I am running a 3-member replica set of Percona MongoDB server, deployed by the Percona Kubernetes Operator. I have encryption at rest enabled. I have verified in the MongoDB logs that it is enabled, by checking for the line percona_encryption_extension_init, as per "WiredTiger Encryption at Rest with Percona Server for MongoDB" (Percona Database Performance Blog).
In addition, I am using Percona backup manager to store backups inside remote S3 storage. If I completely delete my Kubernetes cluster and create a new cluster, which generates for itself a new MongoDB encryption key, I am able to restore my previous backup from my remote storage.
I was expecting this action to not work, due to the encryption keys not matching.
My question - are the data files stored by Percona backup manager in S3 unencrypted? Or am I misunderstanding what is happening here?
I would expect this action to only work if my new cluster had the same encryption key.