://www.mydbops.com/blog/mongodb-queryable-encryption/ ➔ MongoDB Explicit Queryable Encryption https://www.mydbops.com/blog/mongodb-7-explicit-queryable-encryption/ ➔ MongoDB General Queryable Encryption Video https://www.youtube.com/watch?v=vTM_YlieLBE&t=863s Queryable Encryption Related Blogs
- 35. Any Questions?
- 36. Thank You