On this page
Atlas lets you restore data from a snapshot of a cluster using Encryption at Rest using Customer Key Management.
In addition to the prerequisites, consider the following requirements and limitations when restoring with Encryption at Rest using Customer Key Management.
DefaultRWConcernvalue on the source snapshot differs from the
DefaultRWConcernvalue on the target database deployment, Atlas overrides the value on the source snapshot with the value on the target database deployment. If there is no value configured for the
DefaultRWConcernon the target database deployment, Atlas keeps the value of
DefaultRWConcernfrom the snapshot without explicit configuration. This may differ from the default value for that MongoDB version.
This feature is only available for
Atlas can only restore to a cluster that uses the same encryption provider as the source cluster. Snapshots taken from clusters without Encryption at Rest using Customer Key Management cannot be restored to a cluster with it, or to a Cloud Manager project.
When you run an automated restore for an Atlas cluster from a different project with Encryption at Rest, the AWS KMS key value for both clusters must be the same.
To optimize performance and reduce the amount of time it takes to restore, follow these principles where applicable:
Select a target cluster that isn't global or multi-cloud.
Select a multi-region cluster only if copies of the snapshot you plan to restore exist in every region of that cluster.
Select a target cluster that belongs to the same Atlas project and the same cloud provider region as the snapshot.
Select a cluster tier with the same storage capacity as the capacity of the original volume used by the source cluster.
If the target cluster runs on AWS with configured IOPS, select the configured IOPS to fall within the configured range.
Select a cluster that is not configured to use NVMe storage. NVMe storage degrades restore performance.
You must have the
Project Owner role for the Atlas
projects that contain the source and target database deployments
to restore data from one Atlas database deployment to
Atlas deletes all existing data on the target database deployment prior to the restore. Depending on the type of restore taking place, the target cluster may be unavailable for the duration of the restore.
Click Database in the top-left corner of Atlas.
From the Database Deployments view, click on the cluster name.
Click the Backup tab.
If the cluster has no Backup tab, then Atlas backups are disabled for that cluster and no snapshots are available. You can enable backups when modifying the cluster.
In the Actions column, expand the Actions menu, and click Restore for the snapshot that you want to restore.
From the Restore dialog, select the target Atlas Project to which you want to restore. You can restore to any Atlas project for which the authenticated Atlas user has the
Select the Cluster to restore to. You can only restore to an Atlas replica set running Encryption at Rest. The target cluster must run the same or greater version of MongoDB as the MongoDB Version of the snapshot.
After the restoration procedure, Atlas triggers a key rotation for MongoDB encryption key. Atlas then encrypts the new MongoDB encryption keys based on the configured Encryption at Rest provider for the target cluster.
Restart your application and ensure it uses the new target cluster.
If Atlas has an issue with the encryption of either the snapshot or the target cluster, it displays one of the following errors:
Cannot restore a non-encrypted snapshot to a cluster with Encryption at Rest enabled.
The snapshot cannot be restored to Atlas.
Target cluster does not have encryption enabled.
Encryption provider of target cluster does not match selected snapshot's encryption provider.
The encryption provider for the snapshot and target cluster do not match. You can either:
Encryption credentials on snapshot are not present.
Atlas cannot restore a snapshot whose encryption key was deleted.