Encryption at Rest using Customer Key Management

Atlas encrypts all cluster storage and snapshot volumes, securing all cluster data on disk: a concept known as encryption at rest.

Atlas Project Owners can configure an additional layer of encryption on their data using their Atlas-compatible customer key management provider with the MongoDB encrypted storage engine.

Configuring Encryption at Rest using your own key management provider incurs additional charges for the Atlas project. To learn more, see Advanced Security.

Atlas Project Owners can use one or more of the following customer key management providers when configuring Encryption at Rest for the Atlas project:

After configuring at least one key management provider for the Atlas project, Project Owners can enable customer key management for each Atlas cluster for which they require encryption. The key management provider does not have to match the cluster cloud service provider.

Atlas cannot rotate customer-managed encryption keys. Refer to your key management provider’s documentation for guidance on key rotation. When you set customer key management in a project, Atlas creates a 365-day key rotation alert.

Encrypted Backups

Atlas encrypts all snapshot volumes. This secures your cluster data on disk. Using your cloud provider’s KMS, you can:

  • Encrypt your snapshot storage volumes where you store your backups.
  • Encrypt the data files in your snapshots.
  • Restore any snapshot encrypted using any encryption key your KMS can access.

You cannot enable Continuous Backups on clusters encrypted with keys that you manage. You can specify a base snapshot schedule that backs up every 6 hours.

To learn more about customer key management and cloud provider snapshots, see Cloud Provider Snapshots with Encryption at Rest and Restore a Snapshot of a Cluster with Encryption at Rest.