Securing a Replica Set (KeyFile)

Step-by-step guide to securing a MongoDB replica set with a shared keyfile.

This page describes how to set up keyfile authentication between the members of a replica set.

Generate a keyfile

In this guide, we’ll secure the replica set using a shared keyfile.

To generate a keyfile, run the following command on the first node:

openssl rand -base64 756 > keyfile
chmod 400 keyfile

Place this keyfile in the $MONGO_BASE/admin/$MONGO_INSTANCE/secret directory and copy it to all nodes in the replica set over a secure channel (scp, for example), keeping the same owner and mode 400 on every node. mongod refuses to start if the keyfile is readable by group or others, and anyone holding the file can authenticate to the replica set as an internal cluster member, so treat it like a password.

On the PRIMARY node, create a dmk user that the DMK will use to connect to the instances. Authorization is not enabled yet at this point, so no credentials are needed to create it.

Connect to the PRIMARY node with ms, and run the following commands:

use admin
db.createUser({user:"dmk", pwd:passwordPrompt(), roles:[{role:"root", db:"admin"}]})

Example:

mongodb@vm00:/home/mongodb/ [mdbrs01] ms
test> use admin
switched to db admin
admin> db.createUser({user:"dmk", pwd:passwordPrompt(), roles:[{role:"root", db:"admin"}]})
Enter password
{ ok: 1 }

In the $MONGO_BASE/admin/$MONGO_INSTANCE/secret directory, create a cred.yaml file where the credentials will be stored.

$MONGO_BASE/admin/$MONGO_INSTANCE/secret/cred.yaml
dmk_user: dmk
dmk_pwd: <password>

Since this file holds the password in clear text, restrict it with chmod 400 cred.yaml. You can now test the credentials with the msp alias.

Stop all nodes, starting with SECONDARY nodes

Stop all nodes with mgstop, starting with the secondary nodes. At the end of this step, all members of the replica set should be offline.

# Stopping secondaries
mongodb@vm02:/home/mongodb/ [mdbrs02] mgstop
2025-07-18 08:42:32 | INFO     | Putting MongoDB instance 'mdbrs02' in state 'STOPPED' ...
2025-07-18 08:42:50 | INFO     | MongoDB instance 'mdbrs02' is now 'STOPPED'.

mongodb@vm03:/home/mongodb/ [mdbrs03] mgstop
2025-07-18 08:42:58 | INFO     | Putting MongoDB instance 'mdbrs03' in state 'STOPPED' ...
2025-07-18 08:43:16 | INFO     | MongoDB instance 'mdbrs03' is now 'STOPPED'.
# Stopping primary
mongodb@vm01:/home/mongodb/ [mdbrs01] mgstop
2025-07-18 08:43:20 | INFO     | Putting MongoDB instance 'mdbrs01' in state 'STOPPED' ...
2025-07-18 08:43:30 | INFO     | MongoDB instance 'mdbrs01' is now 'STOPPED'.

Update MongoDB configuration files

On all three nodes, add the security.authorization and security.keyFile parameters to the instance configuration file. The keyfile path contains the instance name, so adjust it on each node (mdbrs02, mdbrs03):

mdbrs01.conf
security:
  authorization: enabled
  keyFile: /u01/app/mongodb/admin/mdbrs01/secret/keyfile
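Before restarting, it pays to check the keyfile and the configuration on every node: a keyfile with the wrong permissions or a bad path keeps mongod from starting, and a bad conf file on one node is easiest to catch while all members are down anyway. The script below is an added example, not part of DMK or MongoDB; it covers both the keyfile generation step above and this configuration step. It assumes POSIX sh with openssl, stat, tr and sed, and that the security keys sit on their own lines as in the mdbrs01.conf fragment above (no real YAML parser is used). mongod already treats a set keyFile as enabling authorization, but the check insists on the explicit authorization line the page uses so the intent stays visible in the file.

```shell
#!/bin/sh
# Added example, not part of DMK or MongoDB: generate the keyfile, verify the
# properties mongod enforces on it, and audit an instance .conf to make sure
# it points at that keyfile with authorization enabled.
# Assumptions: POSIX sh with openssl, stat, tr and sed; the security keys sit
# on their own lines in the .conf (a full YAML parser is not used).

# generate_keyfile DIR: write DIR/keyfile readable only by its owner.
generate_keyfile() {
    dir="$1"
    mkdir -p "$dir"
    # 756 random bytes encode to 1008 base64 characters; with openssl's line
    # breaks the file is 1024 bytes. mongod ignores whitespace and accepts
    # 6 to 1024 base64 characters, so this is the largest key it takes.
    ( umask 077 && openssl rand -base64 756 > "$dir/keyfile" ) || return 1
    chmod 400 "$dir/keyfile"
}

# file_mode FILE: octal permission bits (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_keyfile FILE: 0 if mongod would accept FILE, 1 with a reason otherwise.
check_keyfile() {
    f="$1"
    [ -f "$f" ] || { echo "keyfile missing: $f" >&2; return 1; }
    # mongod refuses to start if group or others can read the key
    case "$(file_mode "$f")" in
        400|600) ;;
        *) echo "keyfile $f must be mode 400 (owner read only)" >&2; return 1 ;;
    esac
    # only the base64 characters count; whitespace is ignored by mongod
    body=$(tr -d ' \t\r\n' < "$f")
    len=${#body}
    if [ "$len" -lt 6 ] || [ "$len" -gt 1024 ]; then
        echo "keyfile $f has $len characters, want 6..1024" >&2; return 1
    fi
    if printf '%s' "$body" | tr -d 'A-Za-z0-9+/=' | grep -q .; then
        echo "keyfile $f contains non-base64 characters" >&2; return 1
    fi
    return 0
}

# conf_value CONF KEY: value of "KEY: value" on its own line, empty if absent.
conf_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# check_conf CONF: 0 if CONF enables authorization and names a valid keyfile.
check_conf() {
    conf="$1"
    [ "$(conf_value "$conf" authorization)" = "enabled" ] \
        || { echo "$conf: security.authorization is not 'enabled'" >&2; return 1; }
    kf=$(conf_value "$conf" keyFile)
    [ -n "$kf" ] || { echo "$conf: security.keyFile is not set" >&2; return 1; }
    check_keyfile "$kf"
}
```

Run check_conf against each node's $MONGO_BASE/admin/$MONGO_INSTANCE/$MONGO_INSTANCE.conf before mgstart; a non-zero exit with the printed reason tells you which node would have failed to come up.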

Restart all nodes

You can now restart all nodes, starting with the PRIMARY.

mongodb@vm01:/home/mongodb/ [mdbrs01] mgstart
2025-07-18 08:43:42 | INFO     | Putting MongoDB instance 'mdbrs01' in state 'STARTED' ...
2025-07-18 08:43:45 | INFO     | MongoDB instance 'mdbrs01' is now 'STARTED'.

mongodb@vm02:/home/mongodb/ [mdbrs02] mgstart
2025-07-18 08:43:48 | INFO     | Putting MongoDB instance 'mdbrs02' in state 'STARTED' ...
2025-07-18 08:43:53 | INFO     | MongoDB instance 'mdbrs02' is now 'STARTED'.

mongodb@vm03:/home/mongodb/ [mdbrs03] mgstart
2025-07-18 08:43:54 | INFO     | Putting MongoDB instance 'mdbrs03' in state 'STARTED' ...
2025-07-18 08:43:59 | INFO     | MongoDB instance 'mdbrs03' is now 'STARTED'.

Connect to the primary node with the msp alias and check the status of the replica set with rs.status(), or directly run the rsta alias. A quick way to confirm that authorization is really enforced is to run rs.status() from a plain ms session as well: it should now fail with an authentication error, while the msp session succeeds.

mongodb@vm01:/home/mongodb/ [mdbrs01] rsta

--------------------------------------------------  Replica Set Status Summary  --------------------------------------------------

INSTANCE                 : mdbrs01
REPLICA SET NAME         : rs01
DATE                     : 2025-07-21T06:00:35.241Z
MEMBER STATE             : PRIMARY
MEMBERS                  :
    NAME                   | STATE       | UPTIME        | LAG      | OPTIME              | HEALTH  | PRIORITY  | SYNC FROM
    vm01:27017             | PRIMARY     | 1m25s         | 0s       | 2025-07-21T06:00:26 | UP      | 2         |
    vm02:27017             | SECONDARY   | 36s           | 0s       | 2025-07-21T06:00:26 | UP      | 1         | vm01:27017
    vm03:27017             | SECONDARY   | 31s           | 0s       | 2025-07-21T06:00:26 | UP      | 1         | vm02:27017

----------------------------------------------------------------------------------------------------------------------------------
