Choosing a KMS for at-rest encryption

Hi, my client is wanting to encrypt their Enterprise deployment. They say they need FIPS level 3 encryption. I’m looking for a suitable Key Management Service vendor. Any suggestions?

Thanks,
Guy

Hi @Guy_Harrison,

At the moment, MongoDB drivers support these KMS providers:

So I guess it’s all about which cloud provider your client is using.

Doc: https://docs.mongodb.com/drivers/security/client-side-field-level-encryption-local-key-to-kms/

Cheers,
Maxime.

Thanks Maxime,

Those are KMS systems for client-side encryption. My client is looking for a solution for server-side encryption. The server-side encryption solution has to support the KMIP protocol. Unfortunately, that means that solutions for client-side encryption mostly don’t work. @wan I saw your name on an encryption thread on Stack Overflow, do you have a KMS solution you like to work with for server-side? My client is saying they want FIPS-140-3 but I think they are going to have trouble meeting that requirement.

Thanks,
Guy
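For readers wondering what "server-side encryption that supports KMIP" looks like in practice, here is an added example of a mongod configuration for MongoDB Enterprise encryption at rest backed by a KMIP key server. It is not from this thread or from MongoDB's documentation; the hostname, port, key identifier and file paths are placeholders, and the commented-out local-keyfile variant is there only to show the alternative that does not meet a KMS/HSM requirement.

```yaml
# Added example: mongod.conf for Enterprise encryption at rest via KMIP.
# Hostnames, paths and the key identifier are placeholders, not real values.

storage:
  dbPath: /var/lib/mongodb          # placeholder data directory

net:
  port: 27017
  bindIp: 127.0.0.1
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/mongodb/tls/mongod.pem   # placeholder
    CAFile: /etc/mongodb/tls/ca.pem                   # placeholder
    # FIPSMode makes mongod use its TLS library's FIPS mode (Enterprise build).
    # It does not by itself satisfy a "Level 3" requirement: the validation
    # level is a property of the KMIP server's HSM, which is why the vendor
    # choice in this thread matters.
    FIPSMode: true

security:
  authorization: enabled
  enableEncryption: true
  encryptionCipherMode: AES256-CBC    # or AES256-GCM where supported

  # Option A (NOT suitable here): master key kept in a local file. Anyone who
  # can read this file together with the data files can decrypt the database,
  # so it only makes sense for test environments.
  # encryptionKeyFile: /etc/mongodb/mongod-master.key

  # Option B: master key held by a KMIP-speaking key server (what the client
  # is asking for). mongod authenticates to it with a client certificate and
  # retrieves the master key at startup; the per-database keys on disk stay
  # wrapped by that master key.
  kmip:
    serverName: kms.example.internal               # placeholder KMIP host
    port: 5696                                     # default KMIP port
    clientCertificateFile: /etc/mongodb/tls/kmip-client.pem   # placeholder
    serverCAFile: /etc/mongodb/tls/kmip-ca.pem                # placeholder
    # Omit keyIdentifier on first start and mongod asks the server to create
    # a new master key; pin it afterwards so restarts use the same key.
    keyIdentifier: "PLACEHOLDER-KEY-ID"
```

Two operational checks are worth building into the rollout plan: mongod will refuse to start if the KMIP server is unreachable or the client certificate is rejected, so monitor the KMIP endpoint with the same priority as the database itself, and make sure the KMIP client certificate and its private key are only readable by the mongod service account, since possession of that certificate is what entitles a process to fetch the master key.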

Oops. Indeed, I read too fast :smiley: !
My bad.

For server-side encryption (at rest), looks like it’s this way in the doc.

We have a list of partners that could be a start to find the golden egg. I can’t do much more here I’m afraid.

Hopefully someone else has more details. :nerd_face:

Hi @Guy_Harrison,

That’s probably a post from a while ago. Nowadays with MongoDB Atlas it’s really easy to set up Encryption At Rest with KMS with integration to AWS, Azure, and GCP.

For Enterprise deployments outside of MongoDB Atlas, back in the day there was Gemalto, which was acquired a couple of years back by Thales (a MongoDB partner). Another one was Townsend (a MongoDB partner as well).

I understand that the landscape of KMS may have changed since. It may be worth getting a security consultant with current knowledge of the landscape to look into the use case closely.

Hope that helps.
Regards,
Wan.