FAQ: Security
How does Atlas encrypt my data?
Atlas uses whole volume (disk) encryption for any data at rest, including your cluster data and backups of that data.
Atlas also requires TLS encryption for client data and intra-cluster network communications.
If your organization requires more specific information regarding Atlas encryption, please contact Atlas MongoDB Support:
In Atlas, go to the Project Support page.
If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
Next to the Projects menu, expand the Options menu, then click Project Support.
The Project Support page displays.
Can I disable TLS on my deployment?
No.
What versions of TLS does Atlas support?
Atlas requires TLS connections for all Atlas clusters. After July 2020, Atlas enabled Transport Layer Security (TLS) protocol version 1.2 by default for all new Atlas clusters regardless of the MongoDB version.
MongoDB 4.0 and later disabled support for TLS 1.0 where TLS 1.1+ is available. You can manually configure TLS 1.1 or 1.0 by editing your cluster configuration.
Important
Beginning July 31st, 2025, Atlas will no longer support TLS 1.0 or 1.1 under any circumstance. Atlas will upgrade all clusters to reject attempts to connect with TLS 1.0 or 1.1.
Prior to this final deprecation, Atlas will upgrade clusters to Amazon Linux 2023 on a rolling basis. Any client connections configured for TLS 1.0 or 1.1 will undergo a service outage during this upgrade. To avoid this, set the minimum TLS version of your clusters to 1.2 at your earliest opportunity.
You can read more about timing and reasons for the change from the Payment Card Industry (PCI) as well as the National Institute of Standards and Technology (NIST).
If you have questions about TLS support or cannot update your applications to support TLS 1.2, please contact Atlas MongoDB Support.
To open an Atlas support ticket:
In Atlas, go to the Project Support page.
If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
Next to the Projects menu, expand the Options menu, then click Project Support.
The Project Support page displays.
How do I know if my applications support TLS 1.2?
Applications whose underlying programming languages or security libraries predate TLS 1.2 may require updating to a more recent version to support TLS 1.2. You may also need to update the application host operating system to support TLS 1.2.
MongoDB and Atlas don't provide services to audit external applications for which versions of TLS they support. Third-party services, such as howsmyssl.com, may provide the appropriate tooling. MongoDB doesn't endorse this service, and its reference is only informational. Use your organization's procedures for selecting the vendor or service for auditing your applications.
What do I have to do to update my clusters for TLS 1.2?
Conduct an audit of your applications for support of TLS 1.2.
Update all components of your technology stack that don't support TLS 1.2.
Modify your cluster configuration to use TLS 1.2.
Can I force enable TLS 1.0?
Atlas allows you to manually configure TLS 1.0 during cluster modification.
Enabling TLS 1.0 for any Atlas cluster carries significant risks. Consider enabling TLS 1.0 only for as long as required to update your application stack to support TLS 1.2.
Important
Beginning July 31st, 2025, Atlas will no longer support TLS 1.0 or 1.1 under any circumstance. Atlas will upgrade all clusters to reject attempts to connect with TLS 1.0 or 1.1.
Prior to this final deprecation, Atlas will upgrade clusters to Amazon Linux 2023 on a rolling basis. Any client connections configured for TLS 1.0 or 1.1 will undergo a service outage during this upgrade. To avoid this, set the minimum TLS version of your clusters to 1.2 at your earliest opportunity.
Which certificate authority signs MongoDB Atlas TLS certificates?
MongoDB Atlas uses Let's Encrypt as the Certificate Authority for TLS certificates for all clusters.
Starting in June of 2025, we are adding Google Trust Services as an additional Certificate Authority for Atlas clusters to improve availability. With this addition, Atlas signs TLS certificates for your clusters with either the GTS Root R1 or GTS Root R2 root Certificate Authority from Google Trust Services, in addition to the ISRG Root X1 root Certificate Authority from Let's Encrypt.
Note
Most application environments already have Let's Encrypt and Google Trust Services in their trusted Certificate Authority list.
To download the Certificate Authority certificates, see the Google Trust Services repository and ISRG Root X1.
How often does an Atlas Cluster rotate TLS certificates?
TLS certificates are valid for 90 days from the day they are issued. Certificates are rotated 42 days before the certificate's expiration date.
Use the following command to check the expiration date of a node's TLS certificate:
echo | openssl s_client -showcerts -connect $HOSTNAME:$PORT 2> /dev/null | openssl x509 -noout -enddate
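The following added example (not part of the original Atlas documentation) takes the `notAfter=` line printed by the command above and classifies a node against the 90-day validity and 42-day rotation figures stated here. The function names and sample lines are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

VALIDITY = timedelta(days=90)       # page: certificates are valid for 90 days
ROTATE_BEFORE = timedelta(days=42)  # page: rotated 42 days before expiration

def parse_enddate(line):
    """Parse a line such as 'notAfter=Sep  8 12:00:00 2025 GMT' into a UTC datetime."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter" or not value:
        # openssl prints an error instead of notAfter= when the connection fails
        raise ValueError(f"not an 'openssl x509 -enddate' line: {line!r}")
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)

def rotation_status(enddate_line, now):
    """Classify one node's certificate against the rotation schedule at `now` (UTC)."""
    not_after = parse_enddate(enddate_line)
    remaining = not_after - now
    if remaining <= timedelta(0):
        state = "expired"
    elif remaining < ROTATE_BEFORE:
        state = "rotation-overdue"  # a newer certificate should already be served
    else:
        state = "ok"
    return {
        "state": state,
        "days_left": remaining.days,
        "rotation_due": not_after - ROTATE_BEFORE,
        "issued_about": not_after - VALIDITY,  # estimate derived from the 90-day figure
    }

# Constructed sample lines (not captured from a real cluster).
SAMPLE_LINES = [
    "notAfter=Sep  8 12:00:00 2025 GMT",
    "notAfter=Aug  1 12:00:00 2025 GMT",
    "notAfter=Jun 20 12:00:00 2025 GMT",
]

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for line in SAMPLE_LINES:
        print(line, "->", rotation_status(line, now)["state"])
```

A node reporting `rotation-overdue` is still serving a certificate that should have been replaced, which is worth alerting on before it reaches `expired`.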
Hard-coded Certificate Authority
We don't recommend hard-coding or pinning intermediate certificates because it introduces an operational burden and availability risk. If Let's Encrypt or Google Trust Services rotates or replaces your pinned intermediate certificate, your application might fail to connect, which results in an outage.
If you must pin a certificate, pin it to Certificate Authority certificates and not to any intermediate certificates.
Java Users
Let's Encrypt's ISRG root certificate and Google Trust Services root certificates are both available in the default trust store of Java version 7 after the 7u391 update and Java version 8 after the 8u381 update. Use a Java release after 18 July 2023.
Ensure your Java client software is up-to-date. Use the latest Java versions to utilize many improvements beyond these new Certificate Authority requirements for our TLS certificates.
If you have your own trust store, add the Let's Encrypt and Google Trust Services certificates to it. To learn more, see Which certificate authority signs MongoDB Atlas TLS certificates?
Windows Server Users
The ISRG Root X1, GTS Root R1 and GTS Root R2 root Certificate Authority certificates aren't included by default in Windows Server, but they are available in the Microsoft Trusted Root Program.
To configure Windows Server to download trusted root certificates, see Windows Documentation.
Amazon Linux AMI Users
Some versions of Amazon Linux AMI may not have both ISRG Root X1 and GTS Root R1 and R2 certificates. Please migrate to a newer version of Amazon Linux for required root certificates. After June 2025, we will require the support of ISRG Root X1, GTS Root R1 and R2 certificates for Atlas to avoid certificate compatibility issues.
If you must use an older Amazon Linux AMI, manually install the ISRG Root X1, GTS Root R1 and R2 root Certificate Authority certificates.
Everyone Else
This change shouldn't impact you if you use a recent programming language and operating system version.
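To confirm that a client host's trust store carries the three roots named above, the following added example (not part of the original Atlas documentation) inspects the output of Python's `SSLContext.get_ca_certs()`. The function names and the constructed sample store are assumptions made for illustration.

```python
import ssl

# Root CA common names named on this page.
ATLAS_ROOTS = ("ISRG Root X1", "GTS Root R1", "GTS Root R2")

def common_names(ca_certs):
    """Collect subject commonName values from SSLContext.get_ca_certs() output."""
    names = set()
    for cert in ca_certs:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.add(value)
    return names

def missing_atlas_roots(ca_certs):
    """Return the page's root CA names that are absent from the given store."""
    present = common_names(ca_certs)
    return [name for name in ATLAS_ROOTS if name not in present]

def load_roots(cafile=None):
    """Load a trust store; pass a PEM bundle path to check a custom store.

    get_ca_certs() does not list certificates from a hashed capath directory
    until they have been used, so an empty result on such a system means
    "pass the bundle file explicitly", not "no roots installed".
    """
    ctx = ssl.create_default_context(cafile=cafile)
    return ctx.get_ca_certs()

# Constructed sample in get_ca_certs() format: a store lacking GTS Root R2.
CONSTRUCTED_STORE = [
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Internet Security Research Group"),),
                 (("commonName", "ISRG Root X1"),))},
    {"subject": ((("commonName", "GTS Root R1"),),)},
]

if __name__ == "__main__":
    roots = load_roots()
    if not roots:
        print("no certificates listed; re-run with the path to your CA bundle")
    else:
        # Name match only; compare against the certificates downloaded from
        # the CA repositories for a stronger check.
        print("missing roots:", missing_atlas_roots(roots) or "none")
```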