MongoDB Atlas Encryption - database level or collection level

Hi,

I’ll need some help to understand MongoDB Atlas encryption.
I have an Atlas subscription for an M10 cluster, encryption at rest enabled on it using Azure Key Vault, and a database created on the same cluster. My understanding is that, as the data is encrypted at rest, plain text in the database should not be displayed when I access the database from Atlas or Compass (Enterprise). But as my IP is whitelisted I am able to read the data as is, and if it’s not, the connection to the cluster fails from MongoDB Compass.

Is there a way to prevent users from reading plain text without performing CSFLE? OR
Does MongoDB Atlas provide a feature that doesn’t display plain text to any user role?

If yes, can that be enabled for admin user role as well? OR can custom role setup restrict users from reading plain text?

As per the documentations, disk level encryption ensures that the files at rest are encrypted, is there a way to access those encrypted files on/from Atlas itself?

Also, can we arrange a call with the support team to discuss our queries in detail? If yes, could you please provide the details to contact support team directly and arrange a call, if and when required?

Thank you!

Hi @Priyanka_Singh,

The encryption at rest in Atlas encrypts the database files on disk and backups, so if someone got their hands on this data they would not be able to restore it.

However, the data is decrypted when authenticated and whitelisted clients like Compass access the data. This decryption/encryption is by design and for the whole instance.

The recommended feature to encrypt client-visible data is FLE:

By the way any connection to atlas is TLS encrypted by default.

1 Like

Hi @Pavel_Duchovny, I have a question. What is the limitation of FLE (search, filter, regex, …)?

Hi @Quang_Huy,

I suggest you read the operations manual
https://docs.mongodb.com/drivers/security/client-side-field-level-encryption-guide#e.-perform-encrypted-read-write-operations

One note I found is

You cannot directly query for documents on a randomly encrypted field, however you can use another field to find the document that contains an approximation of the randomly encrypted field data.

Thanks
Pavel

1 Like
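The two points made in this thread, that encryption at rest is transparent to any authenticated, whitelisted client while field level encryption keeps the server from ever seeing plaintext, and that a randomly encrypted field cannot be queried directly (whereas a deterministically encrypted one supports equality lookups, and another plaintext field can be used to reach the document), can be modelled in a few lines. The following is an added illustration, not code from the thread, from MongoDB, or the real CSFLE implementation: it uses a toy HMAC-based stream cipher in place of MongoDB's AEAD_AES_256_CBC_HMAC_SHA_512 algorithms, an in-memory `Server` class standing in for the Atlas cluster, a constructed `DEMO_KEY`, and constructed sample patient records.

```python
"""Toy model of client-side field level encryption (assumed stand-in, not
MongoDB's real CSFLE algorithm). The "server" only ever stores bytes, so a
DBA reading it through Compass sees ciphertext for the protected field, and
what can be queried depends on the encryption mode the client chose."""
import hashlib
import hmac
import os
import re
from typing import Dict, List

# Constructed data key for the demo; a real deployment fetches the DEK via the KMS (e.g. Azure Key Vault).
DEMO_KEY = hashlib.sha256(b"constructed demo key, not a real DEK").digest()


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy keystream generator."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(key: bytes, plaintext: bytes, deterministic: bool) -> bytes:
    """Return iv || ciphertext || tag.

    Deterministic mode derives the IV from the plaintext, so equal inputs give
    equal outputs: equality lookups work, at the cost of leaking equality.
    Random mode draws a fresh IV, so equal inputs give different outputs and
    nothing about the field can be matched on the server."""
    if deterministic:
        iv = hmac.new(key, b"iv|" + plaintext, hashlib.sha256).digest()[:16]
    else:
        iv = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, iv, len(plaintext))))
    tag = hmac.new(key, iv + body, hashlib.sha256).digest()[:16]
    return iv + body + tag


def decrypt_field(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then strip the keystream again."""
    iv, body, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(key, iv + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, iv, len(body))))


class Server:
    """Stands in for the Atlas cluster: stores whatever it is given and can
    only compare the stored bytes. Encryption at rest would wrap these
    documents on disk but changes nothing about what a client reads back."""

    def __init__(self) -> None:
        self.docs: List[Dict] = []

    def insert(self, doc: Dict) -> None:
        self.docs.append(doc)

    def find_equal(self, field: str, value) -> List[Dict]:
        return [d for d in self.docs if d.get(field) == value]

    def find_regex(self, field: str, pattern: str) -> List[Dict]:
        # A regex needs a string; an encrypted field is opaque bytes, so it never matches.
        return [d for d in self.docs if isinstance(d.get(field), str) and re.search(pattern, d[field])]


class Client:
    """Encrypts the `ssn` field before it leaves the application."""

    def __init__(self, server: Server, key: bytes, deterministic: bool) -> None:
        self.server, self.key, self.deterministic = server, key, deterministic

    def insert_patient(self, name: str, ssn: str) -> None:
        self.server.insert({"name": name, "ssn": encrypt_field(self.key, ssn.encode(), self.deterministic)})

    def _reveal(self, docs: List[Dict]) -> List[Dict]:
        return [{"name": d["name"], "ssn": decrypt_field(self.key, d["ssn"]).decode()} for d in docs]

    def find_by_ssn(self, ssn: str) -> List[Dict]:
        # Direct lookup: encrypt the search value and let the server compare bytes.
        token = encrypt_field(self.key, ssn.encode(), self.deterministic)
        return self._reveal(self.server.find_equal("ssn", token))

    def find_by_name(self, name: str) -> List[Dict]:
        # Indirect lookup via a plaintext field, then decrypt client-side.
        return self._reveal(self.server.find_equal("name", name))


def run_demo(deterministic: bool) -> Dict:
    """Insert constructed sample records and report what each party can do."""
    server = Server()
    client = Client(server, DEMO_KEY, deterministic)
    client.insert_patient("Ann", "123-45-6789")  # constructed sample data
    client.insert_patient("Bob", "987-65-4321")
    return {
        "admin_sees_plaintext_ssn": any(isinstance(d["ssn"], str) for d in server.docs),
        "equality_hits": len(client.find_by_ssn("123-45-6789")),
        "regex_hits": len(server.find_regex("ssn", r"^123")),
        "lookup_by_other_field": client.find_by_name("Ann")[0]["ssn"],
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("deterministic" if mode else "random", run_demo(mode))
```

Running it shows the thread's answer in one place: in either mode the server-side view of `ssn` is ciphertext (so whitelisting an IP gives a plaintext view only of fields that were never client-encrypted), equality lookups succeed only in deterministic mode, regex and similar server-side operators never apply to the encrypted field, and the document is still reachable through the plaintext `name` field.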