Backup Encryption Keys


MongoDB 3.4 Enterprise enables administrators to encrypt backups. Administrators must integrate with a KMIP server to generate and manage a master key used to encrypt the head databases during a backup operation. MongoDB recommends periodically rotating the KMIP master key for increased security.


Rotate the KMIP Master Key

Use the PUT HTTP method with the following endpoint to rotate the KMIP master key. Issue one PUT request for each shard and another PUT request for the config server replica set.

PUT /api/public/v1.0/groups/GROUP-ID/backupConfigs/CLUSTER-ID/encryptionKey

Retrieve the KMIP Master Key ID

Use the GET HTTP method with the same endpoint to retrieve the ID of the current KMIP master key.

GET /api/public/v1.0/groups/GROUP-ID/backupConfigs/CLUSTER-ID/encryptionKey

Sample Entity

{
  "clusterId": "yyy",
  "groupId": "xxx",
  "encryptionKeyUUID": "1234-3456-4567-abcd-def0"
}

Entity Fields

| Name | Type | Description |
|------|------|-------------|
| groupId | string | ID of the group that the encryption key belongs to. |
| clusterId | string | ID of the cluster that the encryption keys belong to. |
| encryptionKeyUUID | string | The ID of the KMIP master key. This key is used to encrypt and restore the head databases for an encrypted backup. |


Rotate the KMIP Master Key


curl -i -u "username:apiKey" -H "Content-Type: application/json" --digest -X PUT "https://<ops-manager-host>/api/public/v1.0/groups/5196d3628d022db4cbc26d9e/backupConfigs/5196e5b0e4b0fca9cc88334a/encryptionKey"


HTTP/1.1 201 Accepted

The new KMIP master key ID is not displayed in the response. Retrieve the new key with a GET request to the same endpoint, as shown in the next example.

Retrieve the KMIP Master Key ID


curl -i -u "username:apiKey" -H "Content-Type: application/json" --digest -X GET "https://<ops-manager-host>/api/public/v1.0/groups/5196d3628d022db4cbc26d9e/backupConfigs/5196e5b0e4b0fca9cc88334a/encryptionKey"


HTTP/1.1 200 OK
{
  "clusterId" : "5196e5b0e4b0fca9cc88334a",
  "groupId" : "5196d3628d022db4cbc26d9e",
  "encryptionKeyUUID": "1234-3456-4567-abcd-def0"
}
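
Because the PUT response does not show the new key ID, a rotation is only confirmed once a follow-up GET returns a different `encryptionKeyUUID`. The script below is an added example, not part of the original documentation, that chains the two requests above for each cluster ID; the `OM_HOST`, `OM_USER`, `OM_API_KEY` and `GROUP_ID` environment variables and all function names are assumptions.

```shell
#!/bin/sh
# Added example. Assumed (not from the page): OM_HOST, OM_USER, OM_API_KEY and
# GROUP_ID environment variables, and every function name below.

# Print the encryptionKeyUUID value from a JSON entity read on stdin.
key_uuid() {
    sed -n 's/.*"encryptionKeyUUID"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# True only when both key IDs are present and differ.
rotation_confirmed() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# $1 = HTTP method, $2 = cluster ID. Credentials are fed to curl as a config
# on stdin (-K -) so they do not appear in the process list.
om_call() {
    printf 'user = "%s:%s"\n' "$OM_USER" "$OM_API_KEY" |
        curl -sS --fail --digest -K - -X "$1" -H "Content-Type: application/json" \
            "https://$OM_HOST/api/public/v1.0/groups/$GROUP_ID/backupConfigs/$2/encryptionKey"
}

# Rotate the key for one cluster ID and confirm the key ID changed.
rotate_and_verify() {
    before=$(om_call GET "$1" | key_uuid)
    [ -n "$before" ] || { echo "$1: cannot read current key ID" >&2; return 1; }
    om_call PUT "$1" >/dev/null || { echo "$1: PUT failed" >&2; return 1; }
    after=$(om_call GET "$1" | key_uuid)
    if rotation_confirmed "$before" "$after"; then
        echo "$1: key ID changed from $before to $after"
    else
        echo "$1: key ID unchanged or unreadable after PUT" >&2
        return 1
    fi
}

# Arguments: the ID for each shard plus the ID for the config server replica set.
rotate_all() {
    rc=0
    for id in "$@"; do rotate_and_verify "$id" || rc=1; done
    return "$rc"
}
```

Source the file and call `rotate_all` with the IDs to rotate; a nonzero return means at least one rotation could not be confirmed.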
