DOCSP-3184 steps to deploy encryption at rest v4.4 (#71) (#77)

Dave · web-flow · commit 32b79154fd16 · 2021-11-30T16:18:38.000-05:00
* DOCSP-3184 Steps to deploy encryption at rest * Initial pass finished * broken step refs * Update URLs * Clean up * Internal review feedback * Streamline initial synch steps * Fix ref spacing
diff --git a/source/includes/steps-encrypt-with-rolling-sync.yaml b/source/includes/steps-encrypt-with-rolling-sync.yaml
@@ -0,0 +1,67 @@
+title: Prepare a server.
+stepnum: 1
+ref: "stp-clear-the-data"
+level: 4
+content: |
+
+   Follow these steps to prepare the server: 
+
+   - Pick one of the secondary servers. 
+   - Stop :binary:`~bin.mongod` on the secondary server.
+   - Optional: Backup the data in :setting:`~storage.dbPath`. If a full
+     backup is not required, consider backing up just the
+     ``diagnostic.data`` directory to preserve potentially-useful
+     troubleshooting data in the event of an issue. See :ref:`Full Time
+     Diagnostic Data Capture <ftdc-stub>` for more information.
+   - Remove the files and directories in the
+     :setting:`~storage.dbPath`.
+---
+title: Enable encryption.
+stepnum: 2
+ref: "stp-enable-encryption"
+level: 4
+content: |
+
+   Start the secondary server with :ref:`encryption enabled
+   <encrypt-with-new-key>`. The :binary:`~bin.mongod` instance creates
+   a new keystore.
+---
+title: Synchronize the data.
+stepnum: 3
+ref: "stp-sync-the-data"
+level: 4
+content: |
+
+   Import the data from the primary. :doc:`Start the mongod process
+   </tutorial/manage-mongodb-processes>`, specifying
+   :ref:`cli-mongod-replica-set` as appropriate.
+
+   :binary:`~bin.mongod` performs an initial sync and encrypts the data
+   during the sync up process.
+
+---
+title: Repeat the process on the secondaries.
+stepnum: 4
+ref: "stp-repeat-the-process"
+level: 4
+content: |
+
+   When the first secondary has finished importing and encrypting the
+   data, repeat the process on the other secondary
+   :binary:`~bin.mongod` instances.
+---
+title: Encrypt the primary.
+stepnum: 5
+ref: "stp-encrypt-the-primary"
+level: 4
+content: |
+
+   When the all the secondaries have been encrypted, :method:`step down
+   <rs.stepDown>` the primary. Eligible secondaries will elect a new 
+   primary.
+
+   The old primary is now a secondary. Repeat the steps to remove the
+   unencrypted data and then run an :ref:`initial sync
+   <replica-set-initial-sync>`.
+...
+
diff --git a/source/tutorial/configure-encryption.txt b/source/tutorial/configure-encryption.txt
@@ -15,32 +15,35 @@ Configure Encryption
 Overview
 --------
 
-.. include:: /includes/fact-enterprise-only-admonition.rst
-
-.. important::
-
-   Available for the WiredTiger Storage Engine Only.
-
-.. note:: Changed in version 4.0
-
-
-   .. include:: /includes/fact-aes.rst
+This page discusses server configuration to support encryption at rest.
+If you use `MongoDB Atlas <https://www.mongodb.com/cloud/atlas>`__,
+your data is already encrypted. MongoDB manages Atlas encryption at the
+cloud provider level, but you can also use your own key management
+solution. See the Atlas `key management documentation
+<https://docs.atlas.mongodb.com/security-kms-encryption/>`__ for details.
 
 MongoDB Enterprise 3.2 introduces a native encryption option for the
-WiredTiger storage engine. With storage encryption, the secure
-management of the encryption keys is critical.
+WiredTiger storage engine. Outside Atlas, encryption is only available
+for enterprise installations that use the WiredTiger Storage Engine.
+
+Secure management of the encryption keys is a critical requirement for
+storage encryption. MongoDB uses a master key that is not stored with
+the MongoDB installation. Only the master key is externally managed,
+other keys can be stored with your MongoDB instance.
 
-Only the master key is external to the server and requires external
-management. To manage the master key, MongoDB's encrypted storage
-engine supports two key management options:
+MongoDB's encrypted storage engine supports two key management options
+for the master key:
 
 - Integration with a third party key management appliance via the Key
   Management Interoperability Protocol (KMIP). **Recommended**
-
 - Use of local key management via a keyfile.
 
-The following tutorial outlines the procedures to configure MongoDB for
-encryption and key management.
+.. important::
+
+   MongoDB cannot encrypt existing data. When you enable encryption
+   with a new key, the MongoDB instance cannot have any pre-existing
+   data. If your MongoDB installation already has existing data, see
+   :ref:`encrypt-existing-data` for additional steps.
 
 Key Manager
 -----------
@@ -70,6 +73,10 @@ Prerequisites
 - To authenticate MongoDB to a KMIP server, you must have a valid
   certificate issued by the key management appliance.
 
+.. note:: Changed in version 4.0
+
+   .. include:: /includes/fact-aes.rst
+
 .. _encrypt-with-new-key:
 
 Encrypt Using a New Key
@@ -213,3 +220,21 @@ accessible by the owner of the :binary:`~bin.mongod` process.
 
    :ref:`encryption-key-management-options`
 
+.. _encrypt-existing-data:
+
+Encrypt Existing Data at Rest
+-----------------------------
+
+MongoDB cannot encrypt existing data. When you enable encryption with a
+new key, the MongoDB instance cannot have any pre-existing data.
+
+If you are using a replica set that does have existing data, use a
+rolling :ref:`initial sync <replica-set-initial-sync>` to encrypt the
+data. 
+
+For example, consider a replica set with three members. The replica set
+is in use and holds data that you want to encrypt. These are the steps
+you would take to encrypt the data at rest:
+
+.. include:: /includes/steps/encrypt-with-rolling-sync.rst
+
