
Enable and Configure Encryption at Rest using Customer Key Management for One Project

Note

Groups and projects are synonymous terms. Your {GROUP-ID} is the same as your project ID. For existing groups, your group/project ID remains the same. The resource and corresponding endpoints use the term groups.

Feature unavailable in Free and Shared-Tier Clusters

This feature is not available for M0 (Free Tier), M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Tier), M2, and M5 Limitations.

Enables, disables, and configures Encryption at Rest using Customer Key Management for an Atlas project with one of the following providers:

  • AWS KMS
  • Azure Key Vault
  • Google Cloud KMS

After configuring at least one Encryption at Rest using Customer Key Management provider for the Atlas project, Project Owners can enable Encryption at Rest using Customer Key Management for each Atlas cluster for which they require encryption. The Encryption at Rest using Customer Key Management provider does not have to match the cluster cloud service provider.

Atlas does not automatically rotate user-managed encryption keys. Defer to your preferred Encryption at Rest using Customer Key Management provider’s documentation and guidance for best practices on key rotation. Atlas automatically creates a 365-day key rotation alert when you configure Encryption at Rest using Customer Key Management using your Key Management in an Atlas project.

Note

Atlas encrypts all storage whether or not you use your own key management.

See also

To learn more about key management, see Encryption at Rest using Customer Key Management, including prerequisites and restrictions.

The Atlas API uses HTTP Digest Authentication. Provide a programmatic API public key and corresponding private key as the username and password when constructing the HTTP request.

For complete documentation on configuring API access for an Atlas project, see Configure Atlas API Access.

Base URL: https://cloud.mongodb.com/api/atlas/v1.0

Syntax

PATCH /groups/{PROJECT-ID}/encryptionAtRest

Request Path Parameters

Path Element Necessity Description
PROJECT-ID Required Unique identifier for the project.

Request Query Parameters

This endpoint might use any of the HTTP request query parameters available to all Atlas API resources. All of these are optional.

Name Type Necessity Description Default
pretty boolean Optional Flag indicating whether the response body should be in a prettyprint format. false
envelope boolean Optional Flag indicating if Cloud Manager should wrap the response in a JSON envelope. false

  This option may be needed for some API clients. These clients cannot access the HTTP response headers or status code. To remediate this, set envelope=true in the query.

  For endpoints that return one result, the response body includes:

  status    HTTP response code
  envelope  Expected response body

Request Body Parameters

The required request body parameters depend on whether Encryption at Rest using Customer Key Management is currently enabled:

  • If you have not yet enabled Encryption at Rest using Customer Key Management, Atlas requires all of the parameters for the desired encryption provider.
    • If you want to use AWS KMS, Atlas requires all the fields in the awsKms document.
    • If you want to use Azure Key Vault, Atlas requires all the fields in the azureKeyVault document.
    • If you want to use Google Cloud KMS, Atlas requires all the fields in the googleCloudKms document.
  • If you have already enabled Encryption at Rest using Customer Key Management, administrators can pass only the changed fields of the awsKms, azureKeyVault, or googleCloudKms document to this endpoint to update the configuration.
Name Type Necessity Description
awsKms object Required AWS KMS configuration details and whether Encryption at Rest using Customer Key Management is enabled for an Atlas project.
awsKms.accessKeyID string Optional IAM access key ID with permissions to access the customer master key (awsKms.customerMasterKeyID).
awsKms.customerMasterKeyID string Optional AWS customer master key used to encrypt and decrypt the MongoDB master keys.
awsKms.enabled boolean Optional Flag that indicates whether Encryption at Rest using Customer Key Management is enabled for an Atlas project. To disable Encryption at Rest using Customer Key Management, pass only this parameter with a value of false. When you disable Encryption at Rest using Customer Key Management, Atlas removes the configuration details.
awsKms.region string Optional AWS region in which the AWS customer master key exists:
  • CA_CENTRAL_1
  • US_EAST_1
  • US_EAST_2
  • US_WEST_1
  • US_WEST_2
  • SA_EAST_1
  • AP_NORTHEAST_1
  • AP_NORTHEAST_2
  • AP_SOUTH_1
  • AP_SOUTHEAST_1
  • AP_SOUTHEAST_2
  • EU_CENTRAL_1
  • EU_WEST_1
  • EU_WEST_2
  • EU_WEST_3
awsKms.secretAccessKey string Optional IAM secret access key with permissions to access the customer master key (awsKms.customerMasterKeyID).
Name Type Necessity Description
azureKeyVault object Required AKV configuration details and whether Encryption at Rest using Customer Key Management is enabled for an Atlas project.
azureKeyVault.azureEnvironment string Optional Azure environment where the Azure account credentials reside. Valid values are the following:
  • AZURE
  • AZURE_CHINA
  • AZURE_GERMANY
azureKeyVault.clientID string Optional Client ID, also known as the application ID, for an Azure application associated with the Azure AD tenant.
azureKeyVault.enabled boolean Required Flag that indicates whether Encryption at Rest using Customer Key Management is enabled for an Atlas project. To disable Encryption at Rest using Customer Key Management, pass only this parameter with a value of false. When you disable Encryption at Rest using Customer Key Management, Atlas also removes the configuration details.
azureKeyVault.keyIdentifier string Optional Unique identifier of a key in an AKV.
azureKeyVault.keyVaultName string Optional Name of an AKV containing your key.
azureKeyVault.resourceGroupName string Optional Name of the Azure Resource group that contains an AKV.
azureKeyVault.secret string Optional Secret associated with the AKV (azureKeyVault.tenantID).
azureKeyVault.subscriptionID string Optional Unique identifier associated with an Azure subscription.
azureKeyVault.tenantID string Optional Unique identifier for an Azure AD tenant within an Azure subscription.
Name Type Necessity Description
googleCloudKms object Required GCP KMS configuration details and whether Encryption at Rest using Customer Key Management is enabled for an Atlas project.
googleCloudKms.enabled boolean Required Flag that indicates whether Encryption at Rest using Customer Key Management is enabled for an Atlas project. To disable Encryption at Rest using Customer Key Management, pass only this parameter with a value of false. When you disable Encryption at Rest using Customer Key Management, Atlas also removes the configuration details.
googleCloudKms.serviceAccountKey string Optional String-formatted JSON object containing GCP KMS credentials from your GCP account.

  Note

  Your Service Account Key is a JSON object, but it must be formatted as a string for API call purposes.

  See also

  To learn more about authentication, see the GCP documentation.

googleCloudKms.keyVersionResourceID string Optional Key Version Resource ID from your GCP account.
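The request body rules above (all fields on first enable, only changed fields once enabled, only enabled=false to disable, the GCP service account key passed as a string) are easy to get wrong by hand. The following Python is an added example, not code from the Atlas documentation or MongoDB: it builds a body that satisfies those rules for each provider, then sends it with HTTP Digest authentication exactly as the curl examples do. ATLAS_BASE, the helper names and the sample values are this example's own assumptions.

```python
"""Added example (not from the Atlas documentation): build the request body for
PATCH /groups/{PROJECT-ID}/encryptionAtRest according to the rules on this page,
then send it with HTTP Digest auth. ATLAS_BASE, the helper names and the sample
values are this example's own assumptions."""
import json
import urllib.request

ATLAS_BASE = "https://cloud.mongodb.com/api/atlas/v1.0"

# Enumerations copied from the request body tables on this page.
AWS_REGIONS = {
    "CA_CENTRAL_1", "US_EAST_1", "US_EAST_2", "US_WEST_1", "US_WEST_2", "SA_EAST_1",
    "AP_NORTHEAST_1", "AP_NORTHEAST_2", "AP_SOUTH_1", "AP_SOUTHEAST_1", "AP_SOUTHEAST_2",
    "EU_CENTRAL_1", "EU_WEST_1", "EU_WEST_2", "EU_WEST_3",
}
AZURE_ENVIRONMENTS = {"AZURE", "AZURE_CHINA", "AZURE_GERMANY"}

# Fields Atlas requires the first time a provider is configured.
REQUIRED_FIELDS = {
    "awsKms": ("accessKeyID", "secretAccessKey", "customerMasterKeyID", "region"),
    "azureKeyVault": ("azureEnvironment", "clientID", "keyIdentifier", "keyVaultName",
                      "resourceGroupName", "secret", "subscriptionID", "tenantID"),
    "googleCloudKms": ("serviceAccountKey", "keyVersionResourceID"),
}


def build_body(provider, fields=None, *, already_enabled=False):
    """Return the JSON body for one provider.

    fields=None      -> disable: the body carries only {"enabled": false}, nothing else.
    already_enabled  -> only the changed fields are needed, so no completeness check.
    otherwise        -> first-time enable: every field in REQUIRED_FIELDS must be present.
    """
    if provider not in REQUIRED_FIELDS:
        raise ValueError(f"unknown provider {provider!r}")
    if fields is None:
        return {provider: {"enabled": False}}

    doc = dict(fields)
    if provider == "awsKms" and "region" in doc and doc["region"] not in AWS_REGIONS:
        raise ValueError(f"unsupported awsKms.region {doc['region']!r}")
    if (provider == "azureKeyVault" and "azureEnvironment" in doc
            and doc["azureEnvironment"] not in AZURE_ENVIRONMENTS):
        raise ValueError(f"unsupported azureEnvironment {doc['azureEnvironment']!r}")
    if provider == "googleCloudKms" and isinstance(doc.get("serviceAccountKey"), dict):
        # Atlas wants the service account key JSON as a string, not a nested object.
        doc["serviceAccountKey"] = json.dumps(doc["serviceAccountKey"])

    if not already_enabled:
        missing = [f for f in REQUIRED_FIELDS[provider] if f not in doc]
        if missing:
            raise ValueError(f"{provider}: missing required fields {missing}")
    doc["enabled"] = True
    return {provider: doc}


def patch_encryption_at_rest(project_id, public_key, private_key, body):
    """Send the PATCH. Digest auth uses the API public key as the username and the
    private key as the password, as documented above. This performs a network call."""
    url = f"{ATLAS_BASE}/groups/{project_id}/encryptionAtRest?pretty=true"
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, public_key, private_key)
    opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(mgr))
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={"Accept": "application/json", "Content-Type": "application/json"},
    )
    with opener.open(req) as resp:
        return json.load(resp)


# Constructed sample values (placeholders from this page's examples, not real credentials).
SAMPLE_AWS = {
    "accessKeyID": "AKIAIOSFODNN7EXAMPLE",
    "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "customerMasterKeyID": "030gce02-586d-48d2-a966-05ea954fde0g",
    "region": "US_EAST_1",
}

if __name__ == "__main__":
    print(json.dumps(build_body("awsKms", SAMPLE_AWS), indent=2))   # first-time enable
    print(json.dumps(build_body("awsKms"), indent=2))               # disable
```

A key rotation on an already configured project is the already_enabled=True path with just the new customerMasterKeyID (or keyIdentifier / keyVersionResourceID), which matches the "only the changed fields" rule; the secret values never need to be resent for that.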

Response

Name Type Description
awsKms object Specifies whether Encryption at Rest using Customer Key Management is enabled for an Atlas project and the AWS KMS configuration details.
awsKms.accessKeyID string IAM access key ID with permissions to access the customer master key (awsKms.customerMasterKeyID).
awsKms.customerMasterKeyID string AWS customer master key used to encrypt and decrypt the MongoDB master keys.
awsKms.enabled boolean Flag that indicates whether Encryption at Rest using Customer Key Management is enabled for an Atlas project.
awsKms.region string AWS region in which the AWS customer master key exists.
awsKms.valid boolean Specifies whether the encryption key set for the provider is valid and may be used to encrypt and decrypt data. This field is a system-controlled status report and is read-only.
Name Type Description
azureKeyVault object Specifies Azure Key Vault configuration details and whether Encryption at Rest is enabled for an Atlas project.
azureKeyVault.azureEnvironment string The Azure environment where the Azure account credentials reside.
azureKeyVault.clientID string The client ID, also known as the application ID, for an Azure application associated with the Azure AD tenant.
azureKeyVault.enabled boolean Specifies whether Encryption at Rest is enabled for an Atlas project and the Azure Key Vault configuration details.
azureKeyVault.keyIdentifier string The unique identifier of a key in an Azure Key Vault.
azureKeyVault.keyVaultName string The name of an Azure Key Vault containing your key.
azureKeyVault.resourceGroupName string The name of the Azure Resource group that contains an Azure Key Vault.
azureKeyVault.subscriptionID string The unique identifier associated with an Azure subscription.
azureKeyVault.tenantID string Unique identifier for an Azure AD tenant within an Azure subscription.
azureKeyVault.valid boolean Specifies whether the encryption key set for the provider is valid and may be used to encrypt and decrypt data. This field is a system-controlled status report and is read-only.
Name Type Description
googleCloudKms.enabled boolean Specifies whether Encryption at Rest is enabled for an Atlas project using Google Cloud KMS.
googleCloudKms.keyVersionResourceID string Key Version Resource ID for your Google Cloud KMS.
googleCloudKms.valid boolean Specifies whether the encryption key set for the provider is valid and may be used to encrypt and decrypt data. This field is a system-controlled status report and is read-only.
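The read-only valid flag is the one field in the response that tells you whether Atlas can actually use the customer key, so it is worth checking after every PATCH and on a schedule. The following Python is an added example, not code from the Atlas documentation or MongoDB: it classifies each provider from a response document, flags a provider that is enabled but reports valid=false, flags more than one enabled provider, and flags any secret field that should not appear in a response (the response tables above list none of secretAccessKey, secret or serviceAccountKey). The sample responses are constructed from this page's examples; the function and constant names are this example's own.

```python
"""Added example (not from the Atlas documentation): audit an encryptionAtRest
response using the per-provider `enabled` and read-only `valid` fields described
above. Sample responses are constructed from this page's examples."""

PROVIDERS = ("awsKms", "azureKeyVault", "googleCloudKms")
# Request-only secrets; the response tables on this page list none of them.
SECRET_FIELDS = {"secretAccessKey", "secret", "serviceAccountKey"}


def audit_encryption_at_rest(response):
    """Classify each provider and collect findings worth alerting on."""
    states = {}
    findings = []
    for provider in PROVIDERS:
        doc = response.get(provider)
        if doc is None:
            continue  # provider document not returned at all
        enabled = bool(doc.get("enabled"))
        valid = bool(doc.get("valid"))
        if enabled and valid:
            states[provider] = "active"
        elif enabled:
            states[provider] = "enabled-but-invalid"
            findings.append(f"{provider}: enabled but Atlas reports the key as not valid; "
                            "check the key's permissions, rotation state and revocation at the KMS")
        else:
            states[provider] = "disabled"
        leaked = SECRET_FIELDS & set(doc)
        if leaked:
            findings.append(f"{provider}: response unexpectedly contains {sorted(leaked)}")

    active = [p for p, s in states.items() if s == "active"]
    if not active:
        findings.append("no provider is active: customer key management is off "
                        "(storage is still encrypted with Atlas-managed keys)")
    if len(active) > 1:
        findings.append(f"more than one provider is active: {active}")
    return {"states": states, "active": active, "findings": findings}


# Constructed sample: the AWS KMS response shown on this page.
SAMPLE_AWS_ENABLED = {
    "awsKms": {
        "accessKeyID": "AKIAIOSFODNN7EXAMPLE",
        "customerMasterKeyID": "030gce02-586d-48d2-a966-05ea954fde0g",
        "enabled": True,
        "region": "US_EAST_1",
        "valid": True,
    },
    "azureKeyVault": {
        "clientID": None, "enabled": False, "keyIdentifier": None, "keyVaultName": None,
        "resourceGroupName": None, "subscriptionID": None, "tenantID": None, "valid": False,
    },
}

# Constructed sample: everything disabled, as in the "Disable" response on this page.
SAMPLE_ALL_DISABLED = {
    "awsKms": {"accessKeyID": None, "customerMasterKeyID": None, "enabled": False,
               "region": None, "valid": False},
    "azureKeyVault": {"clientID": None, "enabled": False, "keyIdentifier": None,
                      "keyVaultName": None, "resourceGroupName": None,
                      "subscriptionID": None, "tenantID": None, "valid": False},
    "googleCloudKms": {"enabled": False, "keyVersionResourceID": None, "valid": False},
}

# Constructed sample: a key that was enabled and later became unusable (e.g. revoked).
SAMPLE_AWS_INVALID = {"awsKms": dict(SAMPLE_AWS_ENABLED["awsKms"], valid=False)}

if __name__ == "__main__":
    for name, sample in (("enabled", SAMPLE_AWS_ENABLED), ("disabled", SAMPLE_ALL_DISABLED),
                         ("invalid", SAMPLE_AWS_INVALID)):
        print(name, audit_encryption_at_rest(sample))
```

Treat "enabled-but-invalid" as an incident-grade finding: the project still expects the customer key, so clusters that rely on it cannot be restored or resumed until the key is reachable again.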

Example Request

Enable Encryption at Rest using Customer Key Management

The following example enables and configures Encryption at Rest using Customer Key Management for an Atlas project using AWS KMS:

curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
     --header "Accept: application/json" \
     --header "Content-Type: application/json" \
     --request PATCH "https://cloud.mongodb.com/api/atlas/v1.0/groups/{PROJECT-ID}/encryptionAtRest?pretty=true" \
     --data '
       {
         "awsKms": {
           "enabled": true,
           "accessKeyID" : "AKIAIOSFODNN7EXAMPLE",
           "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
           "customerMasterKeyID" : "030gce02-586d-48d2-a966-05ea954fde0g",
           "region" : "US_EAST_1"
         }
       }'

The following example enables and configures Encryption at Rest using Customer Key Management for an Atlas project using Azure Key Vault:

curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
     --header "Accept: application/json" \
     --header "Content-Type: application/json" \
     --request PATCH "https://cloud.mongodb.com/api/atlas/v1.0/groups/6cbbae2187d9d675e009g35f/encryptionAtRest?pretty=true" \
     --data '
       {
         "azureKeyVault" : {
           "enabled" : true,
           "clientID" : "g54f9e2-89e3-40fd-8188-EXAMPLEID",
           "azureEnvironment" : "AZURE",
           "subscriptionID" : "0ec944e3-g725-44f9-a147-EXAMPLEID",
           "resourceGroupName" : "ExampleRGName",
           "keyVaultName" : "EXAMPLEKeyVault",
           "keyIdentifier" : "https://EXAMPLEKeyVault.vault.azure.net/keys/EXAMPLEKey/d891821e3d364e9eb88fbd3d11807b86",
           "secret" : "EXAMPLESECRET",
           "tenantID" : "e8e4b6ba-ff32-4c88-a9af-EXAMPLEID"
         }
       }'

The following example enables and configures Encryption at Rest using Customer Key Management for an Atlas project using GCP KMS.

Note

The serviceAccountKey JSON object must be formatted as a string for API call purposes.

curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
     --header "Accept: application/json" \
     --header "Content-Type: application/json" \
     --request PATCH "https://cloud.mongodb.com/api/atlas/v1.0/groups/6cbbae2187d675e009g35f/encryptionAtRest?pretty=true" \
     --data '
       {
         "googleCloudKms" : {
           "enabled" : true,
           "serviceAccountKey":
              "{\"type\": \"service_account\",\"project_id\": \"my-project-common-0\",\"private_key_id\": \"e120598ea4f88249469fcdd75a9a785c1bb3\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEuwIBA(truncated)SfecnS0mT94D9\\n-----END PRIVATE KEY-----\\n\",\"client_email\": \"my-email-kms-0@my-project-common-0.iam.gserviceaccount.com\",\"client_id\": \"10180967717292066\",\"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\"token_uri\": \"https://accounts.google.com/o/oauth2/token\",\"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/my-email-kms-0%40my-project-common-0.iam.gserviceaccount.com\"}",
           "keyVersionResourceID": "projects/my-project-common-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1"
          }
       }'

Disable Encryption at Rest using Customer Key Management

The following example disables Encryption at Rest using Customer Key Management for an Atlas project:

curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
     --header "Accept: application/json" \
     --header "Content-Type: application/json" \
     --request PATCH "https://cloud.mongodb.com/api/atlas/v1.0/groups/{PROJECT-ID}/encryptionAtRest?pretty=true" \
     --data '
       {
         "awsKms": {
           "enabled" : false
         }
       }'

Example Response

Enable Encryption at Rest using Customer Key Management

Response to the AWS KMS request above:

{
  "awsKms" : {
    "accessKeyID" : "AKIAIOSFODNN7EXAMPLE",
    "customerMasterKeyID" : "030gce02-586d-48d2-a966-05ea954fde0g",
    "enabled" : true,
    "region" : "US_EAST_1",
    "valid" : true
  },
  "azureKeyVault" : {
    "clientID" : null,
    "enabled" : false,
    "keyIdentifier" : null,
    "keyVaultName" : null,
    "resourceGroupName" : null,
    "subscriptionID" : null,
    "tenantID" : null,
    "valid" : false
  }
}

Response to the Azure Key Vault request above:

{
  "awsKms" : {
    "accessKeyID" : null,
    "customerMasterKeyID" : null,
    "enabled" : false,
    "region" : null,
    "valid" : false
  },
  "azureKeyVault" : {
    "enabled" : true,
    "clientID" : "g54f9e2-89e3-40fd-8188-EXAMPLEID",
    "azureEnvironment" : "AZURE",
    "subscriptionID" : "0ec944e3-g725-44f9-a147-EXAMPLEID",
    "resourceGroupName" : "ExampleRGName",
    "keyVaultName" : "EXAMPLEKeyVault",
    "keyIdentifier" : "https://EXAMPLEKeyVault.vault.azure.net/keys/EXAMPLEKey/d891821e3d364e9eb88fbd3d11807b86",
    "tenantID" : "e8e4b6ba-ff32-4c88-a9af-dc17efegdf63"
  }
}

Response to the GCP KMS request above:

{
  "awsKms" : {
    "accessKeyID" : null,
    "customerMasterKeyID" : null,
    "enabled" : false,
    "region" : null,
    "valid" : false
  },
  "azureKeyVault" : {
    "clientID" : null,
    "enabled" : false,
    "keyIdentifier" : null,
    "keyVaultName" : null,
    "resourceGroupName" : null,
    "subscriptionID" : null,
    "tenantID" : null,
    "valid" : false
  },
  "googleCloudKms" : {
    "enabled": true,
    "keyVersionResourceID" : "projects/my-project-common-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1",
    "valid" : true
  }
}

Disable Encryption at Rest using Customer Key Management

{
  "awsKms" : {
    "accessKeyID" : null,
    "customerMasterKeyID" : null,
    "enabled" : false,
    "region" : null,
    "valid" : false
  },
  "azureKeyVault" : {
    "clientID" : null,
    "enabled" : false,
    "keyIdentifier" : null,
    "keyVaultName" : null,
    "resourceGroupName" : null,
    "subscriptionID" : null,
    "tenantID" : null,
    "valid" : false
  },
  "googleCloudKms" : {
    "enabled": false,
    "keyVersionResourceID" : null,
    "valid" : false
  }
}