Access an Encrypted Snapshot
When you use Encryption at Rest using Customer Key Management, Atlas encrypts the mongod data files in your snapshots. If you want to download and restore a snapshot, the mongod can't read these data files unless it has access to a KMIP server that can provide the appropriate decryption key. You can use the KMIP Proxy Standalone as that KMIP server to access the mongod data files. You download the KMIP Proxy Standalone as a binary for your specific operating system.
Considerations
By default, the KMIP Proxy Standalone uses the credentials stored in the /<dbPath>/cloudProviderCredentials/<keyID>.<cloudProvider>.metadata file.
If you rotate keys, these credentials reflect the latest key rotation. If the KMIP Proxy Standalone binary is unable to decrypt the snapshots using these credentials, it shows an error message stating that you must update the metadata files on disk that contain the old credentials. You can update the metadata file with any text editor.
If you use role-based access to your encryption key, the /<dbPath>/cloudProviderCredentials/<keyID>.<cloudProvider>.metadata file won't contain valid credentials. Take one of the following actions:
Update the /<dbPath>/cloudProviderCredentials/<keyID>.<cloudProvider>.metadata file. Use an empty roleId, and provide temporary credentials based on the IAM role that can access your encryption key in the accessKeyId and secretAccessKey fields:
{
  "accessKeyId": "TemporaryAccessKeyId",
  "secretAccessKey": "TemporarySecretAccessKey",
  "roleId": "",
  "region": "us-east-1"
}
Alternatively, leave the file as it is and start the KMIP Proxy Standalone binary with the following options, which supply the temporary credentials on the command line:
awsAccessKey
awsSecretAccessKey
awsSessionToken
awsRegion
To generate temporary credentials based on an IAM role, see the AWS documentation.
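The following Python helper is an added example, not MongoDB's code and not part of this page. It inspects the metadata file described above, tells a file that carries a usable key pair apart from the role-based case, and for the role-based case rewrites the file exactly as the first option above describes: temporary credentials in accessKeyId and secretAccessKey, an empty roleId, and the existing region. It assumes the file is the JSON object shown above and nothing more. The function that obtains the temporary credentials is injected; sts_fetcher is one assumed implementation using boto3 STS AssumeRole and needs boto3 plus AWS credentials in the environment. Because the page does not say that roleId is an IAM role ARN, the ARN to assume is passed in separately rather than read from the file.

```python
"""Inspect and rewrite the Atlas KMIP Proxy credential metadata file.

Added example, not MongoDB's code. Assumes the layout the page shows:
<dbPath>/cloudProviderCredentials/<keyID>.<cloudProvider>.metadata holding a
JSON object with accessKeyId, secretAccessKey, roleId and region.
"""
import json
import os
import shutil
from pathlib import Path
from typing import Callable, Dict, List

# A fetcher returns a dict shaped like the Credentials object STS AssumeRole
# returns: AccessKeyId, SecretAccessKey, SessionToken (assumed shape).
CredentialFetcher = Callable[[], Dict[str, str]]


def find_metadata_files(db_path: str) -> List[Path]:
    """List the <keyID>.<cloudProvider>.metadata files under <dbPath>/cloudProviderCredentials."""
    cred_dir = Path(db_path) / "cloudProviderCredentials"
    return sorted(p for p in cred_dir.glob("*.metadata") if p.is_file())


def classify_metadata(path: Path) -> str:
    """'static' if the file holds an access key pair the proxy can use directly,
    'role' if it names a role but no usable key pair (role-based access),
    'unknown' otherwise."""
    data = json.loads(Path(path).read_text())
    if data.get("accessKeyId") and data.get("secretAccessKey"):
        return "static"
    if data.get("roleId"):
        return "role"
    return "unknown"


def rewrite_with_temporary_credentials(path: Path, fetch: CredentialFetcher) -> Dict[str, str]:
    """Rewrite the file with temporary credentials and an empty roleId, as the
    first option on the page describes. The original is kept as <name>.bak so
    the role-based version can be restored after the restore is finished."""
    path = Path(path)
    data = json.loads(path.read_text())
    creds = fetch()
    new_data = {
        "accessKeyId": creds["AccessKeyId"],
        "secretAccessKey": creds["SecretAccessKey"],
        "roleId": "",
        "region": data.get("region", ""),
    }
    shutil.copy2(path, path.parent / (path.name + ".bak"))
    tmp = path.parent / (path.name + ".tmp")
    tmp.write_text(json.dumps(new_data, indent=2))
    os.chmod(tmp, 0o600)   # the file now carries live secrets; owner-readable only
    os.replace(tmp, path)  # atomic swap so the proxy never reads a half-written file
    return new_data


def sts_fetcher(role_arn: str, session_name: str = "atlas-snapshot-restore") -> CredentialFetcher:
    """Build a fetcher that assumes `role_arn` with STS (assumed implementation;
    requires boto3 and AWS credentials in the environment)."""
    def fetch() -> Dict[str, str]:
        import boto3  # imported lazily so the module loads offline without boto3
        sts = boto3.client("sts")
        return sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    return fetch


if __name__ == "__main__":
    import sys
    db_path, role_arn = sys.argv[1], sys.argv[2]  # usage: script.py <dbPath> <IAM role ARN>
    for meta in find_metadata_files(db_path):
        if classify_metadata(meta) == "role":
            rewrite_with_temporary_credentials(meta, sts_fetcher(role_arn))
            print(f"rewrote {meta} with temporary credentials")
```

Temporary credentials returned by STS always come with a session token, and the file layout shown above has no field for one. If the proxy fails to authenticate after the rewrite, use the second option above and pass the credentials on the command line, which does accept awsSessionToken. Remember to restore the .bak file once the restore is done so the live key pair does not stay on disk.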
Procedure
Download the encrypted snapshot.
Click Databases in the top-left corner of Atlas.
In the Database Deployments view, click the name of the database deployment for which you want to download a snapshot.
Click the Backup tab.
In the Actions column, expand the Actions menu, and click Download for the snapshot that you want to download.
Atlas prepares the snapshot. When it is ready to download, Atlas generates a one-time use download link that expires after four hours. Atlas emails you the download link and displays it in the Restores & Downloads tab.
Download the KMIP Proxy Standalone.
In the Preparing Snapshot Download modal, click Download KMIP Proxy and select the binary for your operating system.
Tip
You can also download the KMIP Proxy Standalone from the following locations in the Atlas user interface:
On the Security Advanced page, in the Encryption at Rest using your Key Management section.
In the Backup Restores & Downloads tab of the cluster.
Start a mongod process.
Invoke the following command with the specified parameters:
mongod --dbpath <dbpath> --port <mongodPort> --enableEncryption --kmipPort <kmipPort> --kmipServerName 127.0.0.1 --kmipServerCAFile <dbpath>/kmipCA.pem --kmipActivateKeys false --kmipClientCertificateFile <dbpath>/kmipClient.pem
Parameter | Description |
---|---|
dbpath | Path to the directory where the mongod stores its data. |
port | Port on which the mongod listens for client connections. |
kmipPort | Port on which the KMIP server (the KMIP Proxy Standalone, bound to 127.0.0.1) listens. |
kmipServerCAFile | Path to the CA file used to validate the secure connection to the KMIP server. |
kmipActivateKeys | For MongoDB server v5.2 or later, flag that specifies whether to activate or disable keys for the MongoDB server. Must be false when you start the MongoDB server. |
kmipClientCertificateFile | Path to the client certificate used to authenticate MongoDB to the KMIP server. |
The KMIP Proxy Standalone acts as the KMIP server bound to 127.0.0.1 and listening on the specified kmipPort. The mongod connects to it as a KMIP client, validating the server with kmipServerCAFile and authenticating with kmipClientCertificateFile, so the proxy must be running before you start the mongod.
Connect to the mongod process.
Access your data files by connecting to the mongod through mongosh, MongoDB Compass, or standard utilities such as mongodump or mongorestore.
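The following Python script is an added example, not MongoDB's code and not part of this page, covering the "Start a mongod process" step. Before launching mongod it checks the things that make that step fail in practice: that the CA file and client certificate are where the command above expects them, that a cloudProviderCredentials/*.metadata file exists under the dbpath, and that something is already accepting connections on 127.0.0.1:<kmipPort> (the KMIP Proxy Standalone). It then builds the exact mongod command line from the page. It assumes the cert file names kmipCA.pem and kmipClient.pem used in the command above and that mongod is on PATH.

```python
"""Preflight checks and command line for starting mongod against the KMIP Proxy.

Added example, not MongoDB's code. Assumes the layout used in the procedure:
kmipCA.pem and kmipClient.pem in <dbpath>, the KMIP Proxy Standalone already
listening on 127.0.0.1:<kmipPort>, and the mongod flags shown on the page.
"""
import socket
from pathlib import Path
from typing import List

KMIP_HOST = "127.0.0.1"  # the proxy binds to loopback only


def kmip_server_reachable(port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to 127.0.0.1:<port> succeeds (the proxy is up)."""
    try:
        with socket.create_connection((KMIP_HOST, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(db_path: str, kmip_port: int) -> List[str]:
    """Return the problems that would make the mongod start fail; empty if all is well."""
    problems: List[str] = []
    root = Path(db_path)
    if not root.is_dir():
        return [f"dbpath does not exist: {root}"]
    for name in ("kmipCA.pem", "kmipClient.pem"):
        if not (root / name).is_file():
            problems.append(f"missing {name} in {root}")
    if not list((root / "cloudProviderCredentials").glob("*.metadata")):
        problems.append("no cloudProviderCredentials/*.metadata file under dbpath")
    if not kmip_server_reachable(kmip_port):
        problems.append(
            f"nothing listening on {KMIP_HOST}:{kmip_port}; start the KMIP Proxy Standalone first"
        )
    return problems


def mongod_argv(db_path: str, mongod_port: int, kmip_port: int) -> List[str]:
    """Build the mongod invocation from the page, with the cert paths under dbpath."""
    root = Path(db_path)
    return [
        "mongod",
        "--dbpath", str(root),
        "--port", str(mongod_port),
        "--enableEncryption",
        "--kmipPort", str(kmip_port),
        "--kmipServerName", KMIP_HOST,
        "--kmipServerCAFile", str(root / "kmipCA.pem"),
        "--kmipActivateKeys", "false",   # required to be false at startup (v5.2+)
        "--kmipClientCertificateFile", str(root / "kmipClient.pem"),
    ]


if __name__ == "__main__":
    import subprocess
    import sys
    # usage: script.py <dbpath> <mongodPort> <kmipPort>
    db, mport, kport = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    issues = preflight(db, kport)
    if issues:
        sys.exit("\n".join(issues))
    subprocess.run(mongod_argv(db, mport, kport), check=True)
```

The reachability check only proves that a TCP listener exists on the port; it does not validate the proxy's certificate against kmipCA.pem, which mongod itself does when it connects. A refused connection at this stage almost always means the proxy was not started, or was started on a different kmipPort than the one given to mongod.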