In-Use Encryption Connection Tab
On this page
In-Use Encryption is an Enterprise/Atlas only feature. You need a replica set or sharded cluster to use this connection option. Your replica set can be a single node or larger.
The In-Use Encryption connection tab allows you to connect your deployments with Queryable Encryption.
Procedure
Click the In-Use Encryption tab.
Provide a Key Vault Namespace.
A Key Vault Namespace refers to a collection that contains all the data keys used for encryption and decryption.
Specify a collection in which data encryption keys are stored in the format
<db>.<collection>
. The non-official default database/collection for keyVault isencryption.__keyVault
.Select a KMS Provider.
You can select from the following Key Management Systems:
KMS Providers
Local KMS
You can locally manage your key as a KMS using the Local KMS option.
Click Generate Random Key to generate a 96-byte long base64-encoded string. You need this key to access encrypted and ecrypted data.
Warning
Compass does not save KMS credentials by default. Copy and save the key in an external location.
AWS
You can use AWS to manage your keys.
Specify the following fields:
Field | Required | Description |
---|---|---|
Access Key Id | Yes | Value of your AWS access key Id. |
Secret Access Key | Yes | Value of your AWS secret key. |
Session Token | No | Value of your AWS session token. |
Certificate Authority | No | One or more certificate files from trusted Certificate
Authorities to validate the certificate provided by the deployment. |
Client Certificate and Key | No | Specifies the location of a local .pem file that contains
either the client's TLS/SSL X.509 certificate or the client's TLS/SSL
certificate and key. |
Client Key Password | No | If the Client Private Key is protected with a password,
you must provide the password. |
GCP
You can use Google Cloud Services to manage your keys.
Specify the following fields:
Field | Required | Description |
---|---|---|
Service Account Email | Yes | The service account email to authenticate. |
Private Key | Yes | A base64-encoded private key. |
Endpoint | No | A host with an optional port. |
Certificate Authority | No | One or more certificate files from trusted Certificate
Authorities to validate the certificate provided by the deployment. |
Client Certificate and Key | No | Specifies the location of a local .pem file that contains
either the client's TLS/SSL X.509 certificate or the client's TLS/SSL
certificate and key. |
Client Key Password | No | If the Client Private Key is protected with a password,
you must provide the password. |
Azure
You can use Azure Key Vault to manage your keys.
Specify the following fields:
Field | Required | Description |
---|---|---|
Tenant Id | Yes | Identifies the organization for the account. |
Client Id | Yes | Authenticates a registered application. |
Client Secret | Yes | The client secret to authenticate a registered application. |
Identity Platform Endpoint | Yes | A host with an optional port. |
Certificate Authority | No | One or more certificate files from trusted Certificate
Authorities to validate the certificate provided by the deployment. |
Client Certificate and Key | No | Specifies the location of a local .pem file that contains
either the client's TLS/SSL X.509 certificate or the client's TLS/SSL
certificate and key. |
Client Key Password | No | If the Client Private Key is protected with a password,
you must provide the password. |
KMIP
You can use KMIP to manage your keys.
Field | Required | Description |
---|---|---|
Endpoint | Yes | The endpoint consists of a hostname and port separated by a colon. |
Certificate Authority | No | One or more certificate files from trusted Certificate
Authorities to validate the certificate provided by the deployment. |
Client Certificate and Key | No | Specifies the location of a local .pem file that contains
either the client's TLS/SSL X.509 certificate or the client's TLS/SSL
certificate and key. |
Client Key Password | No | If the Client Private Key is protected with a password,
you must provide the password. |
(Optional) Specify an EncryptedFieldsMap
:
Add an optional client-side EncryptedFieldsMap
for enhanced security.
For more information, see Fields for Encryption.