Audit - Encryption at Rest

Hi,
I have enabled the option of encrypting data at rest under the advanced settings. How do I verify that the data is indeed encrypted at rest or in other words if my services are being audited by a regulatory authority, what is the authoritative proof that data is being encrypted at rest ? Thanks !

How are you encrypting the data? KMS or key file?

We use a KMS and I look for a very specific message in the mongod.log to confirm I have authenticated with the KMS.

Interested to see if there are alternative ways especially as I field a lot of InfoSec questions related to our data infrastructure!

@clivestrong I’m using KMS

MongoDB Atlas leverages encrypted storage volumes by default no matter what.

Separately, MongoDB Atlas offers an optional second level of encryption leveraging the MongoDB encrypted storage engine: this means that the files themselves are written to the filesystem encrypted.

When using this second optional type of encryption, MongoDB Atlas customers “bring their own key” in the form of either AWS KMS, GCP KMS, or Azure Key Vault. In this paradigm, envelope encryption is used to derive keys at the cluster node and database levels, which enables for online key rotation.

To answer the original question, please navigate to https://www.mongodb.com/cloud/trust where you can download and review the MongoDB Atlas Security whitepaper which goes into much more depth on these topics: If you’d like to go deeper and/or need our help in the process of a security review or audit, we can also share, under NDA, our third party compliance attestation reports (SOC-2 Type 2, ISO-270001, PCI-DSS). We also sign BAAs for ePHI workloads.

3 Likes

I did not realise the storage volume was encrypted regardless.

We use the Townsend AKM. I look for an [initandlisten] mesage relating to the KMIP on start up. This is what we use to acknowledge we have retrieved the key for encryprion/decryption.

Clive