Docs Menu

Docs HomeLaunch & Manage MongoDBMongoDB Atlas

Storage Engine and Cloud Backup Encryption

On this page

  • In Atlas, go to the Database Deployments page for your project.
  • Go to the Backup page for your cluster.
  • Click Snapshots.
  • Note the Encryption Key ID.

Atlas encrypts all snapshots using your cloud provider's standard storage encryption method, ensuring the security of cluster data at rest. Your cloud provider manages the encryption keys. For projects and clusters using Encryption at Rest using Customer Key Management, Atlas applies an additional layer of encryption to your snapshots using the Key Management Service (KMS) provider configured for the cluster.

To view the key used to encrypt a snapshot:

  1. If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.

  2. If it is not already displayed, select your desired project from the Projects menu in the navigation bar.

  3. If the Database Deployments page is not already displayed, click Database in the sidebar.

  1. Click your cluster's name.

  2. Click the Backup tab.

    If the cluster has no Backup tab, then Atlas backups are disabled for that database deployment and no snapshots are available. You can enable backups when scaling the cluster.


Note the Encryption Key ID for each snapshot in the cluster. Atlas lists the Key Identifier used to encrypt the snapshot. Unencrypted snapshots display Not enabled.


Atlas requires access to the encryption key associated to the snapshot's Encryption Key ID to successfully restore that snapshot.

Before deleting an Encryption Key ID used with Atlas Encryption at Rest using your Key Management, check every backup-enabled cluster in the project for any snapshots still using that Encryption Key ID. Once you delete an encryption key, all snapshots encrypted with that key become inaccessible and unrecoverable.

Atlas automatically deletes backups in accordance to the Backup Scheduling, Retention, and On-Demand Snapshots. Once Atlas deletes all snapshots depending on a given Encryption Key ID, you can delete the key safely.

If disabling a Encryption Key ID, you must re-enable the key before restoring a snapshot encrypted with that key.

For complete documentation on configuring Encryption at Rest using your Key Management for an Atlas project, see Encryption at Rest using Customer Key Management. You can then either deploy a new cluster or enable an existing cluster with Encryption at Rest using your Key Management.

← Configure a Backup Compliance Policy