Encryption at Rest using Customer Key Management

Atlas encrypts all cluster storage and snapshot volumes, securing all cluster data on disk: a concept known as encryption at rest.

Atlas Project Owners can configure an additional layer of encryption on their data using their Atlas-compatible customer key management provider with the MongoDB encrypted storage engine.

Configuring Encryption at Rest using your Key Management incurs additional charges for the Atlas project. To learn more, see Advanced Security.

Atlas Project Owners can use one or more of the following customer key management providers when configuring Encryption at Rest for the Atlas project:

After configuring at least one key management provider for the Atlas project, Project Owners can enable customer key management for each Atlas cluster for which they require encryption. The key management provider does not have to match the cluster cloud service provider.

Atlas cannot rotate customer-managed encryption keys. Refer to your key management provider’s documentation for guidance on key rotation. When you set customer key management in a project, Atlas creates a 365-day key rotation alert.

Encryption at Rest using Key Management requires valid key management provider credentials and an encryption key. To provide these details and enable Customer Key Management:

1
  1. If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
  2. If it is not already displayed, select your desired project from the Projects menu in the navigation bar.
  3. Click Advanced in the sidebar.
2
3
4

After you Configure Atlas with Customer Key Management, you must enable customer key management for each Atlas cluster that contains data that you want to encrypt.

Note

You must have the Project Owner role to enable customer key management for clusters in that project.

For new clusters, toggle the Manage your own encryption keys setting to Yes when you create the cluster.

For existing clusters:

1
  1. If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
  2. If it is not already displayed, select your desired project from the Projects menu in the navigation bar.
  3. If the Clusters page is not already displayed, click Clusters in the sidebar.
2

For the cluster that contains data that you want to encrypt, click the ellipses ..., then select Edit Configuration.

3
  1. Expand the Additional Settings panel.
  2. Toggle the Manage your own encryption keys setting to Yes.
4
  1. Click Review Changes.
  2. Review your changes, then click Apply Changes to update your cluster.

Atlas validates your KMS configuration:

If your key management provider credentials become invalid or if your encryption key is disabled or deleted, Atlas shuts down all mongod and mongos processes on the next scheduled validity check. Atlas sends an email to the Project Owner listing all affected clusters. The Atlas Clusters page reflects that your clusters are disabled due to invalid Encryption at Rest settings.

You can't read or write data on disabled clusters. You can submit updates to disabled clusters, such as disk and instance size changes, that are processed when your encryption key is restored. Atlas will continue to perform maintenance and apply security patches. Disabled clusters retain all your data, so billing continues.

Note: Virtual Machine Power

While a cluster is disabled, Atlas does not stop the Virtual Machine (VM) the cluster is running on. Atlas may perform patches that reboot the server, but VM power is not cycled.

To regain access to your data:

(Screenshot: the Try Again button is to the right of the Customer Master Key ID field in the Atlas Advanced Security settings.)

After updating your configuration, click Try Again to validate it. If you don't, Atlas validates on its next scheduled check. All mongod and mongos processes restart after Atlas determines your configuration to be valid.

Warning

If your key was deleted, restore that key to regain access to your clusters. You cannot change a key or disable Encryption at Rest using Customer Key Management without a valid key.

To restore a deleted key, see your key management provider's documentation:

Atlas encrypts all snapshot volumes. This secures your cluster data on disk. Using your cloud provider's KMS, you can:

  • Encrypt your snapshot storage volumes where you store your backups.
  • Encrypt the data files in your snapshots.
  • Restore snapshots with the key that was active at the time the snapshot was taken.
  • Encrypt PIT restore oplog data.

You cannot restore snapshots encrypted with keys that have become invalid.

You cannot enable Legacy Backups on clusters encrypted with keys that you manage. You can specify a base snapshot schedule that backs up every 6 hours.

To learn more about customer key management and Cloud Backups, see Encryption at Rest using Customer Key Management and Restore a Snapshot of a Cluster with Encryption at Rest.