Restore from a Snapshot Using Encryption at Rest

Atlas lets you restore data from a snapshot of a cluster that has Encryption at Rest using Customer Key Management enabled.

In addition to the prerequisites, consider the following requirements and limitations when restoring with Encryption at Rest using Customer Key Management.

  • If the DefaultRWConcern value on the source snapshot differs from the DefaultRWConcern value on the target cluster, Atlas overrides the value on the source snapshot with the value on the target cluster. If there is no value configured for the DefaultRWConcern on the target cluster, Atlas keeps the value of DefaultRWConcern from the snapshot without explicit configuration. This may differ from the default value for that MongoDB version.

  • This feature is only available for M10+ dedicated clusters.

  • Atlas can only restore to a cluster that uses the same encryption provider as the source cluster. Snapshots taken from clusters without Encryption at Rest using Customer Key Management cannot be restored to a cluster with it, or to a Cloud Manager project.

  • When you run an automated restore for an Atlas cluster from a different project with Encryption at Rest, the AWS KMS key values for both clusters can differ but they must be created in the same region.

  • If the target project doesn't have a cluster with Encryption at Rest enabled, you can either deploy a cluster with Encryption at Rest, or enable Encryption at Rest in an existing cluster.

  • Clusters that use AWS KMS encrypt their PIT restore oplog data with the customer's CMK. The current CMK must be valid for the encrypted oplog data to perform a restore from a snapshot.

  • Atlas deletes all existing data on the target cluster prior to the restore. Depending on the type of restore taking place, the target cluster may be unavailable for the duration of the restore.

To optimize performance and reduce the amount of time it takes to restore, follow these principles where applicable:

  • Select a target cluster that isn't global or multi-cloud.

  • Select a multi-region cluster only if copies of the snapshot you plan to restore exist in every region of that cluster.

  • Select a target cluster that belongs to the same Atlas project and the same cloud provider region as the snapshot.

  • Select a cluster tier with the same storage capacity as the capacity of the original volume used by the source cluster.

  • If the target cluster runs on AWS with configured IOPS, select the configured IOPS to fall within the configured range.

  • Select a cluster that is not configured to use NVMe storage. NVMe storage degrades restore performance.

You must have the Project Owner role for the Atlas projects that contain the source and target clusters to restore data from one Atlas cluster to another.

To restore from a snapshot using Encryption at Rest:

Step 1

  1. If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your desired project from the Projects menu in the navigation bar.

  3. If it's not already displayed, click Clusters in the sidebar.

    The Clusters page displays.

Step 2

  1. Click your cluster's name.

  2. Click the Backup tab.

    If the cluster has no Backup tab, then Atlas backups are disabled for that cluster and no snapshots are available. You can enable backups when you scale the cluster.

    The Backup page displays.

Step 3

In the Actions column, expand the Actions menu, and click Restore for the snapshot that you want to restore.

Step 4

From the Restore dialog box, select the target Atlas Project to which you want to restore. You can restore to any Atlas project for which the authenticated Atlas user has the Project Owner role.

Step 5

You can only restore to an Atlas replica set running Encryption at Rest. The target cluster must run the same or greater version of MongoDB as the MongoDB Version of the snapshot.

After the restoration procedure, Atlas triggers a key rotation for the MongoDB encryption key. Atlas then encrypts the new MongoDB encryption keys based on the configured Encryption at Rest provider for the target cluster.

Step 6

Ensure your application uses the new target cluster.

If Atlas has an issue with the encryption of either the snapshot or the target cluster, it displays one of the following errors:

Error: Can't restore a non-encrypted snapshot to a cluster with Encryption at Rest enabled.
Result: The snapshot can't be restored to Atlas.

Error: Target cluster doesn't have encryption enabled.
Result: You can either deploy a new target cluster with Encryption at Rest, or enable Encryption at Rest on your desired target cluster.

Error: Encryption provider of target cluster doesn't match selected snapshot's encryption provider.
Result: The encryption provider for the snapshot and target cluster don't match. You can either:

  1. Create a new snapshot with the same encryption provider.

  2. Change the encryption provider for the target cluster.

Error: Encryption credentials on snapshot aren't present.
Result: Atlas can't restore a snapshot whose encryption key was deleted.
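
The encryption rules on this page can be checked before starting a restore that deletes the target cluster's data. The following is an added example, not MongoDB's code: it applies the restore considerations to a snapshot and a target and returns the matching error text from the list above. The `Cluster` fields and the `preflight` name are assumptions rather than Atlas API fields, and versions are compared by major.minor only.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cluster:
    """Constructed descriptor for a snapshot's source or a restore target.
    Field names are illustrative assumptions, not Atlas API fields."""
    project_id: str
    mongodb_version: str
    provider: Optional[str]           # "AWS", "AZURE", "GCP"; None if no customer key
    kms_region: Optional[str] = None  # only checked for AWS KMS
    key_present: bool = True          # False once the customer key is deleted


def _major_minor(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split(".")[:2])


def preflight(snapshot: Cluster, target: Cluster) -> List[str]:
    """Return blocking findings; an empty list means none of the page's rules fail."""
    findings = []
    s, t = snapshot.provider, target.provider
    if s is None and t is not None:
        findings.append("Can't restore a non-encrypted snapshot to a cluster "
                        "with Encryption at Rest enabled.")
    elif s is not None and t is None:
        findings.append("Target cluster doesn't have encryption enabled.")
    elif s != t:
        findings.append("Encryption provider of target cluster doesn't match "
                        "selected snapshot's encryption provider.")
    if s is not None and not snapshot.key_present:
        findings.append("Encryption credentials on snapshot aren't present.")
    # The two checks below use this example's own wording, not Atlas error text.
    if _major_minor(target.mongodb_version) < _major_minor(snapshot.mongodb_version):
        findings.append("Target cluster runs an older MongoDB version than the snapshot.")
    if (s == t == "AWS" and snapshot.project_id != target.project_id
            and snapshot.kms_region != target.kms_region):
        findings.append("Cross-project restore: AWS KMS keys are in different regions.")
    return findings


if __name__ == "__main__":
    # Constructed sample: cross-project AWS restore with keys in different regions.
    snap = Cluster("proj-A", "6.0.15", "AWS", "us-east-1")
    dest = Cluster("proj-B", "7.0.4", "AWS", "eu-west-1")
    for finding in preflight(snap, dest):
        print("BLOCKED:", finding)
```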
