# Securing a Replica Set (KeyFile)

This page describes how to set up **keyfile authentication** between the members of a replica set.

{% hint style="warning" %}
This guide is for new instances only where no uptime is required. If you want to secure your MongoDB replica set with keyfiles without downtime, see the [official documentation](https://www.mongodb.com/docs/manual/tutorial/enforce-keyfile-access-control-in-existing-replica-set-without-downtime/).
{% endhint %}

#### Generate a keyfile

In this guide, we’ll secure the replica set using a shared keyfile.

To generate a keyfile, run the following command on the first node:

```bash
openssl rand -base64 756 > keyfile
chmod 400 keyfile
```

Place this `keyfile` in the `$MONGO_BASE/admin/$MONGO_INSTANCE/secret` directory and copy it to all nodes in the replica set.
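Before the keyfile is copied to the other members, it is worth checking that it has the properties `mongod` requires (base64 characters only, 6 to 1024 characters, no group or world permission bits). The script below is an added example, not part of DMK; it generates the keyfile with the same command as above into a constructed temporary directory (standing in for `$MONGO_BASE/admin/$MONGO_INSTANCE/secret`) and assumes `openssl`, `stat`, `tr` and `mktemp` are available.

```shell
#!/bin/sh
# Added example (not DMK's own code): generate a keyfile the way the guide does,
# then verify the properties mongod enforces before the file is distributed.

# Generate a keyfile at $1 with the command used in the guide.
gen_keyfile() {
    openssl rand -base64 756 > "$1"
    chmod 400 "$1"
}

# Return 0 only if the keyfile at $1 would be accepted by mongod:
#  - only characters from the base64 alphabet (whitespace is ignored by mongod)
#  - between 6 and 1024 characters once whitespace is stripped
#  - no group/other permission bits (mongod refuses to start otherwise)
check_keyfile() {
    f="$1"
    [ -f "$f" ] || return 1
    content=$(tr -d ' \t\r\n' < "$f")
    len=${#content}
    [ "$len" -ge 6 ] && [ "$len" -le 1024 ] || return 1
    # any character outside the base64 alphabet: reject
    case "$content" in
        *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    # octal mode: GNU stat (-c) first, BSD stat (-f) as fallback; pad to 3 digits
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    mode=$(printf '%03d' "$mode")
    # the last two octal digits are group and other; both must be 0
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Demo on a constructed temp directory standing in for the instance's secret directory
demo_dir=$(mktemp -d)
gen_keyfile "$demo_dir/keyfile"
if check_keyfile "$demo_dir/keyfile"; then
    echo "keyfile OK: ready to copy to the other replica set members"
else
    echo "keyfile REJECTED: fix content or permissions before distributing it"
fi
```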

On the `PRIMARY` node, create a `dmk` user that will be used by the DMK to connect to the instances.

Connect to the `PRIMARY` node with `ms`, and run the following commands:

```js
use admin
db.createUser({user:"dmk", pwd:passwordPrompt(), roles:[{role:"root", db:"admin"}]})
```

Example:

```bash
mongodb@vm00:/home/mongodb/ [mdbrs01] ms
test> use admin
switched to db admin
admin> db.createUser({user:"dmk", pwd:passwordPrompt(), roles:[{role:"root", db:"admin"}]})
Enter password
{ ok: 1 }
```

In the `$MONGO_BASE/admin/$MONGO_INSTANCE/secret` directory, create a `cred.yaml` file where the credentials will be stored.

{% code title="$MONGO\_BASE/admin/$MONGO\_INSTANCE/secret/cred.yaml" overflow="wrap" lineNumbers="true" %}

```yaml
dmk_user: dmk
dmk_pwd: <password>
```

{% endcode %}

Change the permissions with `chmod 400 cred.yaml`. You can now test the credentials with the `msp` alias.

#### Stop all nodes, starting with `SECONDARY` nodes

Stop all nodes with `mgstop`, **starting with the secondary nodes**. At the end of this step, all members of the replica set should be offline.

```bash
# Stopping secondaries
mongodb@vm02:/home/mongodb/ [mdbrs02] mgstop
2025-07-18 08:42:32 | INFO     | Putting MongoDB instance 'mdbrs02' in state 'STOPPED' ...
2025-07-18 08:42:50 | INFO     | MongoDB instance 'mdbrs02' is now 'STOPPED'.

mongodb@vm03:/home/mongodb/ [mdbrs03] mgstop
2025-07-18 08:42:58 | INFO     | Putting MongoDB instance 'mdbrs03' in state 'STOPPED' ...
2025-07-18 08:43:16 | INFO     | MongoDB instance 'mdbrs03' is now 'STOPPED'.
```

```bash
# Stopping primary
mongodb@vm01:/home/mongodb/ [mdbrs01] mgstop
2025-07-18 08:43:20 | INFO     | Putting MongoDB instance 'mdbrs01' in state 'STOPPED' ...
2025-07-18 08:43:30 | INFO     | MongoDB instance 'mdbrs01' is now 'STOPPED'.
```

#### Update MongoDB configuration files

**On all three nodes**, modify the configuration file to include the `security.authorization` and `security.keyFile` parameters:

{% code title="mdbrs01.conf" overflow="wrap" lineNumbers="true" %}

```yaml
security:
  authorization: enabled
  keyFile: /u01/app/mongodb/admin/mdbrs01/secret/keyfile
```

{% endcode %}

#### Restart all nodes

You can now restart all nodes, starting with the `PRIMARY`.

```bash
mongodb@vm01:/home/mongodb/ [mdbrs01] mgstart
2025-07-18 08:43:42 | INFO     | Putting MongoDB instance 'mdbrs01' in state 'STARTED' ...
2025-07-18 08:43:45 | INFO     | MongoDB instance 'mdbrs01' is now 'STARTED'.

mongodb@vm02:/home/mongodb/ [mdbrs02] mgstart
2025-07-18 08:43:48 | INFO     | Putting MongoDB instance 'mdbrs02' in state 'STARTED' ...
2025-07-18 08:43:53 | INFO     | MongoDB instance 'mdbrs02' is now 'STARTED'.

mongodb@vm03:/home/mongodb/ [mdbrs03] mgstart
2025-07-18 08:43:54 | INFO     | Putting MongoDB instance 'mdbrs03' in state 'STARTED' ...
2025-07-18 08:43:59 | INFO     | MongoDB instance 'mdbrs03' is now 'STARTED'.
```

Connect to the primary node with the `msp` alias and check the status of the replica set with `rs.status()`, or directly run the `rsta` alias:

```bash
mongodb@vm01:/home/mongodb/ [mdbrs01] rsta

--------------------------------------------------  Replica Set Status Summary  --------------------------------------------------

INSTANCE                 : mdbrs01
REPLICA SET NAME         : rs01
DATE                     : 2025-07-21T06:00:35.241Z
MEMBER STATE             : PRIMARY
MEMBERS                  :
    NAME                   | STATE       | UPTIME        | LAG      | OPTIME              | HEALTH  | PRIORITY  | SYNC FROM
    vm01:27017             | PRIMARY     | 1m25s         | 0s       | 2025-07-21T06:00:26 | UP      | 2         |
    vm02:27017             | SECONDARY   | 36s           | 0s       | 2025-07-21T06:00:26 | UP      | 1         | vm01:27017
    vm03:27017             | SECONDARY   | 31s           | 0s       | 2025-07-21T06:00:26 | UP      | 1         | vm02:27017

----------------------------------------------------------------------------------------------------------------------------------
```

{% hint style="success" %}
You have successfully secured a MongoDB replica set using Keyfiles.
{% endhint %}
