I have a question regarding Atlas Encryption at Rest using Customer Key Management.
As far as I understand it, the customer must provide its Key Version Resource ID from its own KMS (GCP/AWS/Azure), and then:
- Atlas uses a customer’s unique Master Key to generate, encrypt, and decrypt its data master key,
- Master data key is then used to encrypt database keys,
- Generates keys for each database,
- Encrypting data with the database keys,
- Encrypting the database keys with the master data key.
Is there any other step I missed?
I would be grateful for confirmation that my assumption is correct.
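
The hierarchy as the question describes it, modeled as an added example that is not part of the original post and is not Atlas code: it shows that replacing the customer key only re-wraps the master data key, while the database keys and the data stay untouched. `Store`, `seal`, `unseal`, `rotate_cmk` and `can_read` are hypothetical names, the cipher is a toy built from the standard library in place of a real AEAD, and passing `cmk` as bytes stands in for a call to the customer's KMS.

```python
import hashlib, hmac, secrets

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def keystream(key, nonce, n):
    return b"".join(mac(key, nonce + i.to_bytes(4, "big")) for i in range((n + 31) // 32))[:n]

def seal(key, plaintext):
    # Toy encrypt-then-MAC from the stdlib, standing in for a real AEAD.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(mac(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + mac(mac(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, mac(mac(key, b"mac"), nonce + ct)):
        raise ValueError("wrong key or modified ciphertext")
    return bytes(a ^ b for a, b in zip(ct, keystream(mac(key, b"enc"), nonce, len(ct))))

class Store:
    """Hypothetical model of the key hierarchy in the question; not Atlas code."""
    def __init__(self, cmk):
        # Assumption: cmk bytes model a KMS encrypt/decrypt call with the customer's key.
        self.wrapped_mdk = seal(cmk, secrets.token_bytes(32))  # master data key under CMK
        self.wrapped_db_keys = {}  # database name -> database key under master data key
        self.data = {}             # database name -> document under database key

    def write(self, cmk, db, doc):
        mdk = unseal(cmk, self.wrapped_mdk)
        if db not in self.wrapped_db_keys:
            self.wrapped_db_keys[db] = seal(mdk, secrets.token_bytes(32))
        self.data[db] = seal(unseal(mdk, self.wrapped_db_keys[db]), doc)

    def read(self, cmk, db):
        mdk = unseal(cmk, self.wrapped_mdk)
        return unseal(unseal(mdk, self.wrapped_db_keys[db]), self.data[db])

    def rotate_cmk(self, old_cmk, new_cmk):
        # Re-wrap only the master data key; database keys and data stay as they are.
        self.wrapped_mdk = seal(new_cmk, unseal(old_cmk, self.wrapped_mdk))

def can_read(store, cmk, db):
    try:
        store.read(cmk, db)
        return True
    except ValueError:
        return False
```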