Encrypted Backup Snapshots

On this page

  • Prerequisites
  • Set up KMIP Host Configuration for Ops Manager
  • Configure Your Project to Use KMIP
  • Encrypt Your Backup Job

Snapshot encryption depends on the version of MongoDB with which your database is compatible. This Feature Compatibility Version (FCV) ranges from the current version to one version earlier. For MongoDB 4.4, the FCV can be 4.2 or 4.4. You can only create encrypted snapshots from encrypted clusters.

Ops Manager doesn't encrypt backup snapshots for clusters running MongoDB 4.2 or later because you can create encrypted snapshots only from encrypted clusters.

Note

Ops Manager no longer supports the creation of cluster snapshots from database deployments that use local key encryption. If you encrypt a database deployment with local key encryption, the snapshot fails. To encrypt snapshots, use KMIP-based encryption with your database deployments.

Ops Manager creates snapshots of deployments by copying the bytes on disk from a host's storage.dbPath to the snapshot store. If you enable MongoDB Encryption at Rest for the host you are backing up, the bytes that Ops Manager copies to the snapshot store are already encrypted. Ops Manager encrypts data at the storage engine layer when you write data to a host's disk.

Ops Manager components don't interact with the KMIP host when taking snapshots.

Important

The Backup Daemon requires a connection to the KMIP host to process a queryable restore job of an encrypted backup.

A host running KMIP-compliant key management to generate and store encryption keys.

Important

Clusters must use KMIP servers. These clusters don't support local key management using files.

Important

You must maintain all keys, even rotated keys, in the KMIP host.

1
  1. Click Admin.

  2. Click General.

  3. Click Ops Manager Config.

  4. Click the Backup tab.

2

Update the following KMIP host fields in the KMIP Server Configuration section:

  • Type the FQDN for the KMIP host.
  • Type the port on which the KMIP host is listening for KMIP connections. The default KMIP port is 5696.
  • Type the absolute path for the Certificate Authority file on the Ops Manager host. This must be the same Certificate Authority file stored on the KMIP host.

3

Note

All deployments in the project use the same KMIP client certificate file to authenticate.

1
  1. Click Admin.

  2. Click Projects.

  3. Under the <Project Name>, click More ....

  4. In the row for Backup Configuration, click View.

2
KMIP client certificate path

Type the absolute path for the client certificate file on the Ops Manager host. Ops Manager uses this certificate to authenticate itself to the KMIP server.

A single file can hold both the CA and client certificate.

KMIP client certificate password

Optional. Only enter if the certificate specified in KMIP client certificate path is encrypted.

3

You can create encrypted snapshots only from encrypted clusters. If you enable MongoDB Encryption at Rest for the host you are backing up, the bytes that Ops Manager copies to the snapshot store are already encrypted.
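
The following pre-flight check is an added example, not part of Ops Manager or of the original page. It validates the values described above (FQDN, port, absolute CA and client certificate paths, and whether a password is needed) before you type them into the configuration pages. The function names are hypothetical, and the check assumes the client certificate file is a PEM bundle that also contains the private key.

```python
import os
import re

DEFAULT_KMIP_PORT = 5696  # default KMIP port stated on this page

PEM_LABEL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def inspect_pem(path):
    """Return (certificate_count, has_key, key_is_encrypted) for a PEM file."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        text = fh.read()
    labels = PEM_LABEL.findall(text)
    certs = labels.count("CERTIFICATE")
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    # PKCS#8 uses its own label; legacy PEM keys carry a Proc-Type header.
    encrypted = "ENCRYPTED PRIVATE KEY" in labels or "Proc-Type: 4,ENCRYPTED" in text
    return certs, has_key, encrypted


def check_kmip_settings(host, port, ca_file, client_cert, password_supplied):
    """Collect problems with the values before they are typed into Ops Manager."""
    problems = []
    if not FQDN.match(host):
        problems.append("host is not an FQDN")
    if not 1 <= port <= 65535:
        problems.append("port is out of range")
    for name, path in (("CA file", ca_file), ("client certificate", client_cert)):
        if not os.path.isabs(path):
            problems.append(f"{name} path is not absolute")
        elif not os.path.isfile(path):
            problems.append(f"{name} not found")
    if problems:
        return problems  # file contents are inspected only once the basics pass
    if inspect_pem(ca_file)[0] == 0:
        problems.append("CA file holds no certificate")
    certs, has_key, encrypted = inspect_pem(client_cert)
    if certs == 0:
        problems.append("client certificate file holds no certificate")
    if not has_key:  # assumption: the bundle is expected to carry the key
        problems.append("client certificate file holds no private key")
    if encrypted and not password_supplied:
        problems.append("client key is encrypted but no password is set")
    if not encrypted and password_supplied:
        problems.append("password set but client key is not encrypted")
    return problems
```

Run it on the Ops Manager host, because the paths it checks must exist there. It only reads PEM labels and does not verify certificate chains or contact the KMIP host.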
