Docs Menu
Docs Home
MongoDB Cloud Manager

Encrypted Backup Snapshots

On this page

  • Prerequisites
  • Encrypt Your Backup Job

Cloud Manager can encrypt any backup job that it had stored in a snapshot store. The snapshot must come from a database that ran MongoDB Enterprise 4.2 or later with:


Cloud Manager doesn't support transitioning from local key encryption to KMIP server-based encryption.

To encrypt backups, you use a master key that a KMIP-compliant key management appliance generates and maintains. This master key encrypts key that encrypts the database.

Cloud Manager creates snapshots of FCV of 4.2 or later deployments by copying the bytes on disk from a host's storage.dbPath to the snapshot store. If you enable MongoDB Encryption at Rest for the host you are backing up, the bytes that Cloud Manager copies to the snapshot store are already encrypted. Cloud Manager encrypts data at the storage engine layer when you write data to a host's disk.

For FCV of 4.2 or later deployments, Cloud Manager components don't interact with the KMIP host when taking snapshots.


See also:

A host running KMIP-compliant key management to generate and store encryption keys.


You must maintain all keys, even rotated keys, in the KMIP host.


If you have not yet enabled Cloud Manager Backup, click Begin Setup and complete the wizard. This results in a completed backup setup, so you can skip the rest of this procedure.


From the list of processes, navigate to the Status column for the process you want to back up and click Start.

Possible Values
Default Value
Sync source
  • Any secondary (Ops Manager chooses)

  • Any specific secondary

  • The primary node

any secondary

Using a secondary is preferred because it minimizes performance impact on the primary.

Storage Engine


Cloud Manager limits backups to deployments with fewer than 100,000 files. Files includes collections and indexes.


If Automation doesn't manage your deployment and your deployment requires authentication, specify the authentication mechanism and credentials.

Specify the following, as appropriate:

Auth Mechanism

The authentication mechanism that the MongoDB host uses.

MongoDB Community options include:

MongoDB Enterprise options also include:

DB Username

For Username/Password or LDAP authentication, the username used to authenticate the MongoDB Agent with the MongoDB deployment.

See Configure MongoDB Agent for Authentication or Configure MongoDB Agent for LDAP.

DB Password
For Username/Password or LDAP authentication, the password used to authenticate the MongoDB Agent with the MongoDB deployment.
Allows TLS for connections

If checked, Backup uses TLS to connect to MongoDB.

See Configure MongoDB Agent to Use TLS.

← Advanced Options for Federated Authentication