Docs Menu

Rotate your Azure Key Identifier

Note
Feature unavailable in Free and Shared-Tier Clusters

This feature is not available for M0 free clusters, M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Cluster), M2, and M5 Limitations.

Important
Serverless Instances are in Preview

Serverless instances are in preview and do not support this feature at this time. To learn more, see Serverless Instance Limitations.

When you use your own cloud provider KMS, Atlas automatically rotates the MongoDB master keys every 90 days. These keys are rotated on a rolling basis and the process does not require the data to be rewritten.

Atlas does not automatically rotate the Key Identifier used for Azure-provided key management.

Atlas automatically creates an encryption key rotation alert to remind you to rotate your Azure Key Identifier every 90 days by default when you enable Encryption at Rest for an Atlas project.

You must create a new key in the Azure Key Vault associated to the Atlas project.

The following procedure documents how to rotate your Atlas project Key Identifier by specifying a new key identifier in Atlas.

1
  1. If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
  2. If it is not already displayed, select your desired project from the Projects menu in the navigation bar.
  3. Click Advanced in the sidebar.
2
3
  1. Click Azure Key Vault if the Azure Key Vault selector is not already active.
  2. Click Encryption Key if the Encryption Key selector is not already active.
  3. Enter the Azure Key Identifier in the Key Identifier field.

    Include the full URL to the new encryption key identifier. For example:

    https://mykeyvault.vault.azure.net/keys/AtlasKMSKey/a241124e3d364e9eb99fbd3e11124b23
    Important

    The encryption key must belong to the Key Vault configured for the project. Click the Key Vault section to view the currently configured Key Vault for the project.

  4. Click Update Credentials.

Atlas displays a banner in the Atlas UI during the Key Identifier rotation process. Do not delete or disable the original Key Identifier until your changes have deployed.

If the cluster uses Cloud Backups, do not delete or disable the original Key Identifier until you validate that no snapshots used that key for encryption.

Atlas resets the encryption key rotation alert alert at the completion of this procedure.

Give Feedback
© 2021 MongoDB, Inc.

About

  • Careers
  • Legal Notices
  • Privacy Notices
  • Security Information
  • Trust Center
© 2021 MongoDB, Inc.