DOCS-8760: Document "--kmipPort" for encrypted storage engine usage #2771

Closed
54 changes: 26 additions & 28 deletions source/tutorial/configure-encryption.txt
Expand Up @@ -73,24 +73,24 @@ Encrypt Using a New Key
To create a new key, connect :program:`mongod` to the key manager by starting
:program:`mongod` with the following options:

- ``--enableEncryption``,
- :option:`--enableEncryption`
- :option:`--kmipServerName`
- :option:`--kmipPort`
- :option:`--kmipServerCAFile`
- :option:`--kmipClientCertificateFile`

- ``--kmipServerName <KMIP Server Hostname>``,

- ``--kmipServerCAFile <path to KMIP Server's CA File>``, and

- ``--kmipClientCertificateFile <path to valid client certificate>``.

Include any other options specific to your configuration.
Include any other options specific to your
:program:`mongod` configuration.

.. code-block:: sh

mongod --enableEncryption --kmipServerName <KMIP Server HostName> \
--kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem
--kmipPort <KMIP server port> --kmipServerCAFile ca.pem \
--kmipClientCertificateFile client.pem

This operation creates a new master key in your key manager for use by
the :program:`mongod` to wrap the keys :program:`mongod` generates for
each database.
This operation creates a new master key in your key manager which
:program:`mongod` uses to encrypt the keys :program:`mongod` generates
for each database.

To verify that the key creation and usage was successful, check the log
file. If successful, the process will log the following messages:
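
Review bot: The new bullet list (from "- :option:`--enableEncryption`" through "- :option:`--kmipClientCertificateFile`") drops the argument placeholders the old list carried, such as "<path to KMIP Server's CA File>", and the added "--kmipPort" entry does not say whether the option is required or which port is used when it is omitted. Since this PR exists to document the port, add one sentence after the list stating when "--kmipPort" must be given, and check that each :option: role resolves to the mongod option entry so the reader can still find what value it takes. Separately, the last paragraph changes "wrap the keys" to "encrypt the keys"; "wrap" is the usual key-management term for a master key protecting other keys, so consider keeping it or writing "encrypt (wrap)". The placeholder casing in the command is also inconsistent: "<KMIP Server HostName>" next to "<KMIP server port>".
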
Expand All @@ -107,33 +107,31 @@ file. If successful, the process will log the following messages:
Encrypt Using an Existing Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You can use an existing master key created and managed by your KMIP. To
use an existing key, connect :program:`mongod` to the key manager by
starting :program:`mongod` with the following options:

- ``--enableEncryption``,

- ``--kmipServerName <KMIP Server Hostname``,

- ``--kmipServerCAFile <path to KMIP Server's CA File>``,

- ``--kmipClientCertificateFile <path to valid client certificate>``, and
You can use an existing master key your KMIP server created and
manages. To use an existing key, connect :program:`mongod` to the
key manager by starting :program:`mongod` with the following options:

- ``--kmipKeyIdentifier <UID>``.
- :option:`--enableEncryption`
- :option:`--kmipServerName`
- :option:`--kmipPort`
- :option:`--kmipServerCAFile`
- :option:`--kmipClientCertificateFile`
- :option:`--kmipKeyIdentifier`

Include any other options specific to your configuration.
Include any other options specific to your
:program:`mongod` configuration.

.. code-block:: sh

mongod --enableEncryption --kmipServerName <KMIP Server HostName> \
--kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem \
--kmipKeyIdentifier <UID>
--kmipPort <KMIP server port> --kmipServerCAFile ca.pem \
--kmipClientCertificateFile client.pem --kmipKeyIdentifier <UID>

.. important::

If data is already encrypted with a key, you must specify that key's
``<UID>`` for the ``--kmipKeyIdentifier`` option. Otherwise, MongoDB
will not start and log an error.
does not start and logs an error.

.. seealso:: :ref:`encryption-key-management-options`
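
Review bot: The ".. important::" block still writes the option as a literal, "``--kmipKeyIdentifier``", while the list above it in the same hunk was converted to ":option:`--kmipKeyIdentifier`"; use the :option: role there too so the reference is linked and the section is consistent. The converted list also no longer shows "<UID>" next to the option, yet the admonition and the command line both refer to "<UID>", so say in the list or in the sentence before it that the identifier is the UID of the existing key in the KMIP server. As in the first section, the text does not state whether "--kmipPort" is required here.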
