https://jira.mongodb.org/browse/HELP-19346 raised by a TSE engineer mentioned how the current docs page for Encrypted Snapshots do not contain sufficient explanation on how a Snapshot is encrypted for FCV 4.2.
I would suggest to add the following chunk of text to the fcv 4.2 or greater to supplement the existing text.
This should be backported to Ops Manager 4.2 docs as well.
Backups for FCV 4.2 occur by copying the bytes on disk from the replica set node’ dbpath and saving them into the snapshot store. If a node has MongoDB Encryption at Rest enabled, then the bytes that we copy are already encrypted as Encryption at Rest performs encryption at the Storage Engine layer when writing the bytes on to disk. For FCV 4.2, in the Snapshot process, there are no Ops Manager components that interact with the KMIP server. However, the Backup Daemon will require a connection to the KMIP server to process a Queryable Restore Job.