In-Use Encryption Tutorial

On this page

Overview

Requirements and Limitations
Create Your Encrypted Collection
Import Your Data
Enable and Disable In-Use Encryption

Queryable Encryption with equality queries is generally available (GA) in MongoDB 7.0 and later. The Queryable Encryption Public Preview, released in version 6.0, is no longer supported. Data encrypted using the Public Preview is incompatible with the feature release. For more information, see Compatibility Changes in MongoDB 7.0.

In-Use Encryption allows you to connect to your deployments using Queryable Encryption. This connection method allows you to encrypt a subset of fields in your collections.

You can also use CSFLE to encrypt a subset of fields in your collection. CSFLE encryption is enabled through the schema editor.

Overview

This guide shows you how to connect to your deployment and collections using Queryable Encryption.

This guide uses the air_airlines.json data set in the guided examples. The guide covers the process of importing your data set.

Requirements and Limitations

In-Use Encryption is an Enterprise/Atlas only feature.
You need a replica set to use this connection option. Your replica set can be a single node or larger.
You need to connect to your deployment on Compass using In-Use Encryption. For more information on how to connect to your deployment, see In-Use Encryption Connection tab.

Create Your Encrypted Collection

Once your deployment is connected using In-Use Encryption, create your collection using Queryable Encryption. You can create a new database and collection or you can create a new collection in an existing database.

Queryable Encryption supports new collections only. You can't enable Queryable Encryption on existing collections.

Procedure

Click the Create a Database button or the Create a Collection button.

Enter the name of the database and/or collection.

Click the Additional preferences drop down.

Check the Queryable Encryption box.

Specify your Encrypted Fields.

Change the path field value from encryptedField to the name of the field you want encrypted.

click to enlarge

Here, the encrypted field is the base field of the air_airlines data set.

For more information, see Encrypted Fields.

(Optional) Specify KMS Provider.

(Optional) Specify Key Encryption Key.

Click Create Database or Create Collection.

Import Your Data

Click on your collection on the left-hand navigation banner.

The collection has a Queryable Encryption badge next to its name to indicate that fields in that collection are encrypted.

Click Add Data.

Click Import File.

Select File and Input File Type.

Click Import.

Your imported collection is displayed in the document view. The specified encrypted field is marked by a key symbol next to the value.

click to enlarge

Here, the base field is marked with the key symbol.

Enable and Disable In-Use Encryption

You can enable and disable In-Use Encryption in your deployment.

When In-Use Encryption is enabled:

You can modify encrypted values.
You can insert documents and specified fields will be encrypted.

When In-Use Encryption is disabled:

You cannot modify encrypted values. Compass displays the values of these fields as a series of asterisks.
Inserted documents can not encrypt fields.

Disable In-Use Encryption

To disable In-Use Encryption:

Click on In-Use Encryption on left-hand navigation bar.

click to enlarge

Click the Enable In-Use Encryption for this connection toggle.

Disabling In-Use Encryption only affects how Compass accesses your data.

Back

Sampling

Import & Export Data