Customer Key Management with Azure Key Vault

Feature unavailable in Free and Shared-Tier Clusters

This feature is not available for M0 (Free Tier), M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Tier), M2, and M5 Limitations.

Atlas uses your Azure Key Identifier (AKI) from your Azure Key Vault (AKV) to encrypt and decrypt your MongoDB master keys. These MongoDB master keys are used to encrypt cluster database files and cloud providers snapshots.

When you use your own cloud provider KMS, Atlas automatically rotates the MongoDB master keys every 90 days. These keys are rotated on a rolling basis and the process does not require the data to be rewritten.

Atlas encrypts your data at rest using encrypted storage media. Using keys you manage with AKV, Atlas encrypts your data a second time when it writes it to the MongoDB encrypted storage engine. You use your AKI to encrypt the MongoDB master encryption keys.

This page covers configuring customer key management using AKV on your Atlas project.

You must configure customer key management for the Atlas project before enabling it on clusters in that project.


To enable customer-managed keys with Azure Key Vault for a MongoDB project, you must:

  • Have the Tenant ID (or Directory ID) for an Active Directory tenant.

  • Have the Client ID (or Application ID) and a non-expired application Password for an Azure Application associated to the Active Directory tenant.

  • Have the Resource Group name for an Azure Resource Group in which the Azure Application has the Owner role.

  • Have the Subscription ID and Key Vault Name of an Azure Key Vault. Ensure the Key Vault resource group matches the resource group name specified to Resource Group.

    The Key Vault must have the following Access Policies:

    • Key Management Operations
      • GET
      • LIST
    • Cryptographic Operations
      • ENCRYPT
      • DECRYPT
  • Have the Key Identifier for a key in the specified Azure Key Vault.

    Atlas uses these resources when enabling encryption at rest for a cluster in the Atlas project. Consider creating an Azure Application, Resource Group, and Key Vault specifically for use with the Atlas project.

    To learn how to configure the referenced Azure components, see the Azure Documentation.


Enable Customer-Managed Keys for a Project

You must enable customer key management for a project before you can enable it on a cluster in that project.


Toggle the button next to Encryption at Rest using your Key Management to On.


Select Azure Key Vault.


Enter your Account Credentials.

Client ID Enter the Client ID (or Application ID) of the Azure application.
Tenant ID Enter the Tenant ID (or Directory ID) of the Active Directory tenant.
Secret Enter one of the application’s non-expired Passwords.
Azure Environment Select the Azure cloud your Active Directory tenant lives in.

Enter the Key Vault Credentials.

Subscription ID Enter the Subscription ID of the Key Vault.
Resource Group Name Enter the Resource Group of the Key Vault.
Key Vault Name Enter the name of the Key Vault.

Enter the Encryption Key.

Key Identifier

Enter the full URL for the key created in the Key Vault.


The key identifier must be provided in the full Azure general format


Click Save.

Atlas displays a banner in the Atlas console during the encryption process.

Disable Customer-Managed Keys for a Project

You must disable customer key management on each cluster in a project before you can disable the feature for the project.


Do not disable or delete any AKV keys that any cluster in your Atlas project uses before you have disabled customer key management within the Atlas project. If Atlas cannot access an AKV key, any data that key encrypted becomes inaccessible.


Atlas automatically creates an encryption key rotation alert once you configure customer key management for a project.

To reset this alert, Rotate your Azure Key Identifier.