You were redirected from a different version of the documentation. Click here to go back.

Encrypted Backup Snapshots

Cloud Manager can encrypt any backup job that it had stored in a snapshot store. The snapshot must come from a database that ran MongoDB Enterprise 4.2 or later with:


Cloud Manager doesn’t support transitioning from local key encryption to KMIP server-based encryption.

To encrypt backups, you use a master key that a KMIP-compliant key management appliance generates and maintains. This master key encrypts key that encrypts the database.

Cloud Manager creates snapshots of FCV of 4.2 or later deployments by copying the bytes on disk from a host’s storage.dbPath to the snapshot store. If you enable MongoDB Encryption at Rest for the host you are backing up, the bytes that Cloud Manager copies to the snapshot store are already encrypted. Cloud Manager encrypts data at the storage engine layer when you write data to a host’s disk.

For FCV of 4.2 or later deployments, Cloud Manager components don’t interact with the KMIP host when taking snapshots.


A host running KMIP-compliant key management to generate and store encryption keys.


You must maintain all keys, even rotated keys, in the KMIP host.

Encrypt Your Backup Job


Click Continuous Backup.

If you have not yet enabled Cloud Manager Backup, click Begin Setup and complete the wizard. This results in a completed backup setup, so you can skip the rest of this procedure.


Start backing up the process.

From the list of processes, navigate to the Status column for the process you want to back up and click Start.


In the Start Backup sidebar, configure the backup source and storage engine.

Menu Possible Values Default Value
Sync source
  • Any secondary (Ops Manager chooses)
  • Any specific secondary
  • The primary node

any secondary

Using a secondary is preferred because it minimizes performance impact on the primary.

Storage Engine


Cloud Manager limits backups to deployments with fewer than 100,000 files. Files includes collections and indexes.


Set Authentication Mechanisms.

If Automation doesn’t manage your deployment and your deployment requires authentication, specify the authentication mechanism and credentials.

Specify the following, as appropriate:

Auth Mechanism

The authentication mechanism that the MongoDB host uses.

MongoDB Community options include:

MongoDB Enterprise options also include:

DB Username

For Username/Password or LDAP authentication, the username used to authenticate the MongoDB Agent with the MongoDB deployment.

See Configure MongoDB Agent for Authentication or Configure MongoDB Agent for LDAP.

DB Password For Username/Password or LDAP authentication, the password used to authenticate the MongoDB Agent with the MongoDB deployment.
Allows TLS for connections

If checked, Backup uses TLS to connect to MongoDB.

See Configure MongoDB Agent to Use TLS.


Click Start.