Encryption at Rest via Google Cloud KMS

Feature unavailable in Free and Shared Tier Clusters

This feature is not available for M0 (Free Tier), M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Tier), M2, and M5 Limitations.

Atlas supports using a Service Account Key provided by Google Cloud Platform to configure the encrypted storage engine on M10 or greater replica set clusters.

This procedure covers configuring Encryption at Rest via Google Cloud Platform for an Atlas project. You must configure Encryption at Rest using your Key Management for the Atlas project before enabling it on clusters in that project. For instructions on enabling Encryption at Rest using your Key Management when deploying an Atlas cluster, see Enable Encryption at Rest. For instructions on enabling Encryption at Rest using your Key Management for an existing Atlas cluster, see Enable Encryption at Rest.

To learn more about Encryption at Rest using your Key Management in Atlas, see Encryption at Rest Using Your Key Management.

Prerequisites

You must have access to the following resources before starting this procedure:

  • Your GCP Service Account Key. For more information on creating a service account key, see the GCP documentation.
  • The Key Version Resource ID associated with your service account key. For more information on obtaining a key version resource ID, see the GCP documentation.

The GCP service account with credentials specified in your Service Account Key must have sufficient permissions for the following actions:

  • Get the Service Account Key version

  • Encrypt data with the Service Account Key version

  • Decrypt data with the Service Account Key

    Note

    Decryption is done with the key itself, not the key version.

For more details on GCP service account permissions, see the GCP documentation.

Restrictions

The following restrictions apply to Encryption at Rest using your Key Management on an Atlas cluster:

  • Clusters must use M10 or larger servers.
  • Continuous Backups are not supported. When enabling backup for a cluster using Encryption at Rest using your Key Management, you must use Cloud Provider Snapshots to encrypt your backup snapshots.

Configure Encryption at Rest for an Atlas project

1

Log into Atlas.

2

Select a project from the Context menu.

3

Click Security, then Enterprise Security.

4

Toggle the button next to Encryption at Rest to On.

5

Select Google Cloud KMS.

6

Enter your Service Account Key.

Your Service Account Key should be formatted as a JSON object. It contains the encryption credentials for your GCP service account.

7

Enter the Key Version Resource ID.

Your key version resource ID is the fully-qualified resource name for a CryptoKeyVersion.

8

Click Save.
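The two values entered in steps 6 and 7 are easy to get wrong: a CryptoKey name pasted without its trailing version segment, or a credentials file that is not a service account key at all. The Python below is an added example, not part of the Atlas documentation or of Atlas itself. It checks the shape of a Service Account Key JSON offline, splits a Key Version Resource ID into its components so the parent CryptoKey (the object decryption is done with) is visible, and, for the rotation procedure described later on this page, checks that a replacement ID is a later version of the same key. The required field list follows the standard layout of a GCP service account key file; the sample key values are constructed placeholders, and the sample resource ID reuses the format shown on this page.

```python
import json
import re

# Fully-qualified CryptoKeyVersion resource name as pasted into the
# Key Version Resource ID field (the five-segment layout GCP KMS uses).
_KEY_VERSION_RE = re.compile(
    r"^projects/(?P<project>[^/]+)"
    r"/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<key_ring>[^/]+)"
    r"/cryptoKeys/(?P<crypto_key>[^/]+)"
    r"/cryptoKeyVersions/(?P<version>[1-9][0-9]*)$"
)

# Fields present in every service account key JSON file that GCP issues.
_REQUIRED_SA_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
)


def parse_key_version_id(resource_id: str) -> dict:
    """Split a Key Version Resource ID into its parts.

    Raises ValueError for anything that is not a full CryptoKeyVersion name,
    e.g. a bare CryptoKey name missing the version segment.
    """
    cleaned = resource_id.strip()
    match = _KEY_VERSION_RE.match(cleaned)
    if not match:
        raise ValueError(f"not a CryptoKeyVersion resource name: {resource_id!r}")
    parts = match.groupdict()
    parts["version"] = int(parts["version"])
    # Parent CryptoKey: decryption uses the key itself, not the version, so
    # this is the object the service account must be allowed to decrypt with.
    parts["crypto_key_id"] = cleaned.rsplit("/cryptoKeyVersions/", 1)[0]
    return parts


def check_service_account_key(raw_json: str) -> dict:
    """Validate the structure of a Service Account Key before pasting it.

    Only the shape is checked (JSON object, expected type and fields, PEM
    private key); nothing is sent to GCP.
    """
    try:
        key = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        raise ValueError(f"service account key is not valid JSON: {exc}") from exc
    if not isinstance(key, dict):
        raise ValueError("service account key must be a JSON object")
    missing = [f for f in _REQUIRED_SA_FIELDS if f not in key]
    if missing:
        raise ValueError(f"service account key is missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"unexpected credential type {key['type']!r}")
    pem = key["private_key"]
    if not isinstance(pem, str) or not pem.startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM-encoded private key")
    return key


def audit_encryption_inputs(raw_sa_key: str, key_version_id: str) -> dict:
    """Run both checks and summarise what Atlas would be configured with."""
    sa_key = check_service_account_key(raw_sa_key)
    key_version = parse_key_version_id(key_version_id)
    warnings = []
    # A key in another project is legal (IAM grants can cross projects), but
    # it is the usual sign of a copy-paste mix-up, so surface it for review.
    if key_version["project"] != sa_key["project_id"]:
        warnings.append(
            f"key is in project {key_version['project']!r} but the service account "
            f"belongs to {sa_key['project_id']!r}; confirm the IAM grant"
        )
    return {
        "service_account": sa_key["client_email"],
        "crypto_key": key_version["crypto_key_id"],
        "version": key_version["version"],
        "warnings": warnings,
    }


def is_new_version_of_same_key(old_id: str, new_id: str) -> bool:
    """True when new_id is a later version of the CryptoKey old_id points at.

    That is the usual rotation: the parent key stays, only the version moves.
    Callers treat False as 'confirm deliberately before clicking Update'.
    """
    old, new = parse_key_version_id(old_id), parse_key_version_id(new_id)
    return old["crypto_key_id"] == new["crypto_key_id"] and new["version"] > old["version"]


# Constructed sample inputs (not real credentials).
SAMPLE_SA_KEY = json.dumps({
    "type": "service_account",
    "project_id": "my-project-0",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "atlas-kms@my-project-0.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})
SAMPLE_KEY_VERSION_ID = (
    "projects/my-project-0/locations/us-east4/keyRings/my-key-ring-0"
    "/cryptoKeys/my-key-0/cryptoKeyVersions/1"
)

if __name__ == "__main__":
    print(json.dumps(audit_encryption_inputs(SAMPLE_SA_KEY, SAMPLE_KEY_VERSION_ID), indent=2))
```

Run it against the real key file and resource ID before step 6; a ValueError from `parse_key_version_id` most often means the version segment was dropped when copying from the GCP console.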

Atlas automatically creates an encryption key rotation alert once you configure Encryption at Rest using your Key Management for a project. You can reset this alert at any time by rotating your GCP Key Version Resource ID.

Rotate your GCP Key Version Resource ID

For clusters using Atlas Encryption at Rest via Google Cloud KMS, Atlas automatically rotates the MongoDB master keys every 90 days. However, Atlas does not automatically rotate the Key Version Resource ID used for Encryption at Rest using your Key Management. This procedure documents manually rotating your Atlas project Key Identifier by specifying a new Key Version Resource ID in Atlas. This procedure assumes you have already created a new Service Account Key in the GCP account associated with your Atlas project.

1

Log into Atlas.

2

Select a project from the Context menu.

3

Click Security, then Enterprise Security.

4

Click the Rotate Keys edit icon.

5

Click Google Cloud KMS.

Skip this step if the Google Cloud KMS tab is already active.

6

Expand Encryption Key Credentials.

Skip this step if the Encryption Key Credentials dialog is already in view.

7

Enter the GCP Key Version Resource ID in the Key Identifier entry.

Enter the fully-qualified resource name for a CryptoKeyVersion.

For example:

projects/my-project-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1

The encryption key must belong to the GCP Service Account Key configured for your Atlas project. Click the Service Account Key section to view the currently configured Service Account Key for the project.

8

Click Update Credentials.

Atlas displays a banner in the Atlas UI during the Key Identifier rotation process.

Warning

Do not delete or disable the original Key Version Resource ID until your changes have deployed.

If the cluster uses Cloud Provider Snapshots, do not delete or disable the original Key Version Resource ID until you ensure that no snapshots used that key for encryption.

Atlas resets the encryption key rotation alert timer at the completion of this procedure.