
Security

How does Atlas encrypt my data?

Atlas uses whole volume (disk) encryption for any data at rest, including your cluster data and backups of that data.

Atlas also requires TLS encryption for client data and intra-cluster network communications.

If your organization requires more specific information regarding Atlas encryption, please contact Atlas MongoDB Support. From the Atlas project or cluster view, click Support in the left-hand navigation bar.

Can I disable TLS on my deployment?

No.

What versions of TLS does Atlas support?

Atlas deployments created after July 2018 support only Transport Layer Security (TLS) protocol versions 1.1 and 1.2 by default. Atlas deployments created before July 2018 support TLS protocol versions 1.0, 1.1, and 1.2 by default. After August 2018, Atlas will support only TLS 1.1 and 1.2 by default for all Atlas clusters.

Deprecating TLS 1.0 improves the security of your data in transit and aligns with industry best practices. This is why MongoDB 4.0 requires TLS 1.1 or later when TLS is enabled. As Atlas requires TLS connections for all Atlas clusters, Atlas clusters running MongoDB 4.0 always use TLS 1.1 or later by default.

You can read more about timing and reasons for the change from the Payment Card Industry (PCI) as well as the National Institute of Standards and Technology (NIST).

If you have questions about TLS support or cannot update your applications to support TLS 1.1 or later by late August 2018, please contact Atlas MongoDB Support.

To open an Atlas support ticket, log in to your Atlas account. Click the Support link in the Atlas console and fill in the requested details.

How do I know if my applications support TLS 1.1 or later?

TLS 1.1 was defined in April 2006. Applications whose underlying programming languages or security libraries predate TLS 1.1 may require updating to a more recent version to support TLS 1.1 or later. You may also need to update the application host operating system to support TLS 1.1 or later.

MongoDB and Atlas do not provide services to audit external applications for which versions of TLS they support. Third-party services such as howsmyssl.com may provide the appropriate tooling. MongoDB does not endorse the aforementioned service, and the reference is provided for information only. Defer to your organization’s procedures in selecting the appropriate vendor or service for auditing your applications to ensure TLS 1.0 is disabled.
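For a Python client, one way to run this check yourself is sketched below; it is an added example, not MongoDB or Atlas code. The function names are hypothetical, the TLS 1.2 floor is an assumption that satisfies the "1.1 or later" requirement, and port 27017 is assumed as the cluster port.

```python
import socket
import ssl

# Protocol names as returned by ssl.SSLSocket.version(), oldest first.
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def meets_floor(negotiated, floor="TLSv1.1"):
    """Return True if a negotiated protocol name is at or above the floor."""
    if negotiated not in PROTOCOL_ORDER or floor not in PROTOCOL_ORDER:
        raise ValueError(f"unknown protocol name: {negotiated!r} / {floor!r}")
    return PROTOCOL_ORDER.index(negotiated) >= PROTOCOL_ORDER.index(floor)


def audit_runtime():
    """Report which protocol versions this interpreter's TLS library was built with."""
    return {
        "library": ssl.OPENSSL_VERSION,
        "TLSv1": ssl.HAS_TLSv1,
        "TLSv1.1": ssl.HAS_TLSv1_1,
        "TLSv1.2": ssl.HAS_TLSv1_2,
        "TLSv1.3": ssl.HAS_TLSv1_3,
    }


def strict_client_context(floor=ssl.TLSVersion.TLSv1_2):
    """Build a certificate-verifying client context that refuses versions below floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = floor  # assumed floor; TLS 1.0 can no longer be negotiated
    return ctx


def negotiated_version(host, port=27017, timeout=5.0):
    """Handshake with host:port using the strict context and return the version name.

    Raises ssl.SSLError if the two sides share no version at or above the floor.
    """
    ctx = strict_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    for name, value in audit_runtime().items():
        print(f"{name}: {value}")
```

Call `negotiated_version()` with your own cluster hostname from the application host; a handshake failure there means the host's TLS stack needs updating before TLS 1.0 is removed.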

What do I have to do to update my clusters for TLS 1.1 or later?

Atlas updates your existing clusters to limit TLS support to 1.1 or later in late August 2018. The only thing you should consider doing is auditing your applications for support of TLS 1.1 or later and updating any components of your technology stack that do not support TLS 1.1 or later.

Can I force enable TLS 1.0?

Atlas allows users to manually enable TLS 1.0 during cluster creation and cluster modification.

Enabling TLS 1.0 for any Atlas cluster carries significant risks. Consider enabling TLS 1.0 only for as long as required to update your application stack to support TLS 1.1 or later.

Which certificate authority signs MongoDB Atlas cluster TLS certificates?

The MongoDB Atlas TLS certificate changed on 25 February 2020.

MongoDB Atlas moved to Let’s Encrypt as the new Certificate Authority for TLS certificates for all Atlas clusters.

All newly created M10+ Atlas clusters already utilize the new certificates and can be used to test connectivity.

Please review the following scenarios to ensure that you will not experience connectivity issues:

Hard-coded Certificate Authority

If you hard-coded the DigiCert root Certificate Authority as the only trusted Certificate Authority utilized for your application’s connection to Atlas, please ensure that you add the Let’s Encrypt root Certificate Authorities to your certificate store. Add both of the following root Certificate Authorities for Let’s Encrypt:

Java Users

Let’s Encrypt isn’t present in the default trust store for Java version 7 prior to the 7u111 update, or Java version 8 prior to the 8u101 update. Use a Java release after 19 July 2016.

Please ensure your Java client software is up-to-date. The latest Java versions are strongly recommended for many improvements beyond these new Certificate Authority requirements for our TLS certificates.

If you have your own trust store, add the Let’s Encrypt certificate to it. To learn more, see Hard-coded Certificate Authority.

Everyone Else

This change shouldn’t impact you if you use a recent programming language and operating system version.
