
In-Use Encryption Connection Tab


In-Use Encryption is an Enterprise/Atlas-only feature. You need a replica set or sharded cluster to use this connection option; the replica set can be a single node or larger.

The In-Use Encryption connection tab lets you connect to your deployments with Queryable Encryption enabled.

Procedure

Step 1

In the bottom panel of the Connections Sidebar, click Add New Connection to open the New Connection modal.

If you already have connections listed in the Connections Sidebar, click the add icon at the top right of the sidebar to open the New Connection modal.

Step 2

[Figure: New Advanced Connection Options]

Step 3
  1. Provide a Key Vault Namespace.

    The Key Vault Namespace is the collection that holds all the data encryption keys used for encryption and decryption.

    Specify the collection in which data encryption keys are stored in the format <db>.<collection>. The conventional (non-official) default database and collection for the key vault is encryption.__keyVault.

  2. Select a KMS Provider.

    You can select from the following Key Management Systems, each described in the next step: Local KMS, AWS, Google Cloud Services, Azure Key Vault, or KMIP.

Step 4

Local KMS

You can manage your key locally by selecting the Local KMS option.

Click Generate Random Key to generate a 96-byte, base64-encoded key. You need this key to access encrypted and decrypted data.

Warning

Compass does not save KMS credentials by default. Copy and save the key in an external location.

AWS

You can use AWS to manage your keys.

Specify the following fields:

Field | Required | Description
--- | --- | ---
Access Key Id | Yes | Value of your AWS access key Id.
Secret Access Key | Yes | Value of your AWS secret key.
Session Token | No | Value of your AWS session token.
Certificate Authority | No | One or more certificate files from trusted Certificate Authorities to validate the certificate provided by the deployment.
Client Certificate and Key | No | Specifies the location of a local .pem file that contains either the client's TLS/SSL X.509 certificate or the client's TLS/SSL certificate and key.
Client Key Password | No | If the Client Private Key is protected with a password, you must provide the password.

Google Cloud Services

You can use Google Cloud Services to manage your keys.

Specify the following fields:

Field | Required | Description
--- | --- | ---
Service Account Email | Yes | The service account email to authenticate.
Private Key | Yes | A base64-encoded private key.
Endpoint | No | A host with an optional port.
Certificate Authority | No | One or more certificate files from trusted Certificate Authorities to validate the certificate provided by the deployment.
Client Certificate and Key | No | Specifies the location of a local .pem file that contains either the client's TLS/SSL X.509 certificate or the client's TLS/SSL certificate and key.
Client Key Password | No | If the Client Private Key is protected with a password, you must provide the password.

Azure Key Vault

You can use Azure Key Vault to manage your keys.

Specify the following fields:

Field | Required | Description
--- | --- | ---
Tenant Id | Yes | Identifies the organization for the account.
Client Id | Yes | Authenticates a registered application.
Client Secret | Yes | The client secret to authenticate a registered application.
Identity Platform Endpoint | Yes | A host with an optional port.
Certificate Authority | No | One or more certificate files from trusted Certificate Authorities to validate the certificate provided by the deployment.
Client Certificate and Key | No | Specifies the location of a local .pem file that contains either the client's TLS/SSL X.509 certificate or the client's TLS/SSL certificate and key.
Client Key Password | No | If the Client Private Key is protected with a password, you must provide the password.

KMIP

You can use KMIP to manage your keys.

Specify the following fields:

Field | Required | Description
--- | --- | ---
Endpoint | Yes | The endpoint consists of a hostname and port separated by a colon.
Certificate Authority | No | One or more certificate files from trusted Certificate Authorities to validate the certificate provided by the deployment.
Client Certificate and Key | No | Specifies the location of a local .pem file that contains either the client's TLS/SSL X.509 certificate or the client's TLS/SSL certificate and key.
Client Key Password | No | If the Client Private Key is protected with a password, you must provide the password.

Optionally, add a client-side EncryptedFieldsMap for enhanced security. For more information, see Fields for Encryption.
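The following Python script is an added example, not Compass or MongoDB code, that works through the settings this procedure asks for: it generates a local master key of the same shape as Generate Random Key (96 random bytes, base64-encoded), validates a pasted key before it is ever used, parses a <db>.<collection> key vault namespace, and checks that the required fields for each KMS provider (as listed in the tables above) are present before building a kms_providers mapping. The option names inside that mapping (accessKeyId, tenantId, tlsCAFile and so on) are an assumption about how the Compass form fields correspond to the driver-level options; they are not taken from this page.

```python
import base64
import secrets

# Length of the local master key that Compass generates (96 bytes, shown base64-encoded).
LOCAL_KEY_BYTES = 96

# Form fields per KMS provider, True = required, mirroring the tables above.
# The names are driver-level kms_providers option names: an assumption about how
# the Compass form maps onto the driver, not something stated on this page.
KMS_FIELDS = {
    "local": {"key": True},
    "aws": {"accessKeyId": True, "secretAccessKey": True, "sessionToken": False},
    "gcp": {"email": True, "privateKey": True, "endpoint": False},
    "azure": {"tenantId": True, "clientId": True, "clientSecret": True,
              "identityPlatformEndpoint": True},
    "kmip": {"endpoint": True},
}

# Optional TLS settings (CA, client cert/key, key password) shared by the
# non-local providers; same assumption about the option names as above.
TLS_FIELDS = {"tlsCAFile", "tlsCertificateKeyFile", "tlsCertificateKeyFilePassword"}


def generate_local_master_key() -> str:
    """Do what Generate Random Key does: 96 CSPRNG bytes, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(LOCAL_KEY_BYTES)).decode("ascii")


def decode_local_master_key(key_b64: str) -> bytes:
    """Decode a pasted key, rejecting malformed base64 or a wrong length.

    A key of the wrong length leaves every data key in the vault undecryptable,
    so fail loudly before any connection is attempted.
    """
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("local master key is not valid base64") from exc
    if len(raw) != LOCAL_KEY_BYTES:
        raise ValueError(
            f"local master key must decode to {LOCAL_KEY_BYTES} bytes, got {len(raw)}")
    return raw


def parse_key_vault_namespace(namespace: str):
    """Split '<db>.<collection>' at the first dot (collection names may contain dots)."""
    db, sep, coll = namespace.partition(".")
    if not sep or not db or not coll:
        raise ValueError("key vault namespace must be in the form <db>.<collection>")
    return db, coll


def build_kms_providers(provider: str, fields: dict, tls: dict = None) -> dict:
    """Validate the form fields for one provider and return the settings to pass on.

    Required fields must be present and non-empty, unknown fields are rejected,
    empty optional fields are dropped, and the local key is decoded to raw bytes.
    Returns {"kms_providers": {...}, "tls_options": {...}}.
    """
    if provider not in KMS_FIELDS:
        raise ValueError(f"unknown KMS provider: {provider}")
    spec = KMS_FIELDS[provider]
    unknown = set(fields) - set(spec)
    if unknown:
        raise ValueError(f"unexpected fields for {provider}: {sorted(unknown)}")
    missing = [name for name, required in spec.items() if required and not fields.get(name)]
    if missing:
        raise ValueError(f"missing required fields for {provider}: {missing}")
    values = {name: value for name, value in fields.items() if value}
    if provider == "local":
        values["key"] = decode_local_master_key(values["key"])
    tls_options = {}
    if tls:
        if provider == "local":
            raise ValueError("TLS options do not apply to the local provider")
        bad = set(tls) - TLS_FIELDS
        if bad:
            raise ValueError(f"unexpected TLS fields: {sorted(bad)}")
        tls_options = {provider: dict(tls)}
    return {"kms_providers": {provider: values}, "tls_options": tls_options}


if __name__ == "__main__":
    key = generate_local_master_key()
    # Compass does not store this key; it must be kept outside Compass.
    print("local master key (first 16 chars):", key[:16] + "...")
    print(parse_key_vault_namespace("encryption.__keyVault"))
    # Constructed placeholder credentials, not real AWS values.
    print(build_kms_providers("aws", {"accessKeyId": "EXAMPLE_ID",
                                      "secretAccessKey": "EXAMPLE_SECRET",
                                      "sessionToken": ""}))
```

Running the script prints a freshly generated key prefix, the parsed namespace, and the AWS mapping with the empty optional Session Token removed; feeding a 32-byte key or a namespace without a dot raises ValueError, which is the behaviour you want from a connection form before it touches a key vault.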
