Storage Engine and Cloud Backup Encryption
On this page
Atlas encrypts all snapshots using your cloud provider's standard storage encryption method, ensuring the security of cluster data at rest. Your cloud provider manages the encryption keys.
If you use Encryption at Rest using Customer Key Management for your projects and clusters, Atlas applies an additional layer of encryption to your snapshots using the Key Management Service (KMS) provider.
View Key Used to Encrypt a Snapshot
For projects and clusters using Encryption at Rest using Customer Key Management, Atlas uses the Key Management Service (KMS) provider.
For clusters using AWS IAM as their Key Management Service, Atlas uses the project's customer master key (CMK) and AWS IAM user or role credentials at the time of the snapshot to automatically encrypt the snapshot data files. This is an additional layer of encryption on the existing encryption applied to all Atlas storage and snapshot volumes. Oplog data collected for PIT restores is also encrypted with the customer's CMK.
Atlas stores the unique ID of the CMK and the AWS IAM user credentials or roles used to access the CMK. Atlas uses this information when restoring the snapshot. You can access an encrypted snapshot and restore a snapshot using Encryption at Rest.
For clusters using Azure Key Vault as their Key Management Service, Atlas uses the project's Key Identifier, Key Vault Credentials, and Active Directory application account credentials at the time of the snapshot to automatically encrypt the snapshot data files. This is an additional layer of encryption on the existing encryption applied to all Atlas storage and snapshot volumes. Oplog data collected for PIT restores is also encrypted with the customer's CMK.
Atlas stores the unique ID of the Azure Key Identifier used the encrypt the snapshot. Atlas also stores the Azure Key Vault credentials and the Active Domain application account credentials used to access the Key Identifier. Atlas uses this information when restoring the snapshot. You can access an encrypted snapshot and restore a snapshot using Encryption at Rest.
Atlas uses your Google Cloud Service Account Key to encrypt and decrypt your MongoDB master keys. These MongoDB master keys are used to encrypt cluster database files and cloud providers snapshots. Oplog data collected for PIT restores is also encrypted with the customer's CMK. You can access an encrypted snapshot and restore a snapshot using Encryption at Rest.
Procedure
To view the key used to encrypt a snapshot:
In Atlas, go to the Clusters page for your project.
If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
If it's not already displayed, click Clusters in the sidebar.
The Clusters page displays.
Go to the Backup page for your cluster.
Click your cluster's name.
Click the Backup tab.
If the cluster has no Backup tab, then Atlas backups are disabled for that cluster and no snapshots are available. You can enable backups when you scale the cluster.
The Backup page displays.
Important
Atlas requires access to the encryption key associated to the snapshot's Encryption Key ID to successfully restore that snapshot.
Before deleting an Encryption Key ID used with Atlas Encryption at Rest using your Key Management, check every backup-enabled cluster in the project for any snapshots still using that Encryption Key ID. Once you delete an encryption key, all snapshots encrypted with that key become inaccessible and unrecoverable.
Atlas automatically deletes backups in accordance to the Backup Scheduling, Retention, and On-Demand Snapshots. Once Atlas deletes all snapshots depending on a given Encryption Key ID, you can delete the key safely.
If disabling a Encryption Key ID, you must re-enable the key before restoring a snapshot encrypted with that key.
For complete documentation on configuring Encryption at Rest using your Key Management for an Atlas project, see Encryption at Rest using KMS. You can then either deploy a new cluster or enable an existing cluster with Encryption at Rest using your Key Management.