Have you had a look at the Encryption at Rest using Customer Key Management documentation?
- When to use Encryption at Rest using your Key Management over the default encryption provided by Atlas?
To answer your first question, since this is an additional layer of encryption, it won’t override the default encryption at rest for the cluster’s storage and snapshot volumes. Encryption at Rest using Customer Key Management is optional and enables database-level encryption for sensitive workloads via the WiredTiger Encrypted Storage Engine. This option allows customers to use their own AWS KMS, Azure Key Vault, or Google Cloud KMS keys to control the keys used for encryption at rest.
There is a security white paper available here which describes this further.
- Does this give any additional level of security that the default encryption by Atlas doesn’t provide?
To answer your second question, you may wish to refer to this statement from the docs, most notably that it is an additional layer of encryption:
> Project Owners can configure an additional layer of encryption on their data using their Atlas-compatible customer key management provider with the MongoDB encrypted storage engine.
As to “why would anyone do this?”, the answer may depend on your security policy. Atlas is secure by default (in transport and at rest), but individual security policies may vary. This option is available to cater for individuals or organizations requiring this additional protection by having your own keys in addition to what Atlas has provided by default.
Also, as noted on the Encryption at Rest using Customer Key Management documentation, configuring Encryption at Rest using your Key Management incurs additional charges for the Atlas project.
Hope this helps.