Atlas encrypts all cluster storage and snapshot volumes at rest by default. You can add another layer of security by using your cloud provider's KMS together with the MongoDB encrypted storage engine.
You can use one or more of the following customer KMS providers for encryption at rest in Atlas: AWS KMS, Azure Key Vault, and Google Cloud KMS.
Note
The key management provider doesn't need to match the cluster cloud service provider.
To learn more about using your KMS with Atlas, see the Atlas documentation for your key management provider.
To manage your KMS encryption with Atlas Kubernetes Operator, you can specify and update the spec.encryptionAtRest parameter for the AtlasProject Custom Resource. Each time you change the spec field in any of the supported custom resources, Atlas Kubernetes Operator creates or updates the corresponding Atlas configuration.
Prerequisites
To configure encryption at rest using AWS KMS in Atlas Kubernetes Operator, you require:
- A running Kubernetes cluster with Atlas Kubernetes Operator deployed. 
- The Project Owner or Organization Owner role in Atlas.
- Valid key management credentials and an encryption key for AWS KMS. To learn more, see Prerequisites to Enable Customer-Managed Keys with AWS. 
- An assumed IAM role for your Atlas account. To set up an assumed IAM role with the Atlas Kubernetes Operator, see Set Up Unified Cloud Provider Integrations. To learn more about role-based access for an AWS encryption key, see Manage Customer Keys with AWS KMS. 
Important
If you switch your encryption keys to role-based access, you can't undo the role-based access configuration and revert to credentials-based access for encryption keys on that project.
To configure encryption at rest using Azure Key Vault in Atlas Kubernetes Operator, you require:
- A running Kubernetes cluster with Atlas Kubernetes Operator deployed. 
- The Project Owner or Organization Owner role in Atlas.
- Valid key management credentials and an encryption key for Azure Key Vault. To learn more, see Prerequisites to Enable Customer-Managed Keys with Azure. 
To configure encryption at rest using a Google Cloud KMS in Atlas Kubernetes Operator, you require:
- A running Kubernetes cluster with Atlas Kubernetes Operator deployed. 
- The Project Owner or Organization Owner role in Atlas.
- Valid key management credentials and an encryption key for Google Cloud KMS. To learn more, see Prerequisites to Enable Customer-Managed Keys with Google Cloud. 
Procedure
Encrypt your Atlas data using a customer-managed key with the following procedure. The steps differ by key management provider (AWS KMS, Azure Key Vault, or Google Cloud KMS); follow the set for the provider you use.
AWS KMS

Create a secret with your AWS credentials.
Create a secret with the values for the following parameters:
| Parameter | Description |
|---|---|
| CustomerMasterKeyID | Unique alphanumeric string that identifies the AWS customer master key that you use to encrypt and decrypt the MongoDB master keys. |
| RoleId | Unique AWS ARN that identifies the AWS IAM role with permission to manage your AWS customer master key. To find this value, open the role in the AWS IAM console; AWS displays the ARN in the Summary section. |
To create and label a secret, run the following commands with your AWS credentials. The label atlas.mongodb.com/type=credentials is required: Atlas Kubernetes Operator only reads secrets that carry it.
```shell
kubectl create secret generic aws-ear-creds \
  --from-literal="CustomerMasterKeyID=<customer-master-key>" \
  --from-literal="RoleId=<aws-arn>" \
  -n mongodb-atlas-system

kubectl label secret aws-ear-creds atlas.mongodb.com/type=credentials -n mongodb-atlas-system
```
Specify the spec.encryptionAtRest.awsKms parameter.
- Add the spec.encryptionAtRest.awsKms object to the spec.encryptionAtRest object in the AtlasProject Custom Resource, including the following parameters:
| Parameter | Description |
|---|---|
| spec.encryptionAtRest.awsKms.enabled | Flag that indicates whether this project uses AWS KMS to encrypt data at rest. To enable encryption at rest using AWS KMS, set this parameter to true. To disable encryption at rest using AWS KMS, set this parameter to false. If you disable encryption at rest using AWS KMS, Atlas Kubernetes Operator removes the configuration details. |
| spec.encryptionAtRest.awsKms.region | Label that indicates the AWS region where the customer master key exists. |
| spec.encryptionAtRest.awsKms.secretRef.name | Name of the secret that contains your AWS credentials. |
| spec.encryptionAtRest.awsKms.secretRef.namespace | Namespace that contains your AWS credentials. If unspecified, this parameter defaults to the namespace of the AtlasProject custom resource. |
  The referenced secret must contain the values for CustomerMasterKeyID and RoleId that you created in the previous step. Atlas Kubernetes Operator also accepts AccessKeyID and SecretAccessKey in this secret for credentials-based access; as the Important note under Prerequisites states, once a project switches to role-based access it can't revert to credentials-based access.
- Run the following command:
```yaml
cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: Test Atlas Operator Project
  encryptionAtRest:
    awsKms:
      enabled: true
      region: US_EAST_1
      secretRef:
        name: aws-ear-creds
        namespace: mongodb-atlas-system
EOF
```
Check for successful enablement of encryption at rest on your project.
Run the following command to check whether Atlas Kubernetes Operator detects the AWS KMS configuration for your project. A condition status other than true means the operator has not accepted the configuration; inspect the full status (kubectl get atlasprojects my-project -o yaml) for the condition's reason and message before enabling encryption at the cluster level.
```shell
kubectl get atlasprojects my-project -o=jsonpath='{.status.conditions[?(@.type=="EncryptionAtRestReadyType")].status}'
```
Expected output:
```
true
```
Enable encryption at rest using customer-managed keys for your cluster.
After you enable encryption at rest using customer-managed keys for your project, you must enable it at the cluster level to encrypt data.
Run the following command to add the spec.deploymentSpec.encryptionAtRestProvider to your AtlasDeployment Custom Resource, which enables encryption at rest using your AWS key for this cluster. Apply your complete AtlasDeployment manifest with this field added rather than the fragment alone: kubectl apply drops fields that were in the last-applied configuration but are missing from the new one.
```yaml
cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasDeployment
metadata:
  name: my-cluster
spec:
  name: Test Atlas Operator Cluster
  deploymentSpec:
    encryptionAtRestProvider: "AWS"
EOF
```
Azure Key Vault

Create a secret with your Azure credentials.
Create a secret with the values for the following parameters:
| Parameter | Description |
|---|---|
| KeyIdentifier | Web address with a unique key that identifies your Azure Key Vault. |
| KeyVaultName | Unique string that identifies the Azure Key Vault that contains your key. |
| Secret | Private data (the client secret) associated with the Azure Key Vault tenant that you specify in spec.encryptionAtRest.azureKeyVault.tenantID. |
| SubscriptionID | Unique 36-hexadecimal character string that identifies your Azure subscription. Azure displays the subscription ID on the subscription's details page. |
To create and label a secret, run the following commands with your Azure credentials. The label atlas.mongodb.com/type=credentials is required: Atlas Kubernetes Operator only reads secrets that carry it.
```shell
kubectl create secret generic azure-ear-creds \
  --from-literal="KeyIdentifier=<web-address>" \
  --from-literal="KeyVaultName=<key-vault>" \
  --from-literal="Secret=<secret>" \
  --from-literal="SubscriptionID=<subscription>" \
  -n mongodb-atlas-system

kubectl label secret azure-ear-creds atlas.mongodb.com/type=credentials -n mongodb-atlas-system
```
Specify the spec.encryptionAtRest.azureKeyVault parameter.
- Add the spec.encryptionAtRest.azureKeyVault object to the spec.encryptionAtRest object in the AtlasProject Custom Resource, including the following parameters:
| Parameter | Description |
|---|---|
| spec.encryptionAtRest.azureKeyVault.azureEnvironment | Azure deployment location where the Azure account credentials reside. Valid values include AZURE, AZURE_CHINA, and AZURE_GERMANY. |
| spec.encryptionAtRest.azureKeyVault.clientID | Unique 36-hexadecimal character string that identifies your Azure application. |
| spec.encryptionAtRest.azureKeyVault.enabled | Flag that indicates whether this project uses Azure Key Vault to encrypt data at rest. To enable encryption at rest using Azure Key Vault, set this parameter to true. To disable encryption at rest using Azure Key Vault, set this parameter to false. If you disable encryption at rest using Azure Key Vault, Atlas Kubernetes Operator removes the configuration details. |
| spec.encryptionAtRest.azureKeyVault.resourceGroupName | Label that identifies the Azure resource group that contains your Azure Key Vault. Azure displays the resource group name on the resource group's details page. |
| spec.encryptionAtRest.azureKeyVault.secretRef.name | Name of the secret that contains your Azure credentials. |
| spec.encryptionAtRest.azureKeyVault.secretRef.namespace | Namespace that contains your Azure credentials. If unspecified, this parameter defaults to the namespace of the AtlasProject custom resource. |
| spec.encryptionAtRest.azureKeyVault.tenantID | Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription. Azure displays the tenant ID on the tenant properties page. |
  You must use a secret that contains the values for KeyVaultName, KeyIdentifier, Secret, and SubscriptionID.
- Run the following command:
```yaml
cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: Test Atlas Operator Project
  encryptionAtRest:
    azureKeyVault:
      azureEnvironment: AZURE
      clientID: "12345678-90ab-cdef-1234-567890abcdef"
      enabled: true
      resourceGroupName: "myResourceGroup"
      tenantID: "e8e4b6ba-ff32-4c88-a9af-EXAMPLEID"
      secretRef:
        name: azure-ear-creds
        namespace: mongodb-atlas-system
EOF
```
Check for successful enablement of encryption at rest on your project.
Run the following command to check whether Atlas Kubernetes Operator detects the Azure Key Vault configuration for your project. A condition status other than true means the operator has not accepted the configuration; inspect the full status (kubectl get atlasprojects my-project -o yaml) for the condition's reason and message before enabling encryption at the cluster level.
```shell
kubectl get atlasprojects my-project -o=jsonpath='{.status.conditions[?(@.type=="EncryptionAtRestReadyType")].status}'
```
Expected output:
```
true
```
Enable encryption at rest using customer-managed keys for your cluster.
After you enable encryption at rest using customer-managed keys for your project, you must enable it at the cluster level to encrypt data.
Run the following command to add the spec.deploymentSpec.encryptionAtRestProvider to your AtlasDeployment Custom Resource, which enables encryption at rest using your Azure key for this cluster. Apply your complete AtlasDeployment manifest with this field added rather than the fragment alone: kubectl apply drops fields that were in the last-applied configuration but are missing from the new one.
```yaml
cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasDeployment
metadata:
  name: my-cluster
spec:
  name: Test Atlas Operator Cluster
  deploymentSpec:
    encryptionAtRestProvider: "AZURE"
EOF
```
Google Cloud KMS

Create a secret with your Google Cloud credentials.
Create a secret with the values for the following parameters:
| Parameter | Description |
|---|---|
| KeyVersionResourceID | Unique resource path that displays the key version resource ID for your Google Cloud KMS. |
| ServiceAccountKey | JSON file that contains the Google Cloud KMS credentials from your Google Cloud account. IMPORTANT: You must format the JSON object properly. Ensure you properly indent the credential fields within the file. A stray backslash, a missing comma, or a private key whose newlines are not escaped as \n makes the file unparseable, and Atlas Kubernetes Operator can't use the secret. |
The following example shows the contents of a ServiceAccountKey JSON file:
```json
{
  "type": "service_account",
  "project_id": "my-project-common-0",
  "private_key_id": "e120598ea4f88249469fcdd75a9a785c1bb3",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEuwIBA(truncated)SfecnS0mT94D9\n-----END PRIVATE KEY-----\n",
  "client_email": "my-email-kms-0@my-project-common-0.iam.gserviceaccount.com",
  "client_id": "10180967717292066",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/my-email-kms-0%40my-project-common-0.iam.gserviceaccount.com",
  "universe_domain": "googleapis.com"
}
```
To create and label a secret, run the following commands with your Google Cloud credentials. The label atlas.mongodb.com/type=credentials is required: Atlas Kubernetes Operator only reads secrets that carry it.
```shell
kubectl create secret generic gcp-ear-creds \
  --from-literal="KeyVersionResourceID=<resource-id>" \
  --from-file="ServiceAccountKey=<your-service-account-key-file.json>" \
  -n mongodb-atlas-system

kubectl label secret gcp-ear-creds atlas.mongodb.com/type=credentials -n mongodb-atlas-system
```
Specify the spec.encryptionAtRest.googleCloudKms parameter.
- Add the spec.encryptionAtRest.googleCloudKms object to the spec.encryptionAtRest object in the AtlasProject Custom Resource, including the following parameters:
| Parameter | Description |
|---|---|
| spec.encryptionAtRest.googleCloudKms.enabled | Flag that indicates whether this project uses Google Cloud KMS to encrypt data at rest. To enable encryption at rest using Google Cloud KMS, set this parameter to true. To disable encryption at rest using Google Cloud KMS, set this parameter to false. If you disable encryption at rest using Google Cloud KMS, Atlas Kubernetes Operator removes the configuration details. |
| spec.encryptionAtRest.googleCloudKms.secretRef.name | Name of the secret that contains your Google Cloud credentials. |
| spec.encryptionAtRest.googleCloudKms.secretRef.namespace | Namespace that contains your Google Cloud credentials. If unspecified, this parameter defaults to the namespace of the AtlasProject custom resource. |
  You must use a secret that contains the values for KeyVersionResourceID and ServiceAccountKey.
- Run the following command:
```yaml
cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: Test Atlas Operator Project
  encryptionAtRest:
    googleCloudKms:
      enabled: true
      secretRef:
        name: gcp-ear-creds
        namespace: mongodb-atlas-system
EOF
```
Check for successful enablement of encryption at rest on your project.
Run the following command to check whether Atlas Kubernetes Operator detects the Google Cloud KMS configuration for your project. A condition status other than true means the operator has not accepted the configuration; inspect the full status (kubectl get atlasprojects my-project -o yaml) for the condition's reason and message before enabling encryption at the cluster level.
```shell
kubectl get atlasprojects my-project -o=jsonpath='{.status.conditions[?(@.type=="EncryptionAtRestReadyType")].status}'
```
Expected output:
```
true
```
Enable encryption at rest using customer-managed keys for your cluster.
After you enable encryption at rest using customer-managed keys for your project, you must enable it at the cluster level to encrypt data.
Run the following command to add the spec.deploymentSpec.encryptionAtRestProvider to your AtlasDeployment Custom Resource, which enables encryption at rest using your Google Cloud key for this cluster. Apply your complete AtlasDeployment manifest with this field added rather than the fragment alone: kubectl apply drops fields that were in the last-applied configuration but are missing from the new one.
```yaml
cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasDeployment
metadata:
  name: my-cluster
spec:
  name: Test Atlas Operator Cluster
  deploymentSpec:
    encryptionAtRestProvider: "GCP"
EOF
```
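The three provider procedures above share the same failure points: a secret missing one of the keys the operator expects, a secret without the atlas.mongodb.com/type=credentials label, a secretRef that points at a different name or namespace than the secret you created, and a malformed Google service-account JSON file. The following preflight script is an added example written for this page; it is not part of the Atlas Kubernetes Operator project. It builds the Secret and AtlasProject manifests as JSON (which kubectl apply -f accepts), checks them against each other before anything is applied, and evaluates the same readiness condition as the jsonpath query in the procedure over the output of kubectl get atlasprojects -o json. The secret key names, label, and condition type EncryptionAtRestReadyType are taken from this page; the sample service-account key and the sample status document are constructed for the example and are not real credentials.

```python
"""Preflight checks for Atlas Kubernetes Operator encryption-at-rest config.

Added example, not code from the Atlas Kubernetes Operator project. Key
names, the credentials label and the condition type are taken from the
documentation page; sample data below is constructed.
"""
import base64
import json

# Required secret keys per provider, as listed in each "Create a secret" step
# (AWS uses role-based access, so only the CMK ID and the role ARN are needed).
REQUIRED_KEYS = {
    "awsKms": {"CustomerMasterKeyID", "RoleId"},
    "azureKeyVault": {"KeyIdentifier", "KeyVaultName", "Secret", "SubscriptionID"},
    "googleCloudKms": {"KeyVersionResourceID", "ServiceAccountKey"},
}
CREDENTIALS_LABEL = ("atlas.mongodb.com/type", "credentials")
READY_CONDITION = "EncryptionAtRestReadyType"  # condition type as shown on the page


def validate_service_account_key(text: str) -> dict:
    """Parse a Google service-account key file and reject malformed ones early.
    Malformed JSON (stray backslash, missing comma) raises ValueError here
    instead of failing inside the operator after the secret is applied."""
    data = json.loads(text)  # json.JSONDecodeError is a ValueError subclass
    for field in ("type", "project_id", "private_key", "client_email"):
        if field not in data:
            raise ValueError(f"service account key missing field {field}")
    if data["type"] != "service_account":
        raise ValueError("key file is not of type service_account")
    pem = data["private_key"]
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        raise ValueError("private_key is not a PEM block (newlines must be escaped as \\n)")
    return data


def build_ear_secret(name: str, namespace: str, provider: str, values: dict) -> dict:
    """Manifest equivalent of `kubectl create secret generic` plus `kubectl label`."""
    missing = REQUIRED_KEYS[provider] - set(values)
    if missing:
        raise ValueError(f"{provider} secret is missing keys: {sorted(missing)}")
    if provider == "googleCloudKms":
        validate_service_account_key(values["ServiceAccountKey"])
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace,
                     "labels": {CREDENTIALS_LABEL[0]: CREDENTIALS_LABEL[1]}},
        "type": "Opaque",
        # Secret.data holds base64-encoded values; stringData would also work.
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in values.items()},
    }


def check_project_against_secret(project: dict, secret: dict) -> list:
    """Return a list of problems; an empty list means the AtlasProject and Secret agree."""
    problems = []
    ear = project["spec"].get("encryptionAtRest", {})
    enabled = [p for p, cfg in ear.items() if cfg.get("enabled")]
    if len(enabled) != 1:
        return [f"expected exactly one enabled provider, found {enabled}"]
    provider = enabled[0]
    ref = ear[provider].get("secretRef", {})
    # secretRef.namespace defaults to the AtlasProject's own namespace.
    ref_ns = ref.get("namespace", project["metadata"].get("namespace", "default"))
    meta = secret["metadata"]
    if (ref.get("name"), ref_ns) != (meta["name"], meta["namespace"]):
        problems.append("secretRef name/namespace does not match the secret")
    if meta.get("labels", {}).get(CREDENTIALS_LABEL[0]) != CREDENTIALS_LABEL[1]:
        problems.append("secret lacks the atlas.mongodb.com/type=credentials label")
    missing = REQUIRED_KEYS[provider] - set(secret.get("data", {}))
    if missing:
        problems.append(f"secret is missing keys for {provider}: {sorted(missing)}")
    return problems


def ear_ready(project_json: str) -> bool:
    """Same test as the page's jsonpath query, over `kubectl get atlasprojects <name> -o json`."""
    conditions = json.loads(project_json).get("status", {}).get("conditions", [])
    return any(c.get("type") == READY_CONDITION and str(c.get("status")).lower() == "true"
               for c in conditions)


# Constructed sample inputs (not real credentials, not real operator output).
SAMPLE_SA_KEY = json.dumps({
    "type": "service_account", "project_id": "my-project-common-0",
    "private_key_id": "0000", "client_email": "kms@my-project-common-0.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIE(example)\n-----END PRIVATE KEY-----\n",
})
SAMPLE_STATUS = json.dumps({"status": {"conditions": [
    {"type": "Ready", "status": "True"}, {"type": READY_CONDITION, "status": "True"}]}})
SAMPLE_PROJECT = {
    "apiVersion": "atlas.mongodb.com/v1", "kind": "AtlasProject",
    "metadata": {"name": "my-project", "namespace": "mongodb-atlas-system"},
    "spec": {"name": "Test Atlas Operator Project", "encryptionAtRest": {"googleCloudKms": {
        "enabled": True, "secretRef": {"name": "gcp-ear-creds", "namespace": "mongodb-atlas-system"}}}},
}

if __name__ == "__main__":
    secret = build_ear_secret("gcp-ear-creds", "mongodb-atlas-system", "googleCloudKms", {
        "KeyVersionResourceID": "projects/p/locations/global/keyRings/r/cryptoKeys/k/cryptoKeyVersions/1",
        "ServiceAccountKey": SAMPLE_SA_KEY})
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": [secret, SAMPLE_PROJECT]}))
    print("problems:", check_project_against_secret(SAMPLE_PROJECT, secret), "ready:", ear_ready(SAMPLE_STATUS))
```

Pipe the script's first output line into kubectl apply -f - to create both objects in one step, and feed the output of kubectl get atlasprojects my-project -o json to ear_ready to poll for readiness from a CI job. Because the secret values are base64-encoded rather than encrypted, treat the generated manifest with the same care as the credentials themselves: do not commit it, and prefer generating it at deploy time.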