Encryption at Rest via Azure Key Vault

Note

This feature is not available for M0 (Free Tier), M2, and M5 clusters. For more information, see Atlas M0 (Free Tier), M2, and M5 Limitations.

Atlas supports using a Key Identifier provided by Azure Key Vault to configure the encrypted storage engine on M10 or greater replica set clusters.

This procedure covers configuring Encryption at Rest via Azure Key Vault for an Atlas project. You must configure Encryption at Rest using your Key Management for the Atlas project before enabling it on clusters in that project. For instructions on enabling Encryption at Rest using your Key Management when deploying an Atlas cluster, see Enable Encryption at Rest. For instructions on enabling Encryption at Rest using your Key Management for an existing Atlas cluster, see Enable Encryption at Rest.

To learn more about Encryption at Rest using your Key Management in Atlas, see Encryption at Rest Using Your Key Management.

Important

To disable Encryption at Rest using your Key Management in an Atlas project, you must disable it for every cluster in the project before removing all configuration details in the project. Do not disable or delete any Azure Key Vault keys used by any cluster in your Atlas project before you have completely disabled Encryption at Rest within the Atlas project. If Atlas cannot access an Azure Key Vault key, any data encrypted by that key becomes inaccessible.

Prerequisites

You must have access to the following resources before starting this procedure:

  • The Tenant ID (or Directory ID) for an Active Directory tenant.

  • The Client ID (or Application ID) and a non-expired application Password for an Azure Application associated with the Active Directory tenant.

  • The Resource Group name for an Azure Resource Group in which the Azure Application has the Owner role.

  • The Subscription ID and Key Vault Name of an Azure Key Vault. Ensure that the Key Vault's resource group matches the Resource Group name you specified above.

    The Key Vault must have the following Access Policies:

    • Key Management Operations
      • GET
      • LIST
    • Cryptographic Operations
      • ENCRYPT
      • DECRYPT
  • The Key Identifier for a key in the specified Azure Key Vault.

Atlas uses these resources when enabling encryption at rest for a cluster in the Atlas project. Consider creating an Azure Application, Resource Group, and Key Vault specifically for use with the Atlas project.

For complete documentation on configuring the referenced Azure components, see the Azure Documentation.

Restrictions

The following restrictions apply to Encryption at Rest using your Key Management on an Atlas cluster:

  • Clusters must use M10 or larger instances.
  • For clusters that require backups, you must select Cloud Provider Snapshots when deploying or modifying the cluster. Atlas does not support encrypting Continuous Backups.
  • You cannot enable Encryption at Rest using your Key Management for clusters running on Google Cloud Project (GCP). Support for Encryption at Rest using your Key Management for GCP clusters is in development.

Note

Administrators who deploy clusters on GCP and want to enable backup should keep those clusters in a separate project from deployments that use Encryption at Rest using your Key Management or Cloud Provider Snapshots.

Configure Encryption at Rest for an Atlas project

1

Log into Atlas.

2

Select a project from the Context menu.

3

Click Security, then Enterprise Security.

4

Toggle the button next to Encryption at Rest to On.

5

Select Azure Key Vault.

6

Enter your Account Credentials.

For Client ID, enter the Client ID (or Application ID) of the Azure application.

For Tenant ID, enter the Tenant ID (or Directory ID) of the Active Directory tenant.

For Secret, enter one of the application’s non-expired Passwords.

For Azure Environment, select the Azure cloud your Active Directory tenant lives in.

7

Enter the Key Vault Credentials.

For Subscription ID, enter the Subscription ID of the Key Vault.

For Resource Group Name, enter the Resource Group of the Key Vault.

For Key Vault Name, enter the name of the Key Vault.

8

Enter the Encryption Key.

For Key Identifier, enter the full URL for the key created in the Key Vault.

9

Click Save.

Atlas displays a banner in the Atlas UI during the encryption process.

Atlas automatically creates an encryption key rotation alert once you configure Encryption at Rest using your Key Management for a project. You can reset this alert at any time by rotating your Azure Key Identifier.

Rotate your Azure Key Identifier

For clusters using Atlas Encryption at Rest via Azure Key Vault, Atlas automatically rotates the MongoDB master keys every 90 days. However, Atlas does not automatically rotate the Key Identifier used for Encryption at Rest using your Key Management. This procedure documents manually rotating your Atlas project Key Identifier by specifying a new key identifier in Atlas. This procedure assumes you have already created a new key in the Azure Key Vault associated with the Atlas project.

1

Log into Atlas.

2

Select a project from the Context menu.

3

Click Security, then Enterprise Security.

4

Click the Rotate Keys edit icon.

5

Click Azure Key Vault.

Skip this step if the Azure Key Vault selector is already active.

6

Expand Encryption Key.

Skip this step if the Encryption Key dialog is already in view.

7

Enter the Azure Key Identifier in the Key Identifier field.

Include the full URL to the new encryption key identifier. For example:

https://mykeyvault.vault.azure.net/keys/AtlasKMSKey/a241124e3d364e9eb99fbd3e11124b23

The encryption key must belong to the Key Vault configured for the project. Click the Key Vault section to view the currently configured Key Vault for the project.

8

Click Update Credentials.

Atlas displays a banner in the Atlas UI during the Key Identifier rotation process. Do not delete or disable the original Key Identifier until your changes have deployed.

If the cluster uses Cloud Provider Snapshots, do not delete or disable the original Key Identifier until you validate that no snapshots used that key for encryption.

Atlas resets the encryption key rotation alert timer at the completion of this procedure.
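The following Azure CLI script is an added example, not part of the Atlas documentation or the Atlas product. It covers the Key Vault access policies from the Prerequisites and the Key Identifier format used in the rotation procedure above: it grants the Atlas application only the four key permissions listed, prints the versioned Key Identifier URL to paste into Atlas, and includes a pure-shell pre-flight check that the identifier belongs to the Key Vault configured for the project. It assumes the `az` CLI is installed and logged in; all vault, key and application names are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not Atlas or Azure project code). Assumes the Azure CLI (az)
# is installed and authenticated. Names and IDs passed in are placeholders.
set -eu

# Grant the Atlas application exactly the access policies the Atlas
# prerequisites list: GET and LIST (key management) plus ENCRYPT and DECRYPT
# (cryptographic operations). No other permissions are needed for Atlas.
grant_atlas_policy() {
  local vault_name="$1" client_id="$2"   # client_id = Application (client) ID
  az keyvault set-policy --name "$vault_name" --spn "$client_id" \
    --key-permissions get list encrypt decrypt
}

# Print the full, versioned Key Identifier URL of an existing key. This is the
# value entered in the Atlas "Key Identifier" field (configure or rotate).
key_identifier() {
  local vault_name="$1" key_name="$2"
  az keyvault key show --vault-name "$vault_name" --name "$key_name" \
    --query key.kid -o tsv
}

# Pre-flight check before saving or rotating in Atlas: the identifier must be
# a versioned key URL and must belong to the Key Vault configured for the
# project (a key from another vault cannot be used). Returns 0 when valid.
validate_key_identifier() {
  local vault_name="$1" kid="$2"
  local prefix="https://${vault_name}.vault.azure.net/keys/"
  case "$kid" in
    "${prefix}"*) ;;
    *) echo "key identifier does not belong to vault '${vault_name}'" >&2; return 1 ;;
  esac
  local rest="${kid#"$prefix"}"          # expected: <keyname>/<version>
  case "$rest" in
    */*/*) echo "unexpected extra path segments in key identifier" >&2; return 1 ;;
    */)    echo "key identifier is missing the key version" >&2; return 1 ;;
    */*)   return 0 ;;
    *)     echo "key identifier is missing the key version" >&2; return 1 ;;
  esac
}

# Typical use (placeholders): grant the policy, fetch the identifier, check it.
#   grant_atlas_policy mykeyvault 00000000-0000-0000-0000-000000000000
#   kid="$(key_identifier mykeyvault AtlasKMSKey)"
#   validate_key_identifier mykeyvault "$kid" && echo "ready to enter in Atlas"
```

The versioned form matters: an identifier without the trailing version segment points at whatever the current key version is, so the check rejects it to make rotation explicit.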