Access an Encrypted Snapshot

On this page

  • Considerations
  • Procedure

When you use Encryption at Rest using Customer Key Management, Atlas encrypts the mongod data files in your snapshots. If you want to download and restore a snapshot, the mongod can't read these data files unless it has access to a KMIP server that can provide the appropriate decryption key. You can use the KMIP Proxy Standalone to access the mongod data files. You download the KMIP Proxy Standalone as a binary for your specific operating system.

By default, the KMIP Proxy Standalone uses the credentials stored in the /<dbPath>/cloudProviderCredentials/<keyID>.<cloudProvider>.metadata file. If you rotate keys, these credentials reflect the latest key rotation.

If the KMIP Proxy Standalone binary is unable to decrypt the snapshots using these credentials, the binary shows an error message stating that you must update the metadata files on disk that contain the old credentials. You can update the metadata file with any text editor.

  1. Click Database in the top-left corner of Atlas.
  2. In the Database Deployments view, click the name of the cluster for which you want to download a snapshot.
  3. Click the Backup tab.
  4. Click Download next to the snapshot you want to download.

    Atlas generates a one-time use download link that expires within four hours. Once the download is ready, Atlas emails you a link to download the snapshot. Atlas also displays the download link in the Restores & Downloads tab.


In the Preparing Snapshot Download modal, click Download KMIP Proxy and select the binary for your operating system.


You can also download the KMIP Proxy Standalone from the following locations in the Atlas UI:

  • On the Security Advanced page, in the Encryption at Rest using your Key Management section.
  • In the Backup Restores & Downloads tab of the cluster.
  1. Open a terminal or command prompt window.
  2. Invoke the following command with the specified parameters:

    kmipProxyStandalone -cloudProvider <aws|azure|gcp> -dbpath <dbpath> -kmipPort <kmipPort> -mongodPort <mongodPort>
    Your cloud service provider. Valid values are aws, gcp, or azure.
    Path to the mongod data directory for which you want to create a proxy.
    Port on which to run the KMIP proxy.
    Port on which to run the mongod.

    The KMIP Proxy Standalone generates a KMIP certificate for localhost and writes it to the dbpath.


Invoke the following command with the specified parameters:

mongod --dbpath <dbpath> --port <mongodPort> --enableEncryption --kmipPort <kmipPort> --kmipServerName --kmipServerCAFile <dbpath>/kmipCA.pem --kmipClientCertificateFile <dbpath>/kmipClient.pem
Path to the directory where the mongod stores its data.
Port on which the mongod listens for client connections.
Port on which the KMIP server listens.
Path to the CA File used to validate secure client connection to the KMIP server.
Path to the client certificate used for authenticating MongoDB to the KMIP server.

The mongod acts as a KMIP server bound to and runs on the specified kmipPort.


Access your data files by connecting to the mongod through the mongosh, MongoDB Compass, or through standard utilities such as mongodump or mongorestore.

Give Feedback

On this page

  • Considerations
  • Procedure