Atlas Encryption at Rest using Customer Key Management

Hello,

I have a question regarding Atlas Encryption at Rest using Customer Key Management.
As far as I understand it, the customer must provide the Key Version Resource ID from its own KMS (GCP/AWS/Azure), and then:

  1. Atlas uses the customer’s unique Master Key to generate, encrypt, and decrypt its data master key,
  2. The master data key is then used to encrypt database keys,
  3. Keys are generated for each database,
  4. Data is encrypted with the database keys,
  5. The database keys are encrypted with the master data key.

Is there any other step I missed?

I would be grateful for confirmation that my assumption is correct.

BR
Arek

Broadly correct. Note that one great thing about this model is that you can do lightweight key rotation without having to rewrite all the data.

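To make the key hierarchy in the question and the rotation point in this reply concrete, here is an added example. It is not Atlas code or MongoDB's implementation; the KMS and Cluster types, the seal/open helpers, the integer version IDs and the sample document are assumptions of this illustration. It models a customer KMS that only wraps and unwraps (master key material never leaves it), a data master key that is stored only in wrapped form, one wrapped key per database, and a master key rotation that re-wraps nothing but the data master key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // guaranteed not to return an error since Go 1.24 (it aborts the program instead)
	return b
}

// seal encrypts plaintext under a 32-byte key with AES-256-GCM, binds aad, and prepends the random nonce.
func seal(key, plaintext, aad []byte) []byte {
	block, _ := aes.NewCipher(key) // every key here is 32 bytes, so NewCipher and NewGCM cannot fail
	g, _ := cipher.NewGCM(block)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}
// open reverses seal; a wrong key, wrong aad or modified ciphertext fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// KMS is a hypothetical stand-in for the customer's cloud KMS: master key material never leaves it; versions are named by index.
type KMS struct{ versions [][]byte }

// Rotate creates a new master key version; older versions stay usable for Unwrap.
func (k *KMS) Rotate() int {
	k.versions = append(k.versions, randBytes(32))
	return len(k.versions) - 1
}
// Wrap encrypts dek under the newest master key version and returns that version's ID.
func (k *KMS) Wrap(dek []byte) (int, []byte) {
	v := len(k.versions) - 1
	return v, seal(k.versions[v], dek, nil)
}
// Unwrap fails for any version this KMS does not hold.
func (k *KMS) Unwrap(version int, wrapped []byte) ([]byte, error) {
	if version < 0 || version >= len(k.versions) {
		return nil, fmt.Errorf("unknown master key version %d", version)
	}
	return open(k.versions[version], wrapped, nil)
}

// Cluster models the post's hierarchy: customer master key (in the KMS) -> data master key -> one key per database -> data.
type Cluster struct {
	kms              *KMS
	masterKeyVersion int               // KMS version that currently wraps the data master key
	wrappedDataKey   []byte            // data master key, wrapped by the customer's KMS
	wrappedDBKeys    map[string][]byte // database name -> key wrapped by the data master key
}

func NewCluster(kms *KMS) *Cluster {
	ver, wrapped := kms.Wrap(randBytes(32))
	return &Cluster{kms: kms, masterKeyVersion: ver, wrappedDataKey: wrapped, wrappedDBKeys: map[string][]byte{}}
}

// DBKey unwraps the data master key via the KMS, then unwraps (or creates) the key for db; data is sealed/opened under that key.
func (c *Cluster) DBKey(db string) ([]byte, error) {
	dmk, err := c.kms.Unwrap(c.masterKeyVersion, c.wrappedDataKey)
	if err != nil {
		return nil, err
	}
	if w, ok := c.wrappedDBKeys[db]; ok {
		return open(dmk, w, []byte(db))
	}
	k := randBytes(32)
	c.wrappedDBKeys[db] = seal(dmk, k, []byte(db))
	return k, nil
}

// RotateMasterKey is the lightweight rotation: only the data master key is re-wrapped under a new KMS version.
func (c *Cluster) RotateMasterKey() error {
	dmk, err := c.kms.Unwrap(c.masterKeyVersion, c.wrappedDataKey)
	if err != nil {
		return err
	}
	c.kms.Rotate()
	c.masterKeyVersion, c.wrappedDataKey = c.kms.Wrap(dmk)
	return nil
}

func main() {
	kms := &KMS{}
	kms.Rotate() // the customer's initial key version
	cl := NewCluster(kms)
	k, _ := cl.DBKey("inventory")
	ct := seal(k, []byte(`{"sku":"A1","qty":3}`), []byte("inventory")) // constructed sample document
	_ = cl.RotateMasterKey()
	k, _ = cl.DBKey("inventory") // same database key, reached through the new master key version
	pt, err := open(k, ct, []byte("inventory"))
	fmt.Printf("master key version %d: %s err=%v\n", cl.masterKeyVersion, pt, err)
}
```

Run as-is and the document written before the rotation decrypts under master key version 1, with the wrapped inventory key byte-for-byte unchanged. Two things the model makes visible: every read of a database key goes through the customer's KMS, so if the version that wraps the data master key is no longer available there, Unwrap fails and nothing below it is reachable; and only the top-level re-wrap is lightweight, since rotating the data master key would mean re-wrapping every database key, and rotating a database key would mean re-encrypting that database's data.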

@Andrew_Davidson
thank you for your answer. Yes, it is true; this is a huge advantage if Atlas can do lightweight key rotation without having to rewrite all the data!
I have one more question. Are the customer’s unique Master Key and the Master data key two separate keys? I mean, is one held in the customer’s cloud provider KMS and the second in Atlas’s underlying cloud provider KMS?

best
Arek