
Encryption at Rest Using Your Key Management

AWS and Azure Clusters Only

This feature is only available for Atlas M10 or greater replica set clusters deployed on AWS or Azure. Support for sharded clusters and for clusters deployed on Google Cloud Platform (GCP) is in development.

Atlas encrypts all cluster storage and snapshot volumes, ensuring the security of all cluster data at rest (Encryption at Rest). Atlas Project Owners can configure an additional layer of encryption on their data at rest using the MongoDB Encrypted Storage Engine and their Atlas-compatible Encryption at Rest provider.

Configuring Encryption at Rest using your Key Management incurs additional charges for the Atlas project. To learn more, see Advanced Security.

Atlas Project Owners can use one or more of the following Encryption at Rest providers when configuring Encryption at Rest for the Atlas project:

After configuring at least one Encryption at Rest provider for the Atlas project, Project Owners can enable Encryption at Rest for each Atlas cluster for which they require encryption. The Encryption at Rest provider does not have to match the cluster cloud service provider.

Atlas does not automatically rotate user-managed encryption keys. Defer to your preferred Encryption at Rest provider’s documentation and guidance for best practices on key rotation. Atlas automatically creates a 365-day key rotation alert when you configure Encryption at Rest using your Key Management in an Atlas project.

Encrypted Backups

Atlas encrypts all snapshot volumes, ensuring the security of cluster data at rest (Encryption at Rest). For projects and clusters using Encryption at Rest Using Your Key Management, Atlas applies an additional layer of encryption to your snapshot storage volumes using the Encryption at Rest provider configured for the cluster.

For each cluster with encryption at rest and cloud provider snapshots enabled, Atlas uses the project encryption key at the time of the snapshot to encrypt the snapshot data files.

Atlas can only restore an encrypted snapshot if the project encryption key used to encrypt the snapshot is enabled and accessible through the configured KMS service for the Atlas project.
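The restore constraint above means a rotated-out key must stay enabled for as long as any retained snapshot was encrypted with it. The following is an added example, not Atlas code or an Atlas API: it checks a constructed key and snapshot inventory before an old key is disabled. The `Key` and `Snapshot` records and their identifiers are hypothetical, and measuring the 365-day interval from key creation is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta

ROTATION_ALERT_DAYS = 365  # alert interval stated on this page


@dataclass(frozen=True)
class Key:
    key_id: str        # constructed identifier, not a real KMS key
    created: date      # assumption: key age is counted from creation
    enabled: bool      # enabled and reachable through the project's KMS


@dataclass(frozen=True)
class Snapshot:
    snapshot_id: str   # constructed identifier
    key_id: str        # project encryption key in use when it was taken


def unrestorable(snapshots, keys):
    """Snapshots whose encrypting key is missing or disabled."""
    by_id = {k.key_id: k for k in keys}
    return [s.snapshot_id for s in snapshots
            if s.key_id not in by_id or not by_id[s.key_id].enabled]


def blocked_retirements(snapshots, keys):
    """Map each key to the retained snapshots that still depend on it."""
    deps = {k.key_id: [] for k in keys}
    for s in snapshots:
        deps.setdefault(s.key_id, []).append(s.snapshot_id)
    return {k: v for k, v in deps.items() if v}


def rotation_due(keys, today):
    """Enabled keys at or past the 365-day alert age."""
    limit = timedelta(days=ROTATION_ALERT_DAYS)
    return [k.key_id for k in keys if k.enabled and today - k.created >= limit]


# Constructed inventory: key-2023 was rotated out and disabled too early.
KEYS = [Key("key-2023", date(2023, 1, 10), False),
        Key("key-2024", date(2024, 1, 10), True)]
SNAPSHOTS = [Snapshot("snap-a", "key-2023"),
             Snapshot("snap-b", "key-2024"),
             Snapshot("snap-c", "key-2024")]

if __name__ == "__main__":
    print("cannot restore:", unrestorable(SNAPSHOTS, KEYS))
    print("keys still needed:", blocked_retirements(SNAPSHOTS, KEYS))
    print("rotation due:", rotation_due(KEYS, date(2025, 1, 15)))
```

Run `blocked_retirements` before disabling or deleting any key in the KMS: a key that still appears in its output protects at least one snapshot that would otherwise become unrestorable.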

Atlas does not support enabling Continuous Backups for clusters using encryption at rest.

To learn more about encrypted cloud provider snapshots, see Cloud Provider Snapshots with Encryption at Rest and Restore a Snapshot of a Cluster with Encryption at Rest.