Manage Your Own Encryption Keys

Feature unavailable in Free and Shared-Tier Clusters

This feature is not available for M0 (Free Tier), M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Tier), M2, and M5 Limitations.

Atlas encrypts all cluster storage and snapshot volumes, ensuring the security of all cluster data at rest (Encryption at Rest). Atlas Project Owners can configure an additional layer of encryption on their data at rest using the MongoDB Encrypted Storage Engine and their Atlas-compatible Encryption at Rest provider.

Atlas supports the following Encryption at Rest providers:

Prerequisites

Procedure

To enable Atlas Encryption at Rest for this cluster, toggle Encryption using your Key Management (M10 and up) to Yes.

Atlas Encryption at Rest using your Key Management supports M10 or greater replica set clusters backed by AWS or Azure only. Support for clusters deployed on Google Cloud Platform (GCP) is in development. Atlas Encryption at Rest supports encrypting Cloud Provider Snapshots only. You cannot enable Encryption at Rest on a cluster using Continuous Backups.

Atlas clusters using Encryption at Rest using your Key Management incur an increase to their hourly run cost. For more information on Atlas billing for advanced security features, see Advanced Security.

Important

If Atlas cannot access the Atlas project key management provider or the encryption key used to encrypt a cluster, then that cluster becomes inaccessible and unrecoverable. Exercise extreme caution before modifying, deleting, or disabling an encryption key or key management provider credentials used by Atlas.