MongoDB Atlas Encryption - database level or collection level

Hi,

I’ll need some help to understand MongoDB Atlas encryption.
I have an Atlas subscription for M10 cluster, encryption at rest enabled on it using Azure Key Vault and a database is created on the same cluster. My understanding is as the data is encrypted at rest, plain text in database should not be displayed when I access the database from Atlas or Compass (Enterprise). But as my IP is whitelist I am able to read the data as is, and if it’s not, connection to the cluster fails from MongoDB Compass.

Is there a way to prevent users from reading plain text without performing CSFLE? OR
Does MongoDB Atlas provide a feature that doesn’t display plain text to any user role?

If yes, can that be enabled for admin user role as well? OR can custom role setup restrict users from reading plain text?

As per the documentations, disk level encryption ensures that the files at rest are encrypted, is there a way to access those encrypted files on/from Atlas itself?

Also, can we arrange a call with the support team to discuss our queries in detail? If yes, could you please provide the details to contact support team directly and arrange a call, if and when required?

Thank you!

Hi @Priyanka_Singh,

The encryption at rest in Atlas encrypt the database files on disk and backups, so if someone would get there hands on this data they will not be able to restore it.

However, the data is decrypted when authenticated and whitelisted clients like compass access the data. This decryption/encryption is by design and for the whole instance.

The recommended features to encrypt client visible data is FLE :
https://docs.mongodb.com/drivers/use-cases/client-side-field-level-encryption-guide

By the way any connection to atlas is TLS encrypted by default.

1 Like