Encryption at Rest
Learn how to encrypt MongoDB data at rest using customer-managed encryption keys (BYOK). Understand how to integrate key management systems (KMS) and configure encryption policies to enhance security and compliance.
|
Upon completion of the Encryption at Rest skill and assessment, you will earn a Credly Badge that you are able to share with your network |
Learning Objectives
Identify and implement MongoDB's encryption at rest solutions
Learn how Encryption at Rest works and the different options available in MongoDB.
Enable Encrypted Storage Engine in Enterprise Advance deployments
Configure the Key Management Interoperability Protocol (KMIP) and enable Encrypted Storage Engine.
Configure Encrypted Storage Engine using Cloud Key Management System (KMS) integration in MongoDB Atlas
Learn about the role of Cloud KMS in enabling Encrypted Storage Engine in MongoDB Atlas.
Who is this Course Good for?
If you are a developer, operations engineer, or security professional responsible for protecting application data, this Encryption at Rest (BYOK) Skill Badge is designed for you. It is especially valuable if you work with MongoDB in regulated or security‑sensitive environments and need to understand how encryption at rest fits into your broader data protection strategy. You will benefit from this skill if you already have a basic familiarity with MongoDB deployments and want to go deeper into how the platform secures data on disk, how to configure encryption options, and how to integrate MongoDB with your existing key management and security controls. Whether you manage clusters in MongoDB Atlas or operate self‑managed MongoDB Enterprise Advanced, this badge will help you make informed decisions about encryption, keys, and compliance‑driven security requirements.
What to Expect in this Course
In this skill badge, you will learn what encryption at rest means in practice for MongoDB and why it is a critical layer of security for modern applications. The course begins by grounding you in the core problem: when data is written to disk on servers — often distributed across multiple data centers in the cloud — it is exposed to risks such as physical theft, unauthorized access by other tenants, or misuse if storage media is compromised. You explore how encryption at rest mitigates these threats by ensuring that data on disk cannot be read without access to the appropriate encryption keys.
From there, you examine how MongoDB implements encryption at rest across different deployment models. On MongoDB Atlas, you see how encryption at rest is enabled by default, providing automatic protection without additional configuration, and how Bring Your Own Key (BYOK) options give you greater control and governance over encryption keys to align with internal security policies and regulatory expectations. You then turn to MongoDB Enterprise Advanced, where encryption at rest is configured directly at the file storage level, allowing you to tailor how and where encryption is applied based on your infrastructure and security requirements.
You will learn about the different types of encryption at rest, with an emphasis on the approaches MongoDB uses in cloud and self‑managed environments. The skill walks through how encryption at rest differs between MongoDB Atlas and on‑premises or self‑managed deployments, and how to enable encryption using a Key Management Interoperability Protocol (KMIP)‑compliant key management server. Throughout, you build a conceptual and practical understanding of how encryption, key management, and deployment choices work together to protect sensitive data while maintaining performance and operational simplicity. By the end, you will be able to explain and configure MongoDB encryption at rest options that align with your organization’s security posture.
Summary of the Course
- Understand the security risks associated with storing data on disk across servers and cloud data centers.
- Explain the role of encryption at rest in a modern data security strategy for MongoDB deployments.
- Describe how MongoDB Atlas implements encryption at rest by default and how BYOK enhances key control and governance.
- Configure and reason about encryption at rest options in self‑managed MongoDB Enterprise Advanced environments.
- Distinguish between encryption at rest implementations in MongoDB Atlas and self‑managed or on‑premises deployments.
- Explain the basics of key management and the use of KMIP‑compliant key management servers with MongoDB.
- Evaluate which MongoDB encryption at rest configuration best fits specific security, compliance, or operational requirements.
- Apply the concepts from the course to design and document a secure MongoDB deployment strategy that incorporates encryption at rest.
Sarah Evans | Senior Curriculum Engineer
Sarah is a Senior Curriculum Engineer on the Curriculum team at MongoDB. Prior to MongoDB, she taught and developed curricula for developer bootcamps. Sarah has a MAT degree from Columbia University Teachers College and studied Software Engineering at Flatiron School in Chicago, IL.
Parker Faucher | University Curriculum Engineer
Parker is a Curriculum Engineer on the Education team at MongoDB. Prior to joining MongoDB, he helped maintain a world class developer bootcamp that was offered in multiple universities. He is a self taught developer who loves being able to give back to the community that has helped him so much.
Daniel Curran | Senior Software Engineer
Daniel is a Senior Software Engineer at MongoDB. Before joining MongoDB, he worked as an Instructional Designer and Content Developer specialising in technical content for a host of international clients. Daniel's goal is to remove obstacles so learners can feel confident on their journey to become masters of MongoDB.
Joel Lord | Lead Curriculum Engineer
Joel is a Lead Curriculum Engineer at MongoDB, focused on helping developers build better applications through accessible educational content. He started his career in software nearly 25 years ago and only paused briefly to pick up a B.Sc. in computational astrophysics from Université Laval. Since then, he’s worked across software development, developer advocacy, and technical education. Outside of work, he enjoys stargazing, homebrewing, and providing emotional support to his two cats, who frequently make guest appearances on Zoom.
John McCambridge | Curriculum Engineer
John is a Curriculum Engineer on the University team at MongoDB. Before his work as a Curriculum Engineer, he was an instructor and teaching assistant for coding boot camps at UT (Austin), and UCLA. Additionally, he worked as a QA engineer for a startup called Coder and spent five years at Apple Inc. John is a passionate software engineer and educator who enjoys taking complex topics and making them digestible for the community.
Davenson Lombard | Senior Software Engineer
Davenson Lombard is a Senior Software engineer at MongoDB on the Education Team. Prior to that, Davenson was a Technical Services Engineer at MongoDB and a Customer Success architect at Confluent. Davenson holds a Bachelor in Electrical Engineering from Concordia University in Montreal.
Emilio Scalise | Staff Technologist
Emilio is a multi-skilled IT specialist with a vast knowledge in system administration, databases, software development, network security, and cloud solutions. He is currently a Staff Technologist at MongoDB, producing internal and external learning materials. With over 8 years at MongoDB Support Organization, including five as a Staff Technical Support Engineer, he's developed considerable expertise in MongoDB's products and cloud services. In addition, Emilio is a certified MySQL DBA and experienced in technical translations between English and Italian.
Manuel Fontan Garcia | Senior Technologist
Manuel is a Senior Technologist on the Curriculum team at MongoDB. Previously he was a Senior Technical Services Engineer in the Core team at MongoDB. In between Manuel worked as a database reliability engineer at Slack for a little over 2 years and then for Cognite until he re-joined MongoDB. With over 15 years experience in software development and distributed systems, he is naturally curious and holds a Telecommunications Engineering MSc from Vigo University (Spain) and a Free and Open Source Software MSc from Rey Juan Carlos University (Spain).
In this skill badge, I'll show you how encryption at rest can help you protect your data.
Let's take a moment to set the stage for why we need encryption at rest. When we store our data, it's saved to a disk on a server. If our app leverages the cloud, the data is likely spread across multiple data centers across the world. But what if someone physically steals the server or if another tenant in the same data center gains unauthorized access to the data stored on the server's disk? Although data centers are typically secure environments, it is crucial to safeguard our data against potential threats like these. One of the most effective strategies to mitigate such risks is to implement encryption at rest.
Whether you're using Atlas or managing MongoDB on your own, we have you covered.
With MongoDB Atlas, encryption at rest is enabled by default, ensuring that your data is automatically protected without any extra configuration.
Additionally, the opportunity to bring your own keys or BYOK gives you enhanced control and governance over your data, adding an extra layer of security tailored to your needs. Meanwhile, for MongoDB Enterprise advanced deployments, encryption at rest focuses on providing configurable encryption options directly at the storage level, allowing you to customize how your data is protected based on your specific requirements. Throughout this skill badge, we'll learn more about how encryption at rest works in MongoDB and how we can implement it. To start off, we'll explore the key benefits of encryption at rest. We'll take a closer look at the different types of encryption at rest with a focus on the specific approach MongoDB uses.
Additionally, we'll examine how encryption at rest differs between MongoDB Atlas and enterprise advanced deployments. After that, we'll focus on MongoDB Atlas and investigate how we can set up encryption at rest to use a bring your own keys (BYOK) approach. Then we'll learn how to enable encryption at rest using a server that is compliant with the key management interoperability protocol or KMIP in a MongoDB enterprise advanced deployment.
In this skill, you'll learn concepts through detailed videos and hands on labs. Then you'll be ready to take a short skill check to demonstrate your knowledge.
After passing the test, you'll receive an official Credly badge to share on LinkedIn so you can show off your knowledge and skills. Let's get started.
