Encrypted Backup Snapshots
On this page
Snapshot encryption depends upon which
version of MongoDB your database is compatible.
This Feature Compatibility Version ranges from the current version
to one version earlier. For MongoDB 4.2, the FCV can be 4.0 or
4.2. You can only create encrypted snapshots from encrypted
clusters.
Ops Manager can encrypt any backup job that it had stored in a snapshot store. The snapshot must come from a database that ran MongoDB Enterprise 4.2 or later with:
FCV of 4.2 or later and
WiredTiger storage engine.
Warning
Ops Manager doesn't support transitioning from local key encryption to KMIP server-based encryption.
Note
Ops Manager no longer supports the creation of cluster snapshots from database deployments that use local key encryption. If you encrypt a database deployment with local key encryption, the snapshot fails. To encrypt snapshots, use KMIP-based encryption with your database deployments.
To encrypt backups, use a master key that a KMIP-compliant key management appliance generates and maintains. This master key encrypts key that encrypts the database.
Ops Manager creates snapshots of FCV of 4.2 or later deployments by
copying the bytes on disk from a host's storage.dbPath to the
snapshot store. If you enable MongoDB Encryption at Rest for the host
you are backing up, the bytes that Ops Manager copies to the snapshot store
are already encrypted. Ops Manager encrypts data at the storage engine layer
when you write data to a host's disk.
For FCV of 4.2 or later deployments, Ops Manager components don't interact with the KMIP host when taking snapshots.
Important
The Backup Daemon requires a connection to the KMIP host to process a queryable restore job of an encrypted backup.
Ops Manager supports encryption for any backup job that was stored in a head database running MongoDB Enterprise 3.4 or later with the WiredTiger storage engine.
Warning
Ops Manager doesn't support transitioning from local key encryption to KMIP server-based encryption.
To encrypt backups, you use a master key that a KMIP-compliant key management appliance generates and maintains. This master key encrypts the head databases. As the Backup Daemon creates snapshots from the head databases, resulting snapshots from the encrypted head databases are themselves encrypted.
To restore from an encrypted backup, you need the same master key used to encrypt the backup and either the same certificate as is on the Backup Daemon host or a new certificate provisioned with that key from the KMIP host. This corresponds to the value in the KMIP client certificate path field.
Prerequisites
A host running KMIP-compliant key management to generate and store encryption keys.
Important
Clusters running MongoDB FCV 4.2 or later must use KMIP servers. These clusters don't support local key management using files.
Head databases use MongoDB Enterprise 3.4 or later with the WiredTiger storage engine.
A valid KMIP client certificate and KMIP host Certificate Authority files. These files are used to authenticate Ops Manager to the KMIP host. The client certificate on the Backup Daemon host must have access to all keys in the KMIP host.
Important
You must maintain all keys, even rotated keys, in the KMIP host.
Set up KMIP Host Configuration for Ops Manager
Complete the KMIP fields.
Update the following KMIP host fields in the KMIP Server Configuration section:
Type the FQDN for the KMIP host. | |
Type the port on which the KMIP host is listening for
KMIP connections. The default KMIP port is 5696. | |
Type the absolute path for the Certificate Authority file on the Ops Manager
host. This must be the same Certificate Authority file stored on the
KMIP host. |
Configure Your Project to Use KMIP
Note
All deployments in the project use the same KMIP client certificate file to authenticate.
Complete the KMIP fields.
KMIP client certificate path | Type the absolute path for the client certificate file on the Ops Manager host. Ops Manager uses this certificate to authenticate itself to the KMIP server. A single file can hold both the CA and client certificate. |
KMIP client certificate password | Optional Only enter if the certificate specified in
KMIP client certificate path is encrypted. |
Encrypt Your Backup Job
In the Start Backup sidebar, configure the backup source and storage engine.
Menu | Possible Values | Default Value |
|---|---|---|
Sync source |
|
Using a secondary is preferred because it minimizes performance impact on the primary. |
Storage Engine | WiredTiger Ops Manager limits backups to deployments with fewer than 100,000 files. Files includes collections and indexes. | WiredTiger |
Set Authentication Mechanisms.
If Automation doesn't manage your deployment and your deployment requires authentication, specify the authentication mechanism and credentials.
Specify the following, as appropriate:
Auth Mechanism | The authentication mechanism that the MongoDB host uses. MongoDB Community options include:
MongoDB Enterprise options also include: |
DB Username | For See Configure MongoDB Agent for Authentication or Configure MongoDB Agent for LDAP. |
DB Password | For Username/Password or LDAP authentication, the
password used to authenticate the MongoDB Agent with the MongoDB
deployment. |
Allows TLS for connections | If checked, Backup uses TLS to connect to MongoDB. |
Important
For existing backups in a project, enabling encryption requires an initial backup sync to recreate the backups' head databases.
In the Start Backup sidebar, configure the backup source and storage engine.
Menu | Possible Values | Default Value |
|---|---|---|
Sync source |
|
Using a secondary is preferred because it minimizes performance impact on the primary. |
Storage Engine |
See the considerations in Storage Engines. | Same storage engine as the primary node of the database being
backed up. |
If the storage engine is WiredTiger, you can enable encryption. To enable encryption, select Enable Encryption. Select only if you have set up KMIP server for your backups and configured the project to use KMIP.
Set Authentication Mechanisms.
If Automation doesn't manage your deployment and your deployment requires authentication, specify the authentication mechanism and credentials.
Specify the following, as appropriate:
Auth Mechanism | The authentication mechanism that the MongoDB host uses. MongoDB Community options include:
MongoDB Enterprise options also include: |
DB Username | For See Configure MongoDB Agent for Authentication or Configure MongoDB Agent for LDAP. |
DB Password | For Username/Password or LDAP authentication, the
password used to authenticate the MongoDB Agent with the MongoDB
deployment. |
Allows TLS for connections | If checked, Backup uses TLS to connect to MongoDB. |
To filter which namespaces get backed up, click Advanced Settings.
To exclude databases and collections from this backup:
Click Blacklist.
Enter the first database and collection in the text box. For collections, enter the full namespace:
<database>.<collection>.To exclude additional databases or collections, click the Add another link then repeat the previous step.
To include only certain databases and collections for this backup:
Click Access List.
Enter the first database and collection in the text box. For collections, enter the full namespace:
<database>.<collection>.To include additional databases or collections, click the Add another link then repeat the previous step.