Manage Your Own Encryption Keys¶
On this page
This feature is not available for M0 free clusters, M2, and
M5 clusters. To learn more about which features are unavailable,
see Atlas M0 (Free Cluster), M2, and M5 Limitations.
Atlas encrypts all cluster storage and snapshot volumes,
ensuring the security of all cluster data at rest
(Encryption at Rest). Atlas
Project Owners can configure
an additional layer of encryption on their data at rest using the
MongoDB
Encrypted Storage Engine
and their Atlas-compatible Encryption at Rest provider.
Atlas supports the following Encryption at Rest providers:
Prerequisites¶
- You must configure the Atlas project for Encryption at Rest using your Key Management before enabling the feature for your Atlas clusters. To learn more, see Encryption at Rest using Customer Key Management.
- If you want to switch from one Encryption at Rest provider on your cluster to another, you must first disable Encryption at Rest for your cluster, then re-enable it with your desired Encryption at Rest provider. See Encryption at Rest using Customer Key Management.
Procedure¶
To start managing your own encryption keys for this cluster, toggle Encryption using your Key Management (M10 and up) to Yes.
Atlas Encryption at Rest using your Key Management is available for
M10 or greater replica set clusters. Atlas Encryption
at Rest supports encrypting Cloud Backups only.
You cannot enable Encryption at Rest on a cluster using
Legacy Backups.
Managing your own encryption keys incurs an increase to the hourly run costs of your clusters. For more information on Atlas billing for advanced security features, see Advanced Security.
If Atlas cannot access the Atlas project key management provider or the encryption key used to encrypt a cluster, then that cluster becomes inaccessible and unrecoverable. Exercise extreme caution before modifying, deleting, or disabling an encryption key or key management provider credentials used by Atlas.