Docs Menu
Docs Home
MongoDB Atlas
/ /

Access an Encrypted Snapshot

On this page

  • Considerations
  • Procedure

When you use Encryption at Rest using Customer Key Management, Atlas encrypts the mongod data files in your snapshots. If you want to download and restore a snapshot, the mongod can't read these data files unless it has access to a KMIP server that can provide the appropriate decryption key. You can use the KMIP Proxy Standalone to access the mongod data files. You download the KMIP Proxy Standalone as a binary for your specific operating system.

By default, the KMIP Proxy Standalone uses the credentials stored in the /<dbPath>/cloudProviderCredentials/<keyID>.<cloudProvider>.metadata file.

  • If you rotate keys, these credentials reflect the latest key rotation.

  • If the KMIP Proxy Standalone binary is unable to decrypt the snapshots using these credentials, the binary shows an error message stating that you must update the metadata files on disk that contain the old credentials. You can update the metadata file with any text editor.

  • If you use role-based access to your encryption key, the /<dbPath>/cloudProviderCredentials/<keyID>.<cloudProvider>.metadata file won't contain valid credentials.

    Take one of the following actions:

    • Update the /<dbPath>/cloudProviderCredentials/<keyID>.<cloudProvider>.metadata file. Use an empty roleId. Provide temporary credentials based on the IAM role that can access your encryption key in the accessKeyId and secretAccessKey fields:

      "accessKeyId": "TemporaryAccessKeyId",
      "secretAccessKey": "TemporarySecretAccessKey",
      "roleId": "",
      "region": "us-east-1"
    • Start the KMIP Proxy Standalone binary with the following options:

      • awsAccessKey

      • awsSecretAccessKey

      • awsSessionToken

      • awsRegion

    To generate temporary credentials based on an IAM role, see the AWS documentation.

  1. Click Databases in the top-left corner of Atlas.

  2. In the Clusters view, click the name of the cluster for which you want to download a snapshot.

  3. Click the Backup tab.

  4. In the Actions column, expand the Actions menu, and click Download for the snapshot that you want to download.

    Atlas prepares the snapshot. When it is ready to download, Atlas generates a one-time use download link that expires after four hours. Atlas emails you the download link and displays it in the Restores & Downloads tab.


In the Preparing Snapshot Download modal, click Download KMIP Proxy and select the binary for your operating system.


You can also download the KMIP Proxy Standalone from the following locations in the Atlas user interface:

  • On the Security Advanced page, in the Encryption at Rest using your Key Management section.

  • In the Backup Restores & Downloads tab of the cluster.

  1. Open a terminal or command prompt window.

  2. Invoke the following command with the specified parameters:

The KMIP Proxy Standalone generates a KMIP certificate for localhost and writes it to the dbpath.


Invoke the following command with the specified parameters:

mongod --dbpath <dbpath> --port <mongodPort> --enableEncryption --kmipPort <kmipPort> --kmipServerName --kmipServerCAFile <dbpath>/kmipCA.pem --kmipActivateKeys false --kmipClientCertificateFile <dbpath>/kmipClient.pem
Path to the directory where the mongod stores its data.
Port on which the mongod listens for client connections.
Port on which the KMIP server listens.
Path to the CA File used to validate secure client connection to the KMIP server.
For MongoDB server v5.2 or later, flag that specifies whether to activate or disable keys for the MongoDB server. Value for this parameter must be false when you start the MongoDB server.
Path to the client certificate used for authenticating MongoDB to the KMIP server.

The mongod acts as a KMIP server bound to and runs on the specified kmipPort.


Access your data files by connecting to the mongod through the mongosh, MongoDB Compass, or through standard utilities such as mongodump or mongorestore.

You can also restore a snapshot using Encryption at Rest.

← Encryption