diff --git a/docs/data-at-rest-encryption.md b/docs/data-at-rest-encryption.md index 42510888e..5b39d16dc 100644 --- a/docs/data-at-rest-encryption.md +++ b/docs/data-at-rest-encryption.md @@ -1,8 +1,8 @@ # Encryption at Rest -Encryption at rest should be used with data in transit encryption and policies that protect accounts, passwords, and encryption keys. When implemented well, encryption at rest helps organizations to comply with security and privacy standards like HIPAA, PCI-DSS, GDPR, and FIPS, ensuring sensitive data is protected both when it's being transmitted and when it's stored. +Encryption at rest should be used together with data in transit encryption and policies that protect accounts, passwords, and encryption keys. When implemented well, encryption at rest helps organizations comply with security and privacy standards like HIPAA, PCI-DSS, GDPR, and FIPS, ensuring sensitive data is protected both when it's being transmitted and when it's stored. -Data encryption at rest was introduced in Percona Server for MongoDB 3.6 and is fully compatible with MongoDB's encryption interface. Percona Server for MongoDB supports the following Key Management System (KMS) integrations: +Data encryption at rest was first introduced in Percona Server for MongoDB 3.6 and is fully compatible with MongoDB's encryption interface. Percona Server for MongoDB supports the following Key Management System (KMS) integrations: * [HashiCorp Vault](vault.md) * [OpenBao](openbao.md) 
@@ -12,9 +12,9 @@ Data encryption at rest was introduced in Percona Server for MongoDB 3.6 and is !!! important - You can only enable data at rest encryption and provide all encryption settings on an empty database, when you start the `mongod` instance for the first time. You cannot enable or disable encryption while the Percona Server for MongoDB server is already running and / or has some data. Nor can you change the effective encryption mode by simply restarting the server. Every time you restart the server, the encryption settings must be the same. + You can only enable data at rest encryption on an empty database when you start the `mongod` instance for the first time. You cannot enable or disable encryption while the Percona Server for MongoDB server is already running and/or has some data. Nor can you change the effective encryption mode by simply restarting the server. Every time you restart the server, the encryption settings must remain the same. -Each node of Percona Server for MongoDB generates a random, individual key for every database. It encrypts every database with an individual key and puts those keys into the special, so-called key database. Then each node of Percona Server for MongoDB randomly generates a unique master encryption key and encrypts the key database with this key. +Percona Server for MongoDB uses a two-level key hierarchy. It encrypts each database with an individual key, and puts those keys into a special, so-called "key database". Then, Percona Server for MongoDB uses a master encryption key, provided and managed via the configured key management option, to encrypt the key database. Thus, two types of keys are used for data at rest encryption: 
@@ -22,6 +22,10 @@ Thus, two types of keys are used for data at rest encryption: * The master key to encrypt database keys. It is kept separately from the data and database keys and requires external management. +!!! important + + Each node of a replica set uses the same master key to encrypt the key database. + To manage the master encryption key, use one of the supported key management options: * Integration with an external key server (recommended). Percona Server for MongoDB is [integrated with HashiCorp Vault](vault.md) and [OpenBao](openbao.md) for this purpose. It also supports the secure transfer of keys using [Key Management Interoperability Protocol (KMIP)](kmip.md). diff --git a/docs/lifecycle.md b/docs/lifecycle.md new file mode 100644 index 000000000..7432e34c7 --- /dev/null +++ b/docs/lifecycle.md @@ -0,0 +1,3 @@ +# Percona Software and Platform Lifecycle + +See the [Percona Release Lifecycle Overview](https://www.percona.com/services/policies/percona-software-support-lifecycle#mongodb) for information about support and platform end-of-life dates diff --git a/mkdocs-base.yml b/mkdocs-base.yml index 1c093cea1..7dd99040a 100644 --- a/mkdocs-base.yml +++ b/mkdocs-base.yml @@ -263,4 +263,5 @@ nav: - telemetry.md - copyright.md - trademark-policy.md + - "Percona Software and Platform Lifecycle": "lifecycle.md" - Join Percona Squad: "https://squad.percona.com/mongodb"
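Review bot: In the first hunk of docs/data-at-rest-encryption.md, the phrase "together with data in transit encryption" still reads awkwardly next to "Encryption at rest"; consider the parallel form "together with encryption of data in transit". The rest of the wording tightening ("helps organizations comply") is an improvement.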
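Review bot: The rewritten key-hierarchy paragraph in the second hunk of docs/data-at-rest-encryption.md drops the statement that the per-database keys are generated randomly by the node, so a reader can no longer tell where those keys come from. The new sentence "It encrypts each database with an individual key" should keep that detail, e.g. "Each node generates a random, individual key for every database and uses it to encrypt that database", since the hunk now attributes only the master key to the configured key management option.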
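Review bot: The new admonition in the third hunk of docs/data-at-rest-encryption.md ("Each node of a replica set uses the same master key to encrypt the key database") replaces the removed statement that each node generates its own unique master key, but it does not say whether this is something the operator must ensure when configuring the key management option for every node or something the server enforces; state which, and what happens if the keys differ. It would also read more naturally after the list of key management options that follows it rather than before the sentence that introduces them.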
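Review bot: The new docs/lifecycle.md hunk ends its only sentence without a terminating period ("...support and platform end-of-life dates"); add the period.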
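Review bot: The added nav entry in the mkdocs-base.yml hunk uses the quoted `"Title": "file"` form, while the neighbouring entries (`- telemetry.md`, `- copyright.md`, `- trademark-policy.md`) use the bare filename form and take their title from the page heading. Since lifecycle.md already carries the H1 "Percona Software and Platform Lifecycle", `- lifecycle.md` would match the surrounding style and avoid maintaining the title in two places.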