Your Rocket.Chat version: 0.25.0
Hey Guys,
I've been looking for a way to encrypt messages stored in MongoDB. I work for a big IT company and the guidelines say that all messages have to be encrypted.
Do i need to implement my own solution?
Has anyone already done this?
Is there an already implemented or beta solution?
I already tried OTR in Rocket.Chat, but it still crashes with no error message and a timeout.
Thank you guys.
Kind regards,
Marvyn
Have you seen this https://docs.mongodb.org/manual/core/security-encryption-at-rest/ ?
What is the error you are getting with OTR?
Hi, I have already seen https://docs.mongodb.org/manual/core/security-encryption-at-rest/ but it seems to be only available for MongoDB Enterprise.
There's a bubble appearing in the top right corner but with no content. After some seconds I receive a timeout.
Does the client need to communicate with the mongodb directly?
We drop every packet for the MongoDB default port that is not from the server where Rocket.Chat is running. That means if my computer tries to connect to MongoDB, I get a timeout due to the iptables rule.
Kind regards,
No, the client never talks to the DB directly. It is all done via the server.
The key sharing actually doesn't even go via the DB, it is a memory stream only, so this may be the problem. We are working on new versions of encryption that will store the encryption keys on the server, protected by a passphrase. It will be less secure in some respects, but more stable and with greater usability.
And what can we do now to encrypt the messages in the database?
Load our own JavaScript to encrypt and decrypt?
Unless you're using 3.2 and on the enterprise Mongo $ subscription... third-party encrypted-volume solutions, as that article suggests (LUKS for Linux), something like https://www.digitalocean.com/community/tutorials/how-to-use-dm-crypt-to-create-an-encrypted-volume-on-an-ubuntu-vps
We have not tested this, and do not know the performance characteristics.
We actually didn't want to use LUKS or similar.
And like you said: it's untested.
> We have not tested this, and do not know the performance characteristics.
We are in the same situation as @hExPY. We would be happy to put some work and time in on this, but we don't know if this is something that would be merged in.
Is this a feature that there is interest in pursuing?
_P.S. Using only an encrypted volume does not meet our policies, and we also have had issues with OTR consistently working._
Hi @thecanadianbaker, this is definitely something we would love to merge into the main project if you are interested in collaborating.
Would be great if messages are being encrypted before they are stored in the database, so that nobody can read our database backups.
With EU's GDPR, this feature would be very welcome.
I confirm, in connection with the forthcoming legal regulations, currently the only problem that prevents us from implementing Rocketchat in the company is the lack of encryption of messages stored in the database.
@rocket-cat label add "Feature: Request"
Has this made it into any road map/milestone?
When something like this is in the feature request phase, it means it has not made it onto our roadmap. It means it's been requested but not planned yet.
For encryption at rest we have two options:
The E2E encryption is coming on this PR https://github.com/RocketChat/Rocket.Chat/pull/10094