Encrypt Fields

On this page

Overview

Queryable Encryption
Client-side Field Level Encryption

Overview

You can encrypt fields in a document using a set of features called in-use encryption.

In-use encryption enables your client applications to encrypt data before sending it to MongoDB, and to query documents with encrypted fields.

Because the driver encrypts the data before sending it to MongoDB, only your configured client applications can decrypt the data. Only applications using the driver with access to your encryption keys can access the decrypted, plaintext data. Should you have unauthorized access to your database, an attacker could only see the encrypted, ciphertext data.

In-use encryption can help prevent exposure of the following sensitive types of data:

Credit card numbers
Addresses
Health information
Financial information
Any other sensitive or personally identifiable information (PII)

MongoDB offers the following ways to encrypt fields:

Queryable Encryption

Queryable Encryption is the next-generation in-use encryption feature, introduced in MongoDB 6.0 and available as a public preview. Queryable Encryption supports searching encrypted fields for equality and encrypts each value uniquely.

The MongoDB manual contains detailed information on the following Queryable Encryption topics:

To get started, see the Queryable Encryption Quick Start.
To learn how to use Queryable Encryption, see the Queryable Encryption Fundamentals.
To learn how to integrate your implementation with a Key Management System, see the Queryable Encryption Tutorials.
To learn Queryable Encryption concepts, see the Queryable Encryption Reference.

Client-side Field Level Encryption

Client-side Field Level Encryption was introduced in MongoDB version v4.2 and supports searching encrypted fields for equality. CSFLE differs from Queryable Encryption in that it requires that the encrypted fields you want to search must be determinstically encrypted. When you deterministically encrypt a value, the same input value produces the same output value. While deterministic encryption provides greater support for read operations, encrypted data with low cardinality is susceptible to recovery using frequency analysis.

The MongoDB manual contains detailed information on the following CSFLE topics:

To get started, see the CSFLE Quick Start.
To learn how to use CSFLE, see the CSFLE Fundamentals.
To learn how to integrate your CSFLE implementation with a Key Management System, see the CSFLE Tutorials.
To learn CSFLE concepts, see the CSFLE Reference.

← Time Series Collections Work with Geospatial Data →

Encrypt Fields.css-134mg1q{-webkit-align-self:center;-ms-flex-item-align:center;align-self:center;padding:0 10px;visibility:hidden;}.css-6vrlzm{border-radius:0!important;display:initial!important;margin:initial!important;}.css-1l4s55v{margin-top:-175px;position:absolute;padding-bottom:2px;}

Overview

Queryable Encryption

Client-side Field Level Encryption

Encrypt Fields