From 9b31d49dc3f6eeb5919dfa36c78dda2008c8cc89 Mon Sep 17 00:00:00 2001 From: Ivan Groenewold <9805809+igroene@users.noreply.github.com> Date: Thu, 12 Mar 2026 08:10:49 -0300 Subject: [PATCH 01/10] Refine wording on data at rest encryption details Clarified language regarding data at rest encryption and key management in Percona Server for MongoDB documentation. --- docs/data-at-rest-encryption.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/docs/data-at-rest-encryption.md b/docs/data-at-rest-encryption.md index 42510888e..9a4599c2c 100644 --- a/docs/data-at-rest-encryption.md +++ b/docs/data-at-rest-encryption.md @@ -1,8 +1,8 @@ # Encryption at Rest -Encryption at rest should be used with data in transit encryption and policies that protect accounts, passwords, and encryption keys. When implemented well, encryption at rest helps organizations to comply with security and privacy standards like HIPAA, PCI-DSS, GDPR, and FIPS, ensuring sensitive data is protected both when it's being transmitted and when it's stored. +Encryption at rest should be used together with data in transit encryption and policies that protect accounts, passwords, and encryption keys. When implemented well, encryption at rest helps organizations comply with security and privacy standards like HIPAA, PCI-DSS, GDPR, and FIPS, ensuring sensitive data is protected both when it's being transmitted and when it's stored. -Data encryption at rest was introduced in Percona Server for MongoDB 3.6 and is fully compatible with MongoDB's encryption interface. Percona Server for MongoDB supports the following Key Management System (KMS) integrations: +Data encryption at rest was first introduced in Percona Server for MongoDB 3.6 and is fully compatible with MongoDB's encryption interface. Percona Server for MongoDB supports the following Key Management System (KMS) integrations: * [HashiCorp Vault](vault.md) * [OpenBao](openbao.md) 
@@ -12,16 +12,20 @@ Data encryption at rest was introduced in Percona Server for MongoDB 3.6 and is !!! important - You can only enable data at rest encryption and provide all encryption settings on an empty database, when you start the `mongod` instance for the first time. You cannot enable or disable encryption while the Percona Server for MongoDB server is already running and / or has some data. Nor can you change the effective encryption mode by simply restarting the server. Every time you restart the server, the encryption settings must be the same. + You can only enable data at rest encryption on an empty database, when you start the `mongod` instance for the first time. You cannot enable or disable encryption while the Percona Server for MongoDB server is already running and / or has some data. Nor can you change the effective encryption mode by simply restarting the server. Every time you restart the server, the encryption settings must remain the same. -Each node of Percona Server for MongoDB generates a random, individual key for every database. It encrypts every database with an individual key and puts those keys into the special, so-called key database. Then each node of Percona Server for MongoDB randomly generates a unique master encryption key and encrypts the key database with this key. +Percona Server for MongoDB uses a two-level key hierarchy. It encrypts each database with an individual key, and puts those keys into a special, so-called "key database". Then, Percona Server for MongoDB randomly generates a unique master encryption key and encrypts the key database with this key. Thus, two types of keys are used for data at rest encryption: * Database keys to encrypt data. They are stored internally, near the data that they encrypt. -* The master key to encrypt database keys. It is kept separately from the data and database keys and requires external management. +* Master key to encrypt database keys. 
It is kept separately from the data and database keys and requires external management. +!!! important + + Each node of a replica set uses the same Master key to encrypt the key database. + To manage the master encryption key, use one of the supported key management options: * Integration with an external key server (recommended). Percona Server for MongoDB is [integrated with HashiCorp Vault](vault.md) and [OpenBao](openbao.md) for this purpose. It also supports the secure transfer of keys using [Key Management Interoperability Protocol (KMIP)](kmip.md). From 45be16da0e705daf7023723dbf6d0dea6afd9eca Mon Sep 17 00:00:00 2001 From: Ivan Groenewold <9805809+igroene@users.noreply.github.com> Date: Thu, 19 Mar 2026 11:26:13 -0300 Subject: [PATCH 02/10] Create lifecycle.md --- docs/release_notes/lifecycle.md | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 docs/release_notes/lifecycle.md diff --git a/docs/release_notes/lifecycle.md b/docs/release_notes/lifecycle.md new file mode 100644 index 000000000..7b7abaed7 --- /dev/null +++ b/docs/release_notes/lifecycle.md @@ -0,0 +1,3 @@ +## Percona Software and Platform Lifecycle + +See the [Percona Release Lifecycle Overview](https://www.percona.com/services/policies/percona-software-support-lifecycle#mongodb) for information about support and platform end-of-life dates From 2b671cc95ce46d7ce56580f4152c59afe5b10245 Mon Sep 17 00:00:00 2001 From: Ivan Groenewold <9805809+igroene@users.noreply.github.com> Date: Thu, 19 Mar 2026 11:34:32 -0300 Subject: [PATCH 03/10] Update lifecycle.md --- docs/release_notes/lifecycle.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release_notes/lifecycle.md b/docs/release_notes/lifecycle.md index 7b7abaed7..7432e34c7 100644 --- a/docs/release_notes/lifecycle.md +++ b/docs/release_notes/lifecycle.md 
@@ -1,3 +1,3 @@ -## Percona Software and Platform Lifecycle +# Percona Software and Platform Lifecycle See the [Percona Release Lifecycle Overview](https://www.percona.com/services/policies/percona-software-support-lifecycle#mongodb) for information about support and platform end-of-life dates From 59d540cf9dde4818d99edb97db49fa83e43842fd Mon Sep 17 00:00:00 2001 From: Ivan Groenewold <9805809+igroene@users.noreply.github.com> Date: Thu, 19 Mar 2026 11:38:39 -0300 Subject: [PATCH 04/10] Update mkdocs-base.yml --- mkdocs-base.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/mkdocs-base.yml b/mkdocs-base.yml index 1c093cea1..2fbf9a871 100644 --- a/mkdocs-base.yml +++ b/mkdocs-base.yml @@ -250,6 +250,7 @@ nav: - install/uninstall.md - Release notes: - "Release notes index": "release_notes/index.md" + - release_notes/lifecycle.md - release_notes/8.0.19-7.md - release_notes/8.0.17-6.md - release_notes/8.0.16-5.md From 17c9942af67447135ab169450c474728b7b1c294 Mon Sep 17 00:00:00 2001 From: Ivan Groenewold <9805809+igroene@users.noreply.github.com> Date: Thu, 19 Mar 2026 12:01:38 -0300 Subject: [PATCH 05/10] Delete docs/release_notes/lifecycle.md --- docs/release_notes/lifecycle.md | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 docs/release_notes/lifecycle.md diff --git a/docs/release_notes/lifecycle.md b/docs/release_notes/lifecycle.md deleted file mode 100644 index 7432e34c7..000000000 --- a/docs/release_notes/lifecycle.md +++ /dev/null @@ -1,3 +0,0 @@ -# Percona Software and Platform Lifecycle - -See the [Percona Release Lifecycle Overview](https://www.percona.com/services/policies/percona-software-support-lifecycle#mongodb) for information about support and platform end-of-life dates From 2ddfc7f7357ecc524d1e08fd8ee73e62aebcf90f Mon Sep 17 00:00:00 2001 
From: Ivan Groenewold <9805809+igroene@users.noreply.github.com> Date: Thu, 19 Mar 2026 12:02:19 -0300 Subject: [PATCH 06/10] Add Percona Software and Platform Lifecycle documentation --- docs/lifecycle.md | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 docs/lifecycle.md diff --git a/docs/lifecycle.md b/docs/lifecycle.md new file mode 100644 index 000000000..7432e34c7 --- /dev/null +++ b/docs/lifecycle.md @@ -0,0 +1,3 @@ +# Percona Software and Platform Lifecycle + +See the [Percona Release Lifecycle Overview](https://www.percona.com/services/policies/percona-software-support-lifecycle#mongodb) for information about support and platform end-of-life dates From 0e5955dd7ee011ab87ae60396afee77b86b09801 Mon Sep 17 00:00:00 2001 From: Ivan Groenewold <9805809+igroene@users.noreply.github.com> Date: Thu, 19 Mar 2026 12:04:27 -0300 Subject: [PATCH 07/10] Update mkdocs-base.yml --- mkdocs-base.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mkdocs-base.yml b/mkdocs-base.yml index 2fbf9a871..7dd99040a 100644 --- a/mkdocs-base.yml +++ b/mkdocs-base.yml @@ -250,7 +250,6 @@ nav: - install/uninstall.md - Release notes: - "Release notes index": "release_notes/index.md" - - release_notes/lifecycle.md - release_notes/8.0.19-7.md - release_notes/8.0.17-6.md - release_notes/8.0.16-5.md @@ -264,4 +263,5 @@ nav: - telemetry.md - copyright.md - trademark-policy.md + - "Percona Software and Platform Lifecycle": "lifecycle.md" - Join Percona Squad: "https://squad.percona.com/mongodb" From 2ea28510722891f0dcc62bc7cda8623a5e0d49fb Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Thu, 2 Apr 2026 11:36:41 +0530 Subject: [PATCH 08/10] Update docs/data-at-rest-encryption.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- docs/data-at-rest-encryption.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/data-at-rest-encryption.md b/docs/data-at-rest-encryption.md index 9a4599c2c..61812b20d 100644 --- a/docs/data-at-rest-encryption.md +++ b/docs/data-at-rest-encryption.md @@ -14,7 +14,7 @@ Data encryption at rest was first introduced in Percona Server for MongoDB 3.6 a You can only enable data at rest encryption on an empty database, when you start the `mongod` instance for the first time. You cannot enable or disable encryption while the Percona Server for MongoDB server is already running and / or has some data. Nor can you change the effective encryption mode by simply restarting the server. Every time you restart the server, the encryption settings must remain the same. -Percona Server for MongoDB uses a two-level key hierarchy. It encrypts each database with an individual key, and puts those keys into a special, so-called "key database". Then, Percona Server for MongoDB randomly generates a unique master encryption key and encrypts the key database with this key. +Percona Server for MongoDB uses a two-level key hierarchy. It encrypts each database with an individual key, and puts those keys into a special, so-called "key database". Then, Percona Server for MongoDB uses a master encryption key, provided and managed via the configured key management option, to encrypt the key database. Thus, two types of keys are used for data at rest encryption: From 3ae3827a7295b9b0d3abefc07cca87c104fccbf6 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Thu, 2 Apr 2026 11:36:51 +0530 Subject: [PATCH 09/10] Update docs/data-at-rest-encryption.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- docs/data-at-rest-encryption.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/data-at-rest-encryption.md b/docs/data-at-rest-encryption.md index 61812b20d..63d4e9d79 100644 --- a/docs/data-at-rest-encryption.md +++ b/docs/data-at-rest-encryption.md 
@@ -20,11 +20,11 @@ Thus, two types of keys are used for data at rest encryption: * Database keys to encrypt data. They are stored internally, near the data that they encrypt. -* Master key to encrypt database keys. It is kept separately from the data and database keys and requires external management. +* The master key to encrypt database keys. It is kept separately from the data and database keys and requires external management. !!! important - Each node of a replica set uses the same Master key to encrypt the key database. + Each node of a replica set uses the same master key to encrypt the key database. To manage the master encryption key, use one of the supported key management options: From faf99fc4e7cf0549868ba005b6f879982daf321d Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Thu, 2 Apr 2026 11:36:59 +0530 Subject: [PATCH 10/10] Update docs/data-at-rest-encryption.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- docs/data-at-rest-encryption.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/data-at-rest-encryption.md b/docs/data-at-rest-encryption.md index 63d4e9d79..5b39d16dc 100644 --- a/docs/data-at-rest-encryption.md +++ b/docs/data-at-rest-encryption.md 
@@ -12,7 +12,7 @@ Data encryption at rest was first introduced in Percona Server for MongoDB 3.6 a !!! important - You can only enable data at rest encryption on an empty database, when you start the `mongod` instance for the first time. You cannot enable or disable encryption while the Percona Server for MongoDB server is already running and / or has some data. Nor can you change the effective encryption mode by simply restarting the server. Every time you restart the server, the encryption settings must remain the same. + You can only enable data at rest encryption on an empty database when you start the `mongod` instance for the first time. You cannot enable or disable encryption while the Percona Server for MongoDB server is already running and/or has some data. Nor can you change the effective encryption mode by simply restarting the server. Every time you restart the server, the encryption settings must remain the same. Percona Server for MongoDB uses a two-level key hierarchy. It encrypts each database with an individual key, and puts those keys into a special, so-called "key database". Then, Percona Server for MongoDB uses a master encryption key, provided and managed via the configured key management option, to encrypt the key database.
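
Review bot: in PATCH 01/10, hunk @@ -1,8 +1,8 @@ of docs/data-at-rest-encryption.md, "was first introduced" is redundant, because "introduced" already implies the first appearance; keep the original "was introduced in Percona Server for MongoDB 3.6". The other two edits in this hunk ("used together with", "helps organizations comply") read fine.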
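
Review bot: in PATCH 01/10, hunk @@ -12,16 +12,20 @@, the rewritten paragraph still says the server "randomly generates a unique master encryption key", while the new admonition says every node of a replica set uses the same master key and the bullet says the key "requires external management"; the three statements do not fit together, and the removed text said each node generates its own master key. That is a change to the documented behaviour rather than the wording refinement the subject line describes, so please confirm it against vault.md, openbao.md and kmip.md, state whether sharing one key is a requirement or a recommendation, and say in one place where the master key comes from. The hunk also drops the statement that database keys are generated randomly on each node, and the second bullet and the admonition should use "The master key" and "master key" to match the first bullet.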
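
Review bot: in PATCH 06/10, docs/lifecycle.md, the only body sentence ends without a full stop ("... support and platform end-of-life dates"); add the period. The new file has the same blob id, 7432e34c7, as the file PATCH 05/10 deletes from docs/release_notes/, so patches 02, 03, 05 and 06 amount to a single file creation and can be squashed into one commit.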
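
Review bot: in PATCH 07/10, mkdocs-base.yml, the first hunk only removes the nav line that PATCH 04/10 added, so 04 can be dropped and this patch reduced to its second hunk. In the second hunk the explicit title in "Percona Software and Platform Lifecycle": "lifecycle.md" duplicates the page's own H1; the neighbouring entries (telemetry.md, copyright.md, trademark-policy.md) are listed by path only, so a bare lifecycle.md entry would be consistent with them.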
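
Review bot: in PATCH 08/10, the replacement sentence refers to "the configured key management option" before the page has introduced the options; the list only appears further down, under "To manage the master encryption key, use one of the supported key management options:". Either point forward to that list or name the options here. The phrase 'a special, so-called "key database"' also marks the term twice; drop either "so-called" or the quotation marks.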
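
Review bot: in PATCH 10/10, the admonition in its final form no longer says that the encryption settings have to be supplied at first start: "and provide all encryption settings" was dropped in PATCH 01/10 and is not restored here, yet the closing sentence still requires that the settings "remain the same" on every restart. Suggest "You can only enable data at rest encryption, and must provide all encryption settings, on an empty database when you start the `mongod` instance for the first time." While touching the line, "and/or" can become plain "or", which already covers both cases.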