MongoDB Atlas - Encryption at Rest

I was hoping to get some clarification. We are using an M2 cluster of MongoDb Atlas. I’ve read this link which states Atlas encrypts all cluster storage and snapshot volumes, ensuring the security of all cluster data at rest.

My understanding if we want to encrypt the data with our key then would need to upgrade to M10.

On the assumption our M2 cluster is encrypted I asked MongoDb chat support on what encryption type is used (eg 256 encryption). I was surprisingly given the response that the M2 cluster was not encrypted (See snapshot below).

Is this correct? It seems what they have stated is a contradiction? Am I able to get clarification that our M2 cluster is encrypted at REST? In addition what encryption type is used? And finally as a newb what is the key difference between encrypting the whole disk vs us providing our key? Many thanks in advance.

Welcome to the community @Ka_Tech!

MongoDB Atlas always uses cloud provider storage encryption by default. This is volume-level encryption at rest (for example, EBS Encryption on AWS). In free/shared tier clusters (M0, M2, M5) the underlying MongoDB instances are shared so you cannot configure encryption options. The industry standard for cloud provider encryption is AES-256, but you can confirm the exact details referring to AWS, GCP, or Azure documentation as appropriate.

If you have a dedicated cluster (M10+), you can enable and configure the Enterprise Encryption at Rest feature which is cluster-specific encryption for additional security including user-managed encryption keys. With this feature enabled, your data files will be encrypted using the Encrypted Storage Engine (which is in addition to the underlying cloud provider storage encryption).

For example, if you are using Encryption at Rest with AWS KMS:

Atlas encrypts your data at rest using encrypted storage media. Using keys you manage with AWS KMS, Atlas encrypts your data a second time when it writes it to the MongoDB encrypted storage engine. You use your AWS Customer Master Key (CMK) to encrypt the MongoDB master encryption keys. Oplog data is also encrypted with your CMK.

For more information, please refer to How does MongoDB Atlas secure my data? in the Atlas FAQ. The MongoDB Atlas Security white paper also goes into further detail.

Regards,
Stennie

1 Like

Hi Stennie, thanks so much for your reply. Now I understand the difference why M10 only supports custom keys given M0, M2, M5 are on shared tier clusters.

Don’t know why the MongoDb rep stated it wasn’t encrypted but your response with the supported links alleviates my concerns. Thanks again!

1 Like