Encrypted Backup Snapshots

On this page

Prerequisites

Encrypt Your Backup Job

Cloud Manager will no longer support Automation, Backup, and Monitoring for MongoDB 3.6 and 4.0 after August 30th, 2024. Please upgrade your MongoDB deployment or migrate to Atlas.

OAuth 2.0 authentication for programmatic access to Cloud Manager is available as a Preview feature.: The feature and the corresponding documentation might change at any time during the Preview period. To use OAuth 2.0 authentication, create a service account to use in your requests to the Cloud Manager Public API.

Cloud Manager can encrypt any backup job that it had stored in a snapshot store. The snapshot must come from a database that ran MongoDB Enterprise 4.2 or later with:

FCV 4.2 or later and
WiredTiger storage engine.

Warning

Cloud Manager doesn't support transitioning from local key encryption to KMIP server-based encryption.

To encrypt backups, you use a master key that a KMIP-compliant key management appliance generates and maintains. This master key encrypts key that encrypts the database.

Cloud Manager creates snapshots of FCV 4.2 or later deployments by copying the bytes on disk from a host's storage.dbPath to the snapshot store. If you enable MongoDB Encryption at Rest for the host you are backing up, the bytes that Cloud Manager copies to the snapshot store are already encrypted. Cloud Manager encrypts data at the storage engine layer when you write data to a host's disk.

For FCV 4.2 or later deployments, Cloud Manager components don't interact with the KMIP host when taking snapshots.

Tip

Prerequisites

A host running KMIP-compliant key management to generate and store encryption keys.

Important

You must maintain all keys, even rotated keys, in the KMIP host.

Encrypt Your Backup Job

In MongoDB Cloud Manager, go to the Continuous Backup page for your project.

If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
Click Continuous Backup in the sidebar.
The Continuous Backup page displays.

Enable Cloud Manager Backup.

If you have not yet enabled Cloud Manager Backup, click Begin Setup and complete the wizard. This results in a completed backup setup, so you can skip the rest of this procedure.

Start backing up the process.

From the list of processes, navigate to the Status column for the process you want to back up and click Start.

In the Start Backup sidebar, configure the backup source and storage engine.

Menu	Possible Values	Default Value
Sync source	Any secondary (Ops Manager chooses) Any specific secondary The primary node	`any secondary` Using a secondary is preferred because it minimizes performance impact on the primary.
Storage Engine	WiredTiger Cloud Manager limits backups to deployments with fewer than 100,000 files. Files includes collections and indexes.	`WiredTiger`

Set Authentication Mechanisms.

If Automation doesn't manage your deployment and your deployment requires authentication, specify the authentication mechanism and credentials.

Specify the following, as appropriate:

Auth Mechanism	The authentication mechanism that the MongoDB host uses. MongoDB Community options include: Username/Password X.509 Client Certificate MongoDB Enterprise options also include: Kerberos LDAP
DB Username	For `Username/Password` or `LDAP` authentication, the username used to authenticate the MongoDB Agent with the MongoDB deployment. See Configure MongoDB Agent for Authentication or Configure MongoDB Agent for LDAP.
DB Password	For `Username/Password` or `LDAP` authentication, the password used to authenticate the MongoDB Agent with the MongoDB deployment.
Allows TLS for connections	If checked, Backup uses TLS to connect to MongoDB. See Configure MongoDB Agent to Use TLS.

Click Start.

Back

Advanced Options

Rotate Master KMIP Keys