In-Use Encryption
Overview
You can use the Java driver to encrypt specific document fields by using a set of features called in-use encryption. In-use encryption allows your application to encrypt data before sending it to MongoDB and query documents with encrypted fields.
Important
Compatible Encryption Library Version
The Java driver uses the mongodb-crypt
encryption library for in-use encryption. This driver version
is compatible with mongodb-crypt v5.2.0.
Select from the following Maven and
Gradle tabs to see how to add the mongodb-crypt
dependency to your project by using the specified manager:
<dependencies> <dependency> <groupId>org.mongodb</groupId> <artifactId>mongodb-crypt</artifactId> <version>5.2.0</version> </dependency> </dependencies>
dependencies { implementation 'org.mongodb:mongodb-crypt:5.2.0' }
In-use encryption prevents unauthorized users from viewing plaintext data as it is sent to MongoDB or while it is in an encrypted database. To enable in-use encryption in an application and authorize it to decrypt data, you must create encryption keys that only your application can access. Only applications that have access to your encryption keys can access the decrypted, plaintext data. If an attacker gains access to the database, they can only see the encrypted ciphertext data because they lack access to the encryption keys.
You might use in-use encryption to encrypt fields in your MongoDB documents that contain the following types of sensitive data:
Credit card numbers
Addresses
Health information
Financial information
Any other sensitive or personally identifiable information (PII)
MongoDB offers the following features to enable in-use encryption:
Queryable Encryption
Queryable Encryption is the next-generation in-use encryption feature, first introduced as a preview feature in MongoDB Server version 6.0 and as a generally available (GA) feature in MongoDB 7.0. Queryable Encryption supports searching encrypted fields for equality and encrypts each value uniquely.
Important
Preview Feature Incompatible with MongoDB 7.0
The implementation of Queryable Encryption in MongoDB 6.0 is incompatible with the GA version introduced in MongoDB 7.0. The Queryable Encryption preview feature is no longer supported.
To learn more about Queryable Encryption, see Queryable Encryption in the Server manual.
Client-side Field Level Encryption
Client-side Field Level Encryption (CSFLE) was introduced in MongoDB Server version 4.2 and supports searching encrypted fields for equality. CSFLE differs from Queryable Encryption in that you can select either a deterministic or random encryption algorithm to encrypt fields. You can only query encrypted fields that use a deterministic encryption algorithm when using CSFLE. When you use a random encryption algorithm to encrypt fields in CSFLE, they can be decrypted, but you cannot perform equality queries on those fields. When you use Queryable Encryption, you cannot specify the encryption algorithm, but you can query all encrypted fields.
When you deterministically encrypt a value, the same input value produces the same output value. While deterministic encryption allows you to perform queries on those encrypted fields, encrypted data with low cardinality is susceptible to code breaking by frequency analysis.
Tip
To learn more about these concepts, see the following Wikipedia entries:
To learn more about CSFLE, see CSFLE in the Server manual.