Encrypted Backup Snapshots

Starting in 3.4, Ops Manager supports encryption for any backup job that was stored in a head database running MongoDB Enterprise 3.4 or later with the WiredTiger storage engine.

With encrypted backup, you encrypt the head databases using a master key that is generated and maintained by a KMIP-compliant key management appliance (i.e. KMIP server). As the Backup Daemon creates snapshots from the head databases, resulting snapshots from the encrypted head databases are themselves encrypted.

To restore from an encrypted backup, you need the same master key used to encrypt the backup and either the same certificate as is on the Backup Daemon server or a new certificate provisioned with that key from the KMIP server.

Prerequisites

  • Head databases use MongoDB Enterprise 3.4 or later with the WiredTiger storage engine.
  • KMIP-compliant key management appliance (i.e. KMIP server) to generate and store encryption keys.
  • A valid KMIP client certificate and KMIP server CA files. These files are used to authenticate Ops Manager to the KMIP server. The client certificate on the Backup Daemon server must have access to all keys in the KMIP server.

Important

  • You must maintain all keys, even rotated keys, in the KMIP server.

Set up KMIP Server Configuration for Ops Manager

1
2

Complete the KMIP fields.

Update the following Key Management Interoperability Protocol (KMIP) server fields in the KMIP Server Configuration section:

KMIP Server Host

Type the FQDN for the KMIP server.

KMIP Server Port

Type the port on which the KMIP host is listening for KMIP connections. The default KMIP port is 5696.

KMIP Server CA File

Type the absolute path for the CA file on the Ops Manager host. This must be the same CA file stored on the KMIP host.

3

Click Save.

Configure Your Group to Use KMIP

Note

All deployments in the group will use the same KMIP client certificate file to authenticate.

1
2

Complete the KMIP fields.

KMIP client certificate path

Type the absolute path for the client certificate file on the Ops Manager host. Ops Manager uses this certificate to authenticate itself to the KMIP server.

A single file can hold both the CA and client certificate.

KMIP client certificate password (Optional)

Enter a password only if the certificate specified in KMIP client certificate path is encrypted.

3

Click Save Changes.
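As an added example that is not part of the Ops Manager documentation or product, the following Python pre-flight check covers the KMIP fields from the two procedures above: the server host and port, the absolute CA and client certificate paths, whether the single client certificate file actually holds a certificate and a key, and whether the optional client certificate password is needed because that key is encrypted. The host name, paths and PEM bundle are constructed placeholders.

```python
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)

# Constructed sample bundle: CA cert, client cert and an encrypted client key in
# one file (placeholder base64, not real key material).
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIBplaceholderCA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBplaceholderClient==
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIEplaceholderKey==
-----END ENCRYPTED PRIVATE KEY-----
"""

def pem_inventory(pem_text):
    """Return (block labels, key_is_encrypted) for the PEM blocks in a bundle."""
    labels, encrypted = [], False
    for m in PEM_BLOCK.finditer(pem_text):
        label, body = m.group(1), m.group(2)
        labels.append(label)
        # PKCS#8 encrypted keys have their own label; legacy keys carry a Proc-Type header.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            encrypted = True
    return labels, encrypted

def check_kmip_settings(host, port, ca_file, cert_file, cert_pem, password=None):
    """Pre-flight the KMIP fields; return the list of problems (empty means OK)."""
    problems = []
    if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", host):
        problems.append("KMIP Server Host should be an FQDN")
    if not 1 <= port <= 65535:  # the page's default is 5696
        problems.append("KMIP Server Port is out of range")
    for name, path in (("CA file", ca_file), ("client certificate", cert_file)):
        if not path.startswith("/"):
            problems.append(f"{name} path must be absolute")
    labels, encrypted = pem_inventory(cert_pem)
    if "CERTIFICATE" not in labels:
        problems.append("client certificate file holds no CERTIFICATE block")
    if not any("PRIVATE KEY" in label for label in labels):
        problems.append("client certificate file holds no private key")
    if encrypted and not password:
        problems.append("client key is encrypted: set the client certificate password")
    if password and not encrypted:
        problems.append("password set but the client key is not encrypted")
    return problems
```

Running the check against the real CA and client files before clicking Save Changes catches the two mistakes the page warns about: a relative path, and a password field left empty for an encrypted key.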

Encrypt Your Backup Job

Important

For existing backups in a group, enabling encryption requires an initial backup sync to recreate the backups’ head databases.

1

Click Backup.

If you have not yet enabled Ops Manager Backup, click Begin Setup and complete the wizard. This results in a completed backup setup, so you can skip the rest of this procedure.

2

Start backing up the process.

From the list of processes, navigate to the Status column for the process you want to back up and click Start.

3

In the Start Backup sidebar, configure the backup source and storage engine.

Sync source

  Possible values:
  • Any secondary (Ops Manager chooses)
  • Any specific secondary
  • The primary node

  Default value: any secondary

  Using a secondary is preferred because it minimizes the performance impact on the primary.

Storage Engine

  Possible values:
  • MongoDB Memory Mapped Files
  • WiredTiger

  See the considerations in Storage Engines.

  Default value: the same storage engine as the primary node of the database being backed up.

If the storage engine is WiredTiger, you can enable encryption by selecting Enable Encryption. Select this option only if you have set up a KMIP server for your backups and configured the group to use KMIP.

4

If the deployment is not under Automation and requires authentication, specify the authentication mechanism and credentials.

Specify the following, as appropriate:

Auth Mechanism

The authentication mechanism the host uses.

The options are:

DB Username

For Username/Password or LDAP authentication, the username used to authenticate the Backup Agent to the MongoDB deployment.

See Configure Backup Agent for MONGODB-CR or Configure Backup Agent for LDAP Authentication.

DB Password

For Username/Password or LDAP authentication, the password used to authenticate the Backup Agent to the MongoDB deployment.

Allows SSL for connections

If checked, the Backup Agent uses SSL to connect to MongoDB.

See Configure Backup Agent for SSL.

5

To filter which namespaces get backed up, click Advanced Settings.

To exclude databases and collections from this backup:

  1. Click Blacklist.
  2. Enter the first database and collection in the text box. For collections, enter the full namespace: <database>.<collection>.
  3. To exclude additional databases or collections, click the Add another link then repeat the previous step.

To include only certain databases and collections for this backup:

  1. Click Whitelist.
  2. Enter the first database and collection in the text box. For collections, enter the full namespace: <database>.<collection>.
  3. To include additional databases or collections, click the Add another link then repeat the previous step.

6

Click Start.