• Security Features and Setup >
• Encryption at Rest using Customer Key Management >
• Customer Key Management with Google Cloud KMS

Customer Key Management with Google Cloud KMS

Feature unavailable in Free and Shared-Tier Clusters

This feature is not available for M0 (Free Tier), M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Tier), M2, and M5 Limitations.

Atlas uses your GCP Service Account Key to encrypt and decrypt your MongoDB master keys. These MongoDB master keys are used to encrypt cluster database files and cloud providers snapshots.

When you use your own cloud provider KMS, Atlas automatically rotates the MongoDB master keys every 90 days. These keys are rotated on a rolling basis and the process does not require the data to be rewritten.

Atlas encrypts your data at rest using encrypted storage media. Using keys you manage with GCP KMS, Atlas encrypts your data a second time when it writes it to the MongoDB encrypted storage engine. You use your GCP SAK to encrypt the MongoDB master encryption keys.

This page covers configuring customer key management using AKV on your Atlas project.

You must configure customer key management for the Atlas project before enabling it on clusters in that project.

Prerequisites

To enable customer-managed keys with GCP KMS for a MongoDB project, you must have:

• Your GCP Service Account Key.

• The Key Version Resource ID associated with your Service Account Key.

• A GCP service account with credentials specified in your Service Account Key with sufficient permissions to:

  • Get the Service Account Key version
  • Encrypt data with the Service Account Key version
  • Decrypt data with the Service Account Key

  Note

  The key, not the key version, handles decryption.

See also

See the GCP documentation to learn how to:

• Create a service account key.
• Obtain a key version resource ID.
• Grant roles to service accounts.

• Use an M10 or larger cluster.
• Use Cloud Backups to encrypt your backup snapshots. Legacy Backups are not supported.

Enable Customer-Managed Keys for a Project

You must enable customer key management for a project before you can enable it on a cluster in that project.

1

Navigate to the Advanced page for your project.

1. If it is not already displayed, select the organization that contains your desired project from the office icon Organizations menu in the navigation bar.
2. If it is not already displayed, select your desired project from the Projects menu in the navigation bar.
3. Click Advanced in the sidebar.

2

Toggle the button next to Encryption at Rest using your Key Management to On.

3

Select Google Cloud KMS.

4

Enter your Service Account Key.

Your Service Account Key should be formatted as a JSON object. It contains the encryption credentials for your GCP service account.

5

Enter the Key Version Resource ID.

Your key version resource ID is the fully-qualified resource name for a CryptoKeyVersion.

6

Click Save.

Alerts

Atlas automatically creates an encryption key rotation alert once you configure customer key management for a project. You can reset this alert at any time by rotating your GCP Key Version Resource ID.

Related Topics

• To enable Encryption at Rest using your Key Management when deploying an Atlas cluster, see Manage Your Own Encryption Keys.
• To enable Encryption at Rest using your Key Management for an existing Atlas cluster, see Enable Encryption at Rest.
• To learn more about Encryption at Rest using your Key Management in Atlas, see Encryption at Rest using Customer Key Management.

• Rotate your GCP Key Version Resource ID

←   Rotate your Azure Key Identifier Rotate your GCP Key Version Resource ID  →

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.