Storage Engine and Cloud Backup Encryption
Atlas encrypts the storage engine of all snapshot volumes, ensuring the security of cluster data at rest. For projects and clusters using Encryption at Rest using Customer Key Management, Atlas applies an additional layer of encryption to your snapshot storage volumes using the Key Management Service (KMS) provider configured for the cluster.
To view the key used to encrypt a snapshot:
- Click Databases in the top-left corner of the Atlas UI.
- From the Database Deployments view of the Atlas UI, click the cluster name.
- Click the Backup tab, then click Snapshots.
- Note the Encryption Key ID for each snapshot in the cluster. Atlas lists the Key Identifier used to encrypt the snapshot. Unencrypted snapshots display Not enabled.
Atlas requires access to the encryption key associated with the snapshot's Encryption Key ID to successfully restore that snapshot.
Before deleting an Encryption Key ID used with Atlas Encryption at Rest using your Key Management, check every backup-enabled cluster in the project for any snapshots still using that Encryption Key ID. Once you delete an encryption key, all snapshots encrypted with that key become inaccessible and unrecoverable.
Atlas automatically deletes backups in accordance with Backup Scheduling, Retention, and On-Demand Backup Snapshots. Once Atlas deletes all snapshots depending on a given Encryption Key ID, you can delete the key safely.
If you disable an Encryption Key ID, you must re-enable the key before restoring a snapshot encrypted with that key.
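The pre-deletion check described above can be scripted over an inventory of the Encryption Key IDs noted from each cluster's Snapshots view. The following is an added example, not Atlas code: the inventory layout, the field names (`id`, `encryption_key_id`, `expires_at`), the key names and the `deletion_report` helper are all assumptions, and the sample data is constructed.

```python
from datetime import datetime, timezone

# Constructed sample inventory (cluster name -> snapshots). The field names
# id, encryption_key_id and expires_at are assumptions for this example.
SNAPSHOTS = {
    "prod-orders": [
        {"id": "snap-001", "encryption_key_id": "key-A", "expires_at": "2030-01-10T00:00:00Z"},
        {"id": "snap-002", "encryption_key_id": "key-B", "expires_at": "2030-02-01T00:00:00Z"},
    ],
    "prod-users": [
        {"id": "snap-101", "encryption_key_id": "key-A", "expires_at": "2030-03-15T00:00:00Z"},
        # Unencrypted snapshot ("Not enabled" in the UI): never a key dependent.
        {"id": "snap-102", "encryption_key_id": None, "expires_at": "2030-01-05T00:00:00Z"},
        # Snapshot with no recorded expiry: blocks key deletion indefinitely.
        {"id": "snap-103", "encryption_key_id": "key-B", "expires_at": None},
    ],
}

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def deletion_report(inventory, key_id):
    """Report which snapshots in every cluster still depend on key_id."""
    if not key_id:
        raise ValueError("key_id is required")  # None would match unencrypted snapshots
    dependents, expiries = {}, []
    for cluster, snaps in inventory.items():
        for snap in snaps:
            if snap.get("encryption_key_id") != key_id:
                continue
            # Any snapshot that still exists counts, whatever its expiry says:
            # the key is only free once Atlas has actually deleted the snapshot.
            dependents.setdefault(cluster, []).append(snap["id"])
            expiries.append(snap.get("expires_at"))
    open_ended = any(e is None for e in expiries)
    last = max((_parse(e) for e in expiries if e), default=None)
    return {
        "safe_to_delete": not dependents,
        "dependents": dependents,
        # Latest scheduled expiry among dependents; unknown if any has none.
        "last_expiry": None if open_ended else last,
        "open_ended": open_ended,
    }

if __name__ == "__main__":
    for key in ("key-A", "key-B", "key-C"):
        print(key, deletion_report(SNAPSHOTS, key))
```

Rebuild the inventory and re-run the check after `last_expiry` has passed, and delete the key only once `safe_to_delete` is true.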
For complete documentation on configuring Encryption at Rest using your Key Management for an Atlas project, see Encryption at Rest using Customer Key Management. You can then either deploy a new cluster or enable an existing cluster with Encryption at Rest using your Key Management.