MongoDB Atlas encryption and Azure Key management


I wanted to understand how auto encryption works in Enterprise Edition.

I have an M10 cluster and Azure key management on Mongo.

  1. How will it automatically encrypt the entire database present on the cluster?

  2. Will it require manual interaction for encryption and decryption of a particular collection? I assumed it would get automatically encrypted and decrypted.

  3. I have read a document regarding client-side field level encryption; it means I need to define a schema for every entity manually and declare the encryption type.
    What I want is database-level encryption.

  4. I have created a database on the M10 cluster and enabled the encryption. Now my Spring application can access the database. How can I encrypt the entire database?

  5. Every document says MongoDB Enterprise Edition does the automatic encryption of data.

Thank you in advance.

Hi Aniket,

I assume you’re referring to the Customer Key Management with Azure Key Vault in Atlas. However, I want to note that from a baseline perspective Atlas always uses storage-level encryption underneath the data files. What we’re talking about here is encryption of the files themselves as they’re written to the backing filesystem.

Re (1) For each node in your cluster, a node-level master key will be created via envelope encryption, derived from your Azure Key Vault key; then a database-level key will be created, derived from that node-level key, for each database in that replica. This all happens transparently to you and allows you to do online key rotation without having to re-write your data.

Re (2) No, it’s automatically encrypted at this point, and the MongoDB process decrypts it before returning data to a client.

Re (3) If you want to separately add another layer of encryption on top, you may want to explore MongoDB’s Client-Side Field Level Encryption for the subset of your schema that has the highest data classification level, where you’re willing to trade off some queryability for the fact that the data is never decrypted outside your systems: in this model you can do point queries but not range queries. The MongoDB drivers can be configured to automatically decrypt. You do not need to do this if you’re just trying to control the cluster-level key, e.g. in (1) above.

Re (4) If you’ve enabled MongoDB’s Encrypted Storage Engine with Customer Key Management on this cluster then you’re good to go (that would automatically be set if you had configured your Azure Key Vault).

Re (5) Correct, you get that automatically in Atlas as long as you’re using your own key management (whether Azure Key Vault, AWS KMS, or GCP KMS).

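The key hierarchy described in the answer to (1), as an added example that is not part of the original thread and not MongoDB's or Atlas's own code: a Go program that models customer key → per-node master key → per-database key with AES-256-GCM wrapping at each level. Azure Key Vault is stood in for by an in-process `KMS` struct, and every type and function name here (`Node`, `NewNode`, `RotateKMSKey`, `Demo`) is an assumption for illustration. The point it demonstrates is the one the answer makes: rotating the customer-managed key only re-wraps the node master key, so data files encrypted under the database keys never have to be rewritten, while the old customer key can no longer unwrap anything.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// seal encrypts plaintext under a 32-byte key with AES-256-GCM; the random
// nonce is prepended to the ciphertext so unseal can recover it.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; a wrong key fails authentication and returns an error.
func unseal(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// KMS stands in for Azure Key Vault (assumed model): it holds the customer key
// and only ever wraps or unwraps node master keys, never data.
type KMS struct{ key []byte }

func (k *KMS) Wrap(plain []byte) ([]byte, error)     { return seal(k.key, plain) }
func (k *KMS) Unwrap(wrapped []byte) ([]byte, error) { return unseal(k.key, wrapped) }

// Node models one replica-set member. Only wrapped keys are stored at rest.
type Node struct {
	WrappedMasterKey []byte            // node master key, wrapped by the KMS key
	WrappedDBKeys    map[string][]byte // per-database keys, wrapped by the master key
}

func NewNode(kms *KMS, dbs []string) (*Node, error) {
	master := newKey()
	wm, err := kms.Wrap(master)
	if err != nil {
		return nil, err
	}
	n := &Node{WrappedMasterKey: wm, WrappedDBKeys: map[string][]byte{}}
	for _, db := range dbs {
		if n.WrappedDBKeys[db], err = seal(master, newKey()); err != nil {
			return nil, err
		}
	}
	return n, nil
}

// dbKey walks the chain KMS -> node master key -> database key.
func (n *Node) dbKey(kms *KMS, db string) ([]byte, error) {
	master, err := kms.Unwrap(n.WrappedMasterKey)
	if err != nil {
		return nil, err
	}
	wk, ok := n.WrappedDBKeys[db]
	if !ok {
		return nil, fmt.Errorf("no key for database %q", db)
	}
	return unseal(master, wk)
}

func (n *Node) EncryptRecord(kms *KMS, db string, record []byte) ([]byte, error) {
	k, err := n.dbKey(kms, db)
	if err != nil {
		return nil, err
	}
	return seal(k, record)
}

func (n *Node) DecryptRecord(kms *KMS, db string, sealed []byte) ([]byte, error) {
	k, err := n.dbKey(kms, db)
	if err != nil {
		return nil, err
	}
	return unseal(k, sealed)
}

// RotateKMSKey re-wraps only the node master key under the new customer key;
// database keys and encrypted data are untouched.
func (n *Node) RotateKMSKey(oldKMS, newKMS *KMS) error {
	master, err := oldKMS.Unwrap(n.WrappedMasterKey)
	if err != nil {
		return err
	}
	wm, err := newKMS.Wrap(master)
	if err != nil {
		return err
	}
	n.WrappedMasterKey = wm
	return nil
}

// Demo encrypts a constructed sample document, rotates the customer key, and
// reports whether the document still decrypts without having been rewritten.
func Demo() (bool, error) {
	kms := &KMS{key: newKey()}
	node, err := NewNode(kms, []string{"orders", "users"})
	if err != nil {
		return false, err
	}
	record := []byte(`{"_id": 1, "card": "4111 1111 1111 1111"}`) // constructed sample
	sealed, err := node.EncryptRecord(kms, "orders", record)
	if err != nil {
		return false, err
	}
	rotated := &KMS{key: newKey()}
	if err := node.RotateKMSKey(kms, rotated); err != nil {
		return false, err
	}
	if _, err := node.DecryptRecord(kms, "orders", sealed); err == nil {
		return false, fmt.Errorf("retired customer key still unwraps the master key")
	}
	got, err := node.DecryptRecord(rotated, "orders", sealed)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, record), nil
}

func main() {
	ok, err := Demo()
	fmt.Println("data readable after KMS key rotation:", ok, err)
}
```

Because each database key is wrapped separately, a key for one database also cannot open records from another, which is the property that lets a per-database key be retired without touching the rest of the node.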