Encryption at Rest using Customer Key Management
Atlas encrypts all cluster storage and snapshot volumes, securing all cluster data on disk: a concept known as encryption at rest.
Atlas Project Owners can configure an additional layer of encryption on their data using their Atlas-compatible customer key management provider with the MongoDB encrypted storage engine.
Configuring Encryption at Rest using your Key Management incurs additional charges for the Atlas project. To learn more, see Advanced Security.
Atlas Project Owners can use one or more of the following customer key management providers when configuring Encryption at Rest for the Atlas project:
- Amazon Web Services Key Management Service
- Azure Key Vault
- Google Cloud Platform Key Management Service
After configuring at least one key management provider for the Atlas project, Project Owners can enable customer key management for each Atlas cluster for which they require encryption. The key management provider does not have to match the cluster cloud service provider.
Atlas cannot rotate customer-managed encryption keys. Refer to your key management provider’s documentation for guidance on key rotation. When you set customer key management in a project, Atlas creates a 365-day key rotation alert.
Encrypted Backups
Atlas encrypts all snapshot volumes. This secures your cluster data on disk. Using your cloud provider’s KMS, you can:
- Encrypt your snapshot storage volumes where you store your backups.
- Encrypt the data files in your snapshots.
- Restore any snapshot encrypted using any encryption key your KMS can access.
You cannot enable Continuous Backups on clusters encrypted with keys that you manage. You can specify a base snapshot schedule that backs up every 6 hours.
To learn more about customer key management and cloud provider snapshots, see Cloud Provider Snapshots with Encryption at Rest and Restore a Snapshot of a Cluster with Encryption at Rest.