Docs Menu

Manage Your Own Encryption Keys

On this page

  • Prerequisites
  • Procedure
Feature unavailable in Free and Shared-Tier Clusters

This feature is not available for M0 free clusters, M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Cluster), M2, and M5 Limitations.

Atlas encrypts all cluster storage and snapshot volumes, ensuring the security of all cluster data at rest (Encryption at Rest). Atlas Project Owners can configure an additional layer of encryption on their data at rest using the MongoDB Encrypted Storage Engine and their Atlas-compatible Encryption at Rest provider.

Atlas supports the following Encryption at Rest providers:

To start managing your own encryption keys for this cluster, toggle Encryption using your Key Management (M10 and up) to Yes.

Atlas Encryption at Rest using your Key Management is available for M10 or greater replica set clusters. Atlas Encryption at Rest supports encrypting Cloud Backups only. You cannot enable Encryption at Rest on a cluster using Legacy Backups.

Managing your own encryption keys incurs an increase to the hourly run costs of your clusters. For more information on Atlas billing for advanced security features, see Advanced Security.


If Atlas cannot access the Atlas project key management provider or the encryption key used to encrypt a cluster, then that cluster becomes inaccessible and unrecoverable. Exercise extreme caution before modifying, deleting, or disabling an encryption key or key management provider credentials used by Atlas.

Give Feedback
MongoDB logo
© 2021 MongoDB, Inc.


  • Careers
  • Legal Notices
  • Privacy Notices
  • Security Information
  • Trust Center
© 2021 MongoDB, Inc.