Storage Encryption

TencentDB for MongoDB

Release Notes and Announcements

Release Notes

Announcements

"Capacity Utilization" Monitoring Metric Modification

Product Introduction

Product Specifications

Features

Feature

Versions and Storage Engines

Purchase Guide

Configuration Adjustment Billing

Getting Started

Creating TencentDB for MongoDB Instance

Connecting to TencentDB for MongoDB Instance

Reading/Writing Database

Operation Guide

Access Management

Overview

Authorization Policy Syntax

Authorization Permission Policy

Instance Management

Viewing Instance Details

Adjusting Instance Specification

Switching Instance Network

Accessing Instance Without Authentication

Changing Instance AZ

Setting Instance Maintenance Period

Specifying Project for Instance

Editing Instance Tag

Restarting Instance

Terminating Instance

Adjusting Oplog Capacity

Node Management

Node Overview

Viewing Node Information

Adjusting Mongod Node Specification

Adding Secondary Node

Deleting Secondary Node

Adding Read-Only Node

Adjusting Shard Quantity

Adjusting Mongos Node Specification

Adding Mongos Node

Enabling Mongos Access Address

Promoting Secondary Node to Primary Node

Restarting a Node

Version Upgrade

Network Configuration

Enabling Public Network Access

FAQs

Monitoring

Monitoring Feature

Viewing Monitoring Data

Configuring Alarm Policy

Configuring Event Alarms

Backup and Rollback

Data Backup

Data Rollback

Data Clone

Database and Table Rollback

Batch Rollback

Restoring to Self-built Database

Data Security

Configuring Security Group

Storage Encryption

SSL Authentication

Enabling SSL Authentication

Using Mongo Shell to Connect to Database by SSL Authentication

Using Multi-Language SDKs to Connect to Database by SSL Authentication

Database Management

Account Management

Slow Log Management

Connection Management

Multi-AZ Deployment

Disaster Recovery/Read-Only Instances

Overview of Read-Only Disaster Recovery

Creating Read-Only Instances

Creating Disaster Recovery Instance

Parameter Configuration

Adjusting Database Parameters

Recycle Bin

Task Management

Performance Optimization

Data Migration Guide

Practical Tutorial

Optimizing Indexes to Break Through Read/Write Performance Bottlenecks

Troubleshooting Mongos Load Imbalance in Sharded Cluster

Considerations for Using Shard Clusters

Sample of Reading and Writing Data in MongoDB Instance

Methods for Importing and Exporting Data Based on CVM Connected with MongoDB

What to Do for Errors of Repeated Instance Creation and Deletion of Databases with the Same Names?

Troubleshooting MongoDB Connection Failures

Performance Fine-Tuning

Troubleshooting High Connection Utilization

Troubleshooting High CPU Utilization

Memory Tunning Method

Cause Analysis and Solutions for Increased Slow Queries and Elevated Latency

Troubleshooting Excessive Connections

Solutions for High Disk Space Utilization

Ops and Development Guide

Development Specifications

Command Support in Sharded Cluster v3.2

Command Support in v3.6

Development Ops

Database Problems in MongoDB 3.6

High CPU Utilization

Slow Query Problems

Connection Problems

Troubleshooting

Increased Slow Queries

Number of Connections Exceeding Limit

API Documentation

Instance Connection

Shell Connection Sample

PHP Connection Sample

Node.js Connection Sample

Java Connection Sample

Python Connection Sample

Python Read/Write Sample

Go Connection Sample

PHP Reconnection Sample

Product Performance

Test Environment

Test Method

Test Result

Test Data of MongoDB 4.0

Test Data of MongoDB 4.4

FAQs

Service Agreement

Service Level Agreement

Glossary

DocumentationTencentDB for MongoDBOperation GuideData SecurityStorage Encryption

Storage Encryption

Download PDF

Last updated: 2025-03-10 18:20:33

Storage Encryption

Last updated: 2025-03-10 18:20:33

Download PDF

Overview
TencentDB for MongoDB provides the storage encryption feature, which is also known as Transparent Data Encryption (TDE) or static data encryption. It encrypts data before the data is written to disk and automatically decrypts data when the data is read from disk and then written to memory. This process is implemented by the database management system, meeting the compliance requirements of data encryption.
Prerequisites
The instance version is MongoDB 4.4, 5.0, or 6.0.
The operation account has enabled Key Management Service (KMS). If it is not enabled, you can enable it according to the guidance when you enable TDE.
The operation account has permissions of the role MongoDB_QCSLinkedRoleInKMS. This role and its associated policy have permission granted by MongoDB to create and manage keys by using KMS. If no permission is granted, you can complete authorization according to the guidance when you enable TDE.
Notes:
The keys used for encryption are generated and managed by KMS. TencentDB for MongoDB does not provide the keys or certificate required for encryption.
The storage encryption feature does not incur additional fees, but KMS may incur additional fees. For details, see Billing Overview.
When your account is in arrears, you cannot obtain keys from KMS, which may cause tasks such as migration and upgrade to fail. For details, see Arrears Explanation.
Must-Knows
TencentDB for MongoDB uses the AEGIS-256 encryption algorithm for storage encryption.
If the KMS authorization is invoked, the MongoDB database becomes unavailable after an instance is restarted.
Before storage encryption is enabled, the automatic backup method cannot be physical backup. After it is enabled, the automatic backup method cannot be modified to physical backup, and manual physical backup is not supported.
Once the storage encryption feature is enabled, it cannot be disabled, and key modification is not supported.
After the storage encryption feature is enabled, the encrypted data cannot be accessed if the corresponding key is disabled or deleted.
After the storage encryption feature is enabled, data security can be enhanced, but the read/write performance of accessing the encryption database may be affected. Please choose whether to enable the storage encryption feature according to the actual situation.
After the storage encryption feature is enabled, you cannot obtain keys from KMS when your account is in arrears, which may cause tasks such as migration and upgrade to fail.
After the storage encryption feature is enabled, the existing data in databases and tables will not be encrypted. To encrypt such data, it is recommended to create an instance with storage encryption enabled and migrate the existing data to this instance.
Directions
1. Log in to the TencentDB for MongoDB console.
2. In the dropdown list under MongoDB in the left sidebar, select Replica Set Instance or Shard Instance. The operations of replica set instances and sharded instances are similar.
3. Select a region at the top of the instance list page on the right.
4. Find the target instance in the instance list. You can enter an instance ID, an instance name, a private IP address, or a tag key in the search box at the upper right corner of the instance list to search for the target instance.
5. In the Instance ID/Name column of the target instance, click Instance ID to enter the Instance Details page.
6. Switch to the Data Security page, and select the Storage Encryption tab. Click Click to activate for Encrypted Status under Storage Encryption Configuration.
﻿
7. In the Set Data Encryption window, enable KMS, complete KMS key authorization, and select the key generation method in the Select Key field.
Use key auto-generated by Tencent Cloud: Tencent Cloud will automatically generate the key.
Use existing custom key: Select a key that has been created on the KMS Key Management page, and select the region where the instance is located and the name of the key in the dropdown list below.
Notes:
If you use a custom key to enable storage encryption, you need to specify key usage as symmetric encryption and decryption. For details, see Creating a Key.
If no custom key is available, click Go to Create to create a key in the KMS console. For details, see Creating a Key.
﻿
8. Click Encrypt to complete the configuration. In the left sidebar, click Task Management and wait for the task to finish execution.
﻿
9. Switch to the Storage Encryption page, and you can see that the Encryption Status has been updated to Enabled, and in the Key List, you can see the created key.
﻿

Was this page helpful?

You can also Contact Sales or Submit a Ticket for help.

Yes

tencent cloud

New User Offers

Next-Generation CDN：EdgeOne

Elasticsearch Service free trial

Free Tier

Tencent Cloud Startup Program

Special Offers

Lighthouse Special Offers

Cloud Object Storage Special Offers

Featured Products

New Products

Education

Tencent Cloud Online Education Solutions

Gaming

Gaming Solution

Game Media Solutions

E-commerce

E-commerce retail solutions

Audio & Video

Audio/Video Solution

LVB Recording Solution

Interactive Classroom Solution

Interactive Live Streaming Solution

Audio Chat Social Networking Solution

Financial Services

Financial Services Solution

Compute

Cloud Virtual Machine

Auto Scaling

Batch Compute

CVM Dedicated Host

Database

TencentDB for MySQL

TencentDB for Redis®

TencentDB for CTSDB

TDSQL for MySQL

Data Transfer Service

TencentDB for MongoDB

TencentDB for PostgreSQL

TencentDB for SQL Server

Video Service

Cloud Streaming Services

Video on Demand

Media Processing Service

Cloud Application Rendering

Cloud Contact Center

Game Multimedia Engine

Chat

Real-time Communication

Tencent Effect SDK

AI and Machine Learning

Image Creation Large Model

Face Fusion

eKYC

Optical Character Recognition

Video Creation Large Model

Industry Applications

Tencent HealthCare Omics Platform

Container and Middleware

TDMQ for CKafka

Serverless Cloud Function

Tencent Kubernetes Engine

Tencent Kubernetes Engine for Serverless

Networking

Cloud Load Balancer

Virtual Private Cloud

Direct Connect

Cloud Connect Network

NAT Gateway

VPN Connection

Bandwidth Package

Anycast Internet Acceleration

Elastic Network Interface

Flow Logs

Global Application Acceleration Platform

Security

Captcha

Cloud Workload Protection Platform

Data Security Governance Center

Key Management Service