Encryption at Rest and TLS in Transit
Learners will enable TLS for client connections and discuss WiredTiger encryption at rest and Atlas's built-in encrypted storage.
Two Layers of Database Encryption
Securing MongoDB data requires protection at two distinct points: encryption in transit (data moving between clients and MongoDB, and between the members of a replica set or sharded cluster) and encryption at rest (data stored on disk). Authentication controls who can connect, but an authenticated user operating over an unencrypted connection still exposes every query and result, and the authentication exchange itself, to anyone who can capture the traffic. Together, TLS and encryption at rest provide defence-in-depth: TLS protects data on the wire, encryption at rest protects it if a disk, snapshot or backup is stolen or copied.
TLS: Encrypting Data in Transit
TLS (Transport Layer Security) encrypts the network channel between MongoDB clients, drivers, and mongod/mongos instances. Enabling TLS prevents eavesdropping on the wire, and prevents man-in-the-middle attacks only when the client verifies the server certificate against a trusted CA, so never disable that verification (for example with tlsAllowInvalidCertificates) outside a lab. Since MongoDB 4.0, TLS 1.0 is disabled by default wherever TLS 1.1 or later is available; 4.2 added TLS 1.3 support on platforms whose TLS library provides it and renamed the ssl settings to tls (net.tls.mode, --tlsCertificateKeyFile, --tlsCAFile). Use net.tls.mode: requireTLS rather than allowTLS or preferTLS, since both of those still accept plaintext connections. Always use TLS in any environment where network traffic could be intercepted, which includes cloud VPCs despite VPC-level isolation.
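The server-side setup this paragraph describes, as an added example that is not part of the course material or of MongoDB's own documentation: a POSIX shell script that builds a throwaway CA and server certificate with openssl, writes a mongod.conf using the 4.2+ net.tls settings (with the weak alternatives noted beside the required ones), and audits the result before the server is restarted. The hostname mongo.example.internal, the directory layout and the function names are assumptions for illustration; the CA it generates is a demo CA, not something to deploy.

```shell
#!/bin/sh
# Added example, not course or MongoDB code. Assumes openssl is installed
# and that MongoDB 4.2+ configuration names (net.tls.*) are in use.
set -eu

# Hypothetical hostname clients will connect to. It must appear in the
# server certificate's subjectAltName: MongoDB validates the hostname
# against SAN, and the CN-only fallback is deprecated since 4.2.
MONGO_HOST="${MONGO_HOST:-mongo.example.internal}"

# Create a demo CA and a server certificate signed by it under directory $1.
gen_demo_certs() {
    dir="$1"
    mkdir -p "$dir"
    # Self-signed demo CA (in production use your organisation's PKI).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Demo MongoDB CA" >/dev/null 2>&1
    # Server key and CSR.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=$MONGO_HOST" >/dev/null 2>&1
    # SAN and serverAuth EKU are what clients actually check.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
        "$MONGO_HOST" > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" >/dev/null 2>&1
    # mongod's certificateKeyFile is a single PEM holding key and cert.
    cat "$dir/server.key" "$dir/server.crt" > "$dir/server.pem"
    chmod 600 "$dir/server.pem" "$dir/server.key" "$dir/ca.key"
}

# Write a mongod config that requires TLS from every client and disables
# the legacy protocol versions. $1 = certificate directory, $2 = output path.
write_mongod_tls_conf() {
    certdir="$1"
    out="$2"
    cat > "$out" <<EOF
net:
  port: 27017
  bindIp: 127.0.0.1
  tls:
    mode: requireTLS    # weak alternatives allowTLS / preferTLS still accept plaintext
    certificateKeyFile: $certdir/server.pem
    CAFile: $certdir/ca.crt
    disabledProtocols: TLS1_0,TLS1_1
    # allowConnectionsWithoutCertificates is left at its default (false):
    # with CAFile set, clients that present no certificate are rejected.
    # Set it to true only if clients authenticate with SCRAM and need
    # server-side TLS alone.
EOF
}

# Return 0 when the config requires TLS, names a CA and disables TLS 1.0
# and 1.1; anything else returns 1. Run this before restarting mongod.
check_mongod_tls_conf() {
    conf="$1"
    grep -Eq '^[[:space:]]*mode:[[:space:]]*requireTLS' "$conf" || return 1
    grep -Eq '^[[:space:]]*CAFile:' "$conf" || return 1
    grep -Eq '^[[:space:]]*disabledProtocols:.*TLS1_0' "$conf" || return 1
    grep -Eq '^[[:space:]]*disabledProtocols:.*TLS1_1' "$conf" || return 1
    return 0
}

main() {
    workdir="$1"
    gen_demo_certs "$workdir"
    write_mongod_tls_conf "$workdir" "$workdir/mongod.conf"
    check_mongod_tls_conf "$workdir/mongod.conf"
    echo "config OK: $workdir/mongod.conf"
    # Start the server:   mongod --config "$workdir/mongod.conf"
    # (for a local test, map $MONGO_HOST to 127.0.0.1 in /etc/hosts)
    # Connect, verifying the server against the demo CA:
    #   mongosh --tls --tlsCAFile "$workdir/ca.crt" --host "$MONGO_HOST"
    # Add --tlsCertificateKeyFile client.pem when client certificates are
    # required. Never pass --tlsAllowInvalidCertificates outside a lab: it
    # removes the check that defeats a man-in-the-middle.
}

# The full demo (which needs openssl) runs only when invoked as
#   sh tls_setup.sh demo [workdir]
# so the functions can be sourced and audited on their own.
if [ "${1:-}" = "demo" ]; then
    main "${2:-./mongo-tls-demo}"
fi
```

The audit function is deliberately strict: a config in preferTLS mode, or one that forgets disabledProtocols, fails it, which is the failure mode to catch before a restart quietly leaves a plaintext path open.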
All lessons in this course
- Authentication Mechanisms: SCRAM and x.509
- Role-Based Access Control: Built-In and Custom Roles
- Encryption at Rest and TLS in Transit
- Client-Side Field Level Encryption