Encryption at Rest using your Key Management

Hello There,

Can anyone answer any or all of the following concerns:

  1. When to use Encryption at Rest using your Key Management over the default encryption provided by Atlas?
  2. Does this give any additional level of security that default encryption by Atlas doesn’t provide?

I have tried looking through the MongoDB docs but didn’t find a suitable answer. I can find how to set it up, but not why one would want to set it up.

Note: The only reason I found is to use your Key Management when you need to have control over the keys used to encrypt your data.

Please answer any thoughts you have on this. It will be highly appreciated.


Hi @Anurag_59083,

Have you had a look at the Encryption at Rest using Customer Key Management documentation?

  1. When to use Encryption at Rest using your Key Management over the default encryption provided by Atlas?

To answer your first question, since this is an additional layer of encryption, it won’t override the default encryption at rest for the cluster’s storage and snapshot volumes. Encryption at rest using the Customer Key Management is optional and will enable database-level encryption for sensitive workloads via the WiredTiger Encrypted Storage Engine. This option allows customers to use their own AWS KMS, Azure Key Vault, or Google Cloud KMS keys to control the keys used for encryption at rest.

There is a security white paper available here which describes this further.

  2. Does this give any additional level of security that default encryption by Atlas doesn’t provide?

To answer your second question, you may wish to refer to this statement from the docs, most notably that it is an additional layer of encryption:

Atlas Project Owners can configure an additional layer of encryption on their data using their Atlas-compatible customer key management provider with the MongoDB encrypted storage engine.

As to “why would anyone do this?”, the answer may depend on your security policy. Atlas is secure by default (in transport and at rest), but individual security policies may vary. This option is available to cater for individuals or organizations requiring this additional protection by having your own keys in addition to what Atlas has provided by default.

Also, as noted on the Encryption at Rest using Customer Key Management documentation, configuring Encryption at Rest using your Key Management incurs additional charges for the Atlas project.

Hope this helps.

Kind Regards,
Jason

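The "additional layer" described in the answer above can be illustrated with a small model of the two layers, added here as an example and not code from MongoDB or Atlas: a provider-managed volume key (the default layer) plus a per-database key wrapped by a customer-controlled key (the Customer Key Management layer). The `CustomerKms` class, the HMAC-SHA256 counter-mode stream cipher and all key identifiers are constructed stand-ins for a real cloud KMS and for WiredTiger's AES encryption, chosen so the script runs with only the Python standard library.

```python
import hashlib
import hmac
import secrets

# Illustrative keyed stream cipher (HMAC-SHA256 in counter mode), a stand-in for the
# AES encryption WiredTiger actually uses; it exists only so the example is stdlib-only.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = bytearray()
    for block_no in range((len(data) + 31) // 32):
        stream.extend(hmac.new(key, nonce + block_no.to_bytes(8, "big"), hashlib.sha256).digest())
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)          # fresh nonce per message, prepended to the ciphertext
    return nonce + _keystream_xor(key, nonce, plaintext)

def decrypt(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:16], blob[16:])

class CustomerKms:
    """Stand-in for AWS KMS / Azure Key Vault / Google Cloud KMS: the customer owns the
    master key and can disable it; the database only ever sees wrapped data keys."""
    def __init__(self) -> None:
        self._keys = {"cmk-example": secrets.token_bytes(32)}   # constructed key id

    def wrap(self, key_id: str, dek: bytes) -> bytes:
        return encrypt(self._keys[key_id], dek)

    def unwrap(self, key_id: str, wrapped: bytes) -> bytes:
        if key_id not in self._keys:
            raise PermissionError(f"{key_id} has been disabled by the key owner")
        return decrypt(self._keys[key_id], wrapped)

    def disable(self, key_id: str) -> None:
        self._keys.pop(key_id, None)

# Layer 1 (Atlas default): provider-managed key for the storage volume; the customer never holds it.
PROVIDER_VOLUME_KEY = secrets.token_bytes(32)

def store_document(kms: CustomerKms, key_id: str, doc: bytes) -> dict:
    dek = secrets.token_bytes(32)                       # per-database data encryption key
    inner = encrypt(dek, doc)                           # layer 2: database-level encryption
    return {"wrapped_dek": kms.wrap(key_id, dek), "body": encrypt(PROVIDER_VOLUME_KEY, inner)}

def read_document(kms: CustomerKms, key_id: str, record: dict) -> bytes:
    inner = decrypt(PROVIDER_VOLUME_KEY, record["body"])    # layer 1 still opens: the provider key is available
    dek = kms.unwrap(key_id, record["wrapped_dek"])         # layer 2 fails once the customer disables the CMK
    return decrypt(dek, inner)

def demo() -> tuple:
    kms = CustomerKms()
    record = store_document(kms, "cmk-example", b"ssn=000-00-0000")   # constructed sample document
    before = read_document(kms, "cmk-example", record)
    kms.disable("cmk-example")                                        # customer revokes access
    try:
        read_document(kms, "cmk-example", record)
        after = "readable"
    except PermissionError:
        after = "unreadable"
    return before, after
```

Disabling the customer key leaves the default layer intact yet renders the data unreadable, which is the control the customer gains over and above the default encryption.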

That is one great explanation. Thanks a lot for your response.

