• Security >
• Encrypted Backup Snapshots

Encrypted Backup Snapshots

Snapshot encryption depends upon which version of MongoDB your database is compatible. This Feature Compatibility Version ranges from the current version to one version earlier. For MongoDB 4.2, the FCV can be 4.0 or 4.2. You can only create encrypted snapshots from encrypted clusters.

• FCV 4.2 or later
• FCV 4.0 or earlier

Ops Manager can encrypt any backup job that it had stored in a snapshot store. The snapshot must come from a database that ran MongoDB Enterprise 4.2 or later with:

• FCV of 4.2 or later and
• WiredTiger storage engine.

Note

Ops Manager no longer supports the creation of cluster snapshots from database deployments that use local key encryption. If you encrypt a database deployment with local key encryption, the snapshot fails. To encrypt snapshots, use KMIP-based encryption with your database deployments.

To encrypt backups, use a master key that a KMIP-compliant key management appliance generates and maintains. This master key encrypts key that encrypts the database.

Ops Manager creates snapshots of FCV of 4.2 or later deployments by copying the bytes on disk from a host’s storage.dbPath to the snapshot store. If you enable MongoDB Encryption at Rest for the host you are backing up, the bytes that Ops Manager copies to the snapshot store are already encrypted. Ops Manager encrypts data at the storage engine layer when you write data to a host’s disk.

For FCV of 4.2 or later deployments, Ops Manager components don’t interact with the KMIP host when taking snapshots.

Important

The Backup Daemon requires a connection to the KMIP host to process a queryable restore job of an encrypted backup.

See also

MongoDB Encryption at Rest

Ops Manager supports encryption for any backup job that was stored in a head database running MongoDB Enterprise 3.4 or later with the WiredTiger storage engine.

To encrypt backups, you use a master key that a KMIP-compliant key management appliance generates and maintains. This master key encrypts the head databases. As the Backup Daemon creates snapshots from the head databases, resulting snapshots from the encrypted head databases are themselves encrypted.

To restore from an encrypted backup, you need the same master key used to encrypt the backup and either the same certificate as is on the Backup Daemon host or a new certificate provisioned with that key from the KMIP host. This corresponds to the value in the KMIP client certificate path field.

Prerequisites

A host running KMIP-compliant key management to generate and store encryption keys.

Important

Clusters running MongoDB FCV 4.2 or later must use KMIP servers. These clusters don’t support local key management using files.

• Head databases use MongoDB Enterprise 3.4 or later with the WiredTiger storage engine.
• A valid KMIP client certificate and KMIP host Certificate Authority files. These files are used to authenticate Ops Manager to the KMIP host. The client certificate on the Backup Daemon host must have access to all keys in the KMIP host.

Important

You must maintain all keys, even rotated keys, in the KMIP host.

Set up KMIP Host Configuration for Ops Manager

1

Navigate to the Backup configuration tab.

1. Click Admin.
2. Click General.
3. Click Ops Manager Config.
4. Click Backup tab.

See also

Ops Manager Config

2

Complete the KMIP fields.

Update the following KMIP host fields in the KMIP Server Configuration section:

KMIP Server Host	Type the FQDN for the KMIP host.
KMIP Server Port	Type the port on which the KMIP host is listening for KMIP connections. The default KMIP port is 5696.
KMIP Server CA File	Type the absolute path for the Certificate Authority file on the Ops Manager host. This must be the same Certificate Authority file stored on the KMIP host.

3

Click Save.

Configure Your Project to Use KMIP

Note

All deployments in the project use the same KMIP client certificate file to authenticate.

1

Navigate to the Project Backup configuration page.

1. Click Admin
2. Click Projects
3. Under the <Project Name>, click More ….
4. In the row for Backup Configuration, click View.

See also

Projects

2

Complete the KMIP fields.

KMIP client certificate path	Type the absolute path for the client certificate file on the Ops Manager host. Ops Manager uses this certificate to authenticate itself to the KMIP server. A single file can hold both the CA and client certificate.
KMIP client certificate password	Optional Only enter if the certificate specified in KMIP client certificate path is encrypted.

3

Click Save Changes.

Encrypt Your Backup Job

1

Click Continuous Backup.

If you have not yet enabled Ops Manager Backup, click Begin Setup and complete the wizard. This results in a completed backup setup, so you can skip the rest of this procedure.

2

Start backing up the process.

From the list of processes, navigate to the Status column for the process you want to back up and click Start.

3

In the Start Backup sidebar, configure the backup source and storage engine.

Menu	Possible Values	Default Value
Sync source	Any secondary (Ops Manager chooses) Any specific secondary The primary node	any secondary Using a secondary is preferred because it minimizes performance impact on the primary.
Storage Engine	WiredTiger Ops Manager limits backups to deployments with fewer than 100,000 files. Files includes collections and indexes.	WiredTiger

4

Set Authentication Mechanisms.

If Automation doesn’t manage your deployment and your deployment requires authentication, specify the authentication mechanism and credentials.

Specify the following, as appropriate:

Auth Mechanism	The authentication mechanism that the MongoDB host uses. MongoDB Community options include: Username/Password X.509 Client Certificate MongoDB Enterprise options also include: Kerberos LDAP
DB Username	For Username/Password or LDAP authentication, the username used to authenticate the MongoDB Agent with the MongoDB deployment. See Configure MongoDB Agent for Authentication or Configure MongoDB Agent for LDAP.
DB Password	For Username/Password or LDAP authentication, the password used to authenticate the MongoDB Agent with the MongoDB deployment.
Allows TLS for connections	If checked, Backup uses TLS to connect to MongoDB. See Configure MongoDB Agent to Use TLS.

5

Click Start.

Important

For existing backups in a project, enabling encryption requires an initial backup sync to recreate the backups’ head databases.

1

Click Continuous Backup.

If you have not yet enabled Ops Manager Backup, click Begin Setup and complete the wizard. This results in a completed backup setup, so you can skip the rest of this procedure.

2

Start backing up the process.

From the list of processes, navigate to the Status column for the process you want to back up and click Start.

3

In the Start Backup sidebar, configure the backup source and storage engine.

Menu	Possible Values	Default Value
Sync source	Any secondary (Ops Manager chooses) Any specific secondary The primary node	any secondary Using a secondary is preferred because it minimizes performance impact on the primary.
Storage Engine	MongoDB Memory Mapped Files or WiredTiger. If you select this option, Ops Manager limits backups to deployments with fewer than 100,000 files. Files includes collections and indexes. See the considerations in Storage Engines.	Same storage engine as the primary node of the database being backed up.

If the storage engine is WiredTiger, you can enable encryption. To enable encryption, select Enable Encryption. Select only if you have set up KMIP server for your backups and configured the project to use KMIP.

4

Set Authentication Mechanisms.

If Automation doesn’t manage your deployment and your deployment requires authentication, specify the authentication mechanism and credentials.

Specify the following, as appropriate:

Auth Mechanism	The authentication mechanism that the MongoDB host uses. MongoDB Community options include: Username/Password X.509 Client Certificate MongoDB Enterprise options also include: Kerberos LDAP
DB Username	For Username/Password or LDAP authentication, the username used to authenticate the MongoDB Agent with the MongoDB deployment. See Configure MongoDB Agent for Authentication or Configure MongoDB Agent for LDAP.
DB Password	For Username/Password or LDAP authentication, the password used to authenticate the MongoDB Agent with the MongoDB deployment.
Allows TLS for connections	If checked, Backup uses TLS to connect to MongoDB. See Configure MongoDB Agent to Use TLS.

5

To filter which namespaces get backed up, click Advanced Settings.

To exclude databases and collections from this backup:

1. Click Blacklist.
2. Enter the first database and collection in the text box. For collections, enter the full namespace: <database>.<collection>.
3. To exclude additional databases or collections, click the Add another link then repeat the previous step.

To include only certain databases and collections for this backup:

1. Click Access List.
2. Enter the first database and collection in the text box. For collections, enter the full namespace: <database>.<collection>.
3. To include additional databases or collections, click the Add another link then repeat the previous step.

6

Click Start.

←   Manage Two-Factor Authentication for Ops Manager Rotate Master KMIP Keys  →

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.