Reputation: 17
I've been following tutorials and courses to learn development, and I try to be mindful of security.
When using NodeJS, MongoDB Atlas + Mongoose, should one encrypt the data manually, or does MongoDB Atlas encrypt it automatically?
Thanks for taking the time to read.
Have a good one!
Upvotes: 2
Views: 579
Reputation: 14490
There are multiple places where "data" can be encrypted.
When the data is stored on disk by the database. This is called encryption at rest. See https://docs.mongodb.com/manual/core/security-encryption-at-rest/ for the core server feature, https://docs.atlas.mongodb.com/cluster-config/encryption/ for how to configure it in Atlas.
When the data is paged out to swap space by the operating system on the machine running the database server. The swap needs to be encrypted too. I don't know whether Atlas does this, asking this question through the official support channels is probably best.
When the data is transferred between the database and the application. This is called encryption in transit and is accomplished via TLS. All Atlas deployments use TLS, see https://docs.atlas.mongodb.com/reference/faq/security/.
Additionally, even though the above mechanisms encrypt the data at various points in its life, the systems that operate on the data (i.e. the database server) as well as the people who manage those systems have access to plaintext at all times. To prevent MongoDB server and company from being able to read your plaintext, use client-side encryption (https://docs.mongodb.com/manual/core/security-client-side-encryption/). This also mitigates unencrypted swap (if this is what Atlas uses).
Upvotes: 1
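As an added illustration of the "encrypt manually" option from the question (not part of the answer above, and not MongoDB's client-side encryption feature), the sketch below encrypts selected fields with Node's built-in `crypto` module before a document would be handed to Mongoose, so the database only ever receives ciphertext for those fields. The function names, the `users.ssn` field and the in-memory key are assumptions made for the example.

```javascript
// Added example: application-level field encryption with Node's built-in crypto.
const crypto = require('node:crypto');

const ALGO = 'aes-256-gcm';

// Encrypt one field value. `context` (e.g. "users.ssn") is bound as AAD, so a
// ciphertext copied into a different field or collection fails to decrypt.
function encryptField(plaintext, key, context) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every value
  const cipher = crypto.createCipheriv(ALGO, key, iv);
  cipher.setAAD(Buffer.from(context, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16-byte integrity tag
  return Buffer.concat([iv, tag, ct]).toString('base64');
}

// Reverse of encryptField; throws if the value, tag or context was altered.
function decryptField(stored, key, context) {
  const raw = Buffer.from(stored, 'base64');
  if (raw.length < 28) throw new Error('ciphertext too short');
  const decipher = crypto.createDecipheriv(ALGO, key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(context, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return pt.toString('utf8');
}

// Build the document that would be sent to the database:
// only the named fields are replaced by ciphertext.
function protectDocument(doc, sensitiveFields, key, collection) {
  const out = { ...doc };
  for (const f of sensitiveFields) {
    if (out[f] !== undefined) {
      out[f] = encryptField(String(out[f]), key, `${collection}.${f}`);
    }
  }
  return out;
}

// Constructed sample data. In a real application the key comes from a KMS or
// secret store and is never stored alongside the data (assumption of this sketch).
const key = crypto.randomBytes(32);
const stored = protectDocument(
  { email: 'a@example.com', ssn: '000-00-0000' }, ['ssn'], key, 'users');
console.log(stored);
console.log(decryptField(stored.ssn, key, 'users.ssn'));
```

Because every value gets a random nonce, the same plaintext encrypts to a different string each time, so equality or range queries on an encrypted field will not match on the server side.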