MongoDB Configurations and Encryption
MongoDB Configuration
As mentioned on the General Settings page, Mia-Platform Console only needs a connection string to connect to MongoDB, provided through the configurations.mongodbUrl configuration.
Cluster size
MongoDB Cluster size can be shaped based on the number of Projects managed within Mia-Platform Console. However, a Cluster with 10GB of storage is enough to manage up to 1000 Projects.
MongoDB Encryption
Mia-Platform Console can interact with MongoDB using Client-Side Field Level Encryption (CSFLE).
To enable this feature, you need access to a KMS and must provide the configurations described below.
Client-Side Field Level Encryption (CSFLE) is only available with a MongoDB Enterprise license. With the Community license, encryption is not enforced, so fields are stored in plain text.
Not enabling CSFLE in an on-premise Console installation is considered a bad security practice and should be avoided.
To activate encryption, use the crudEncryption value inside the configurations object.
CRUD Encryption
Name | Type | Description | Default | Optional |
---|---|---|---|---|
kmsProvider | string | KMS provider id (gcp or local) | | ❌ |
keyVaultNamespace | string | Key vault name in the format dbName.collectionName | | ❌ |
gcpConfig | object | Configuration for the GCP KMS (use this when kmsProvider is gcp) | | ✅ |
localConfig | object | Configuration for the Local KMS (use this when kmsProvider is local). This configuration is not recommended for production environments | | ✅ |
KMS GCP Configuration
Name | Type | Description | Default | Optional |
---|---|---|---|---|
email | string | The email defined by the GCP KMS | | ❌ |
projectId | string | The projectId defined by the GCP KMS | | ❌ |
location | string | The location defined by the GCP KMS | | ❌ |
keyRing | string | The keyRing defined by the GCP KMS | | ❌ |
keyName | string | The keyName defined by the GCP KMS | | ❌ |
privateKey | string | The privateKey defined by the GCP KMS | | ❌ |
Local KMS Configuration
Name | Type | Description | Default | Optional |
---|---|---|---|---|
masterKey | string | The master key value used for encryption | | ❌ |
To generate the master key check out the official documentation page.
Examples
mia-console:
  configurations:
    # ... (other configurations)
    crudEncryption:
      keyVaultNamespace: 'dbname.collectionname'
      kmsProvider: 'gcp'
      gcpConfig:
        email: 'kms-gcp-email'
        projectId: 'kms-gcp-projectid'
        location: 'kms-gcp-location'
        keyRing: 'kms-gcp-keyring'
        keyName: 'kms-gcp-keyname'
        privateKey: 'THE\nPRIVATE\nKEY'
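
A pre-deployment check for the crudEncryption settings documented above, as an added example (not Mia-Platform's own code): it validates a mapping already parsed from the Console configuration and reports every problem it finds. The function name, the sample values and the assumption that masterKey is the base64 text of the 96-byte key required by MongoDB's local KMS provider are assumptions of this example, not statements from this page.

```python
import base64
import re

GCP_FIELDS = ("email", "projectId", "location", "keyRing", "keyName", "privateKey")
# dbName.collectionName: the database part cannot contain a dot, the collection part can.
NAMESPACE_RE = re.compile(r"^[^.\s]+\.\S+$")

def validate_crud_encryption(cfg, production=True):
    """Return a list of problems found in a crudEncryption mapping (empty list = OK)."""
    problems = []
    if not isinstance(cfg, dict) or not cfg:
        return ["crudEncryption is missing: CSFLE is disabled and fields stay in plain text"]
    if not NAMESPACE_RE.match(str(cfg.get("keyVaultNamespace", ""))):
        problems.append("keyVaultNamespace must have the form dbName.collectionName")
    provider = cfg.get("kmsProvider")
    if provider == "gcp":
        gcp = cfg.get("gcpConfig") or {}
        missing = [f for f in GCP_FIELDS if not str(gcp.get(f) or "").strip()]
        if missing:
            problems.append("gcpConfig is missing: " + ", ".join(missing))
    elif provider == "local":
        if production:
            problems.append("kmsProvider 'local' is not recommended for production")
        key = str((cfg.get("localConfig") or {}).get("masterKey") or "")
        try:
            # Assumption: masterKey is base64 text of the 96-byte MongoDB local KMS key.
            raw = base64.b64decode(key, validate=True)
        except ValueError:
            raw = b""
        if len(raw) != 96:
            problems.append("localConfig.masterKey must decode to exactly 96 bytes")
    else:
        problems.append("kmsProvider must be 'gcp' or 'local', got %r" % (provider,))
    return problems

# Constructed sample values, mirroring the placeholders used on this page.
SAMPLE_GCP = {
    "keyVaultNamespace": "dbname.collectionname",
    "kmsProvider": "gcp",
    "gcpConfig": {f: "kms-gcp-" + f.lower() for f in GCP_FIELDS},
}
# Constructed bad input: no collection in the namespace, local KMS, 32-byte key.
SAMPLE_LOCAL = {"keyVaultNamespace": "dbname", "kmsProvider": "local",
                "localConfig": {"masterKey": base64.b64encode(bytes(32)).decode()}}

if __name__ == "__main__":
    for name, cfg in (("gcp", SAMPLE_GCP), ("local", SAMPLE_LOCAL)):
        print(name, validate_crud_encryption(cfg) or "OK")
```

Pass production=False when checking a development environment, where the local KMS provider is acceptable.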