Cloud Manager can encrypt any backup job that it had stored in a snapshot store. The snapshot must come from a database that ran MongoDB Enterprise 4.2 or later with:
Cloud Manager doesn't support transitioning from local key encryption to KMIP server-based encryption.
To encrypt backups, you use a master key that a KMIP-compliant key management appliance generates and maintains. This master key encrypts key that encrypts the database.
Cloud Manager creates snapshots of
FCV of 4.2 or later deployments by
copying the bytes on disk from a host's
storage.dbPath to the
snapshot store. If you enable MongoDB Encryption at Rest for the host
you are backing up, the bytes that Cloud Manager copies to the snapshot store
are already encrypted. Cloud Manager encrypts data at the storage engine layer
when you write data to a host's disk.
FCV of 4.2 or later deployments, Cloud Manager components don't
interact with the KMIP host when taking snapshots.
A host running KMIP-compliant key management to generate and store encryption keys.
You must maintain all keys, even rotated keys, in the KMIP host.
Using a secondary is preferred because it minimizes performance impact on the primary.
Cloud Manager limits backups to deployments with fewer than 100,000 files. Files includes collections and indexes.
If Automation doesn't manage your deployment and your deployment requires authentication, specify the authentication mechanism and credentials.
Specify the following, as appropriate:
LDAP authentication, the
password used to authenticate the MongoDB Agent with the MongoDB
Allows TLS for connections
If checked, Backup uses TLS to connect to MongoDB.