Docs Menu
Docs Home
/
MongoDB Manual
/ / / / /

Install and Configure a CSFLE Library

On this page

  • Before You Begin
  • Steps

MongoDB can use one of two libraries for Client-Side Field Level Encryption (CSFLE). The recommended library is the Automatic Encryption Shared Library.

To use CSFLE with automatic encryption, you must first choose the library you want MongoDB to use to encrypt the fields.

  • crypt_shared, the recommended CSFLE library.

  • mongocryptd, which is included in MongoDB Enterprise Server installations.

Both require the libmongocrypt library. For more information, see Install libmongocrypt for CSFLE.

The Automatic Encryption Shared Library is a dynamic library that enables your client application to perform automatic encryption. A dynamic library is a set of functionality accessed by an application at runtime rather than compile time. The Automatic Encryption Shared Library performs the following tasks:

  • Reads the encryption schema to determine which fields to encrypt or decrypt

  • Prevents your application from executing unsupported operations on encrypted fields

The Automatic Encryption Shared Library does not do any of the following:

  • Perform data encryption or decryption

  • Access the encryption key material

  • Listen for data over the network

The Automatic Encryption Shared Library is a preferred alternative to mongocryptd and does not require you to spawn another process to perform automatic encryption.

Note

While we recommend using the Automatic Encryption Shared Library, mongocryptd is still supported.

To learn more about automatic encryption, see Features.

mongocryptd is installed with MongoDB Enterprise Server.

When you create a CSFLE-enabled MongoDB client, the mongocryptd process starts automatically by default.

The mongocryptd process:

  • Uses the specified automatic encryption rules to mark fields in read and write operations for encryption.

  • Prevents unsupported operations from executing on encrypted fields.

  • Parses the encryption schema specified for the database connection. Automatic encryption rules use a strict subset of JSON schema syntax. If the rules contain invalid automatic encryption syntax or any document validation syntax, mongocryptd returns an error.

mongocryptd only performs the previous functions, and doesn't perform any of the following:

  • mongocryptd doesn't perform encryption or decryption

  • mongocryptd doesn't access any encryption key material

  • mongocryptd doesn't listen over the network

To perform field encryption and automatic decryption, the drivers use the Apache-licensed libmongocrypt library.

The official MongoDB drivers require access to the mongocryptd process on the client host machine. These clients search for the mongocryptd process in the system PATH by default.

1

Download the Automatic Encryption Shared Library from the MongoDB Download Center by selecting the version and platform, then the library:

  1. In the Version dropdown, select the version labeled as "current."

  2. In the Platform dropdown, select your platform.

  3. In the Package dropdown, select crypt_shared.

  4. Click Download.

Tip

To view an expanded list of available releases and packages, see MongoDB Enterprise Downloads.

2

You can configure how your driver searches for the Automatic Encryption Shared Library through the following parameters:

Name
Description

cryptSharedLibPath

Specifies the absolute path to the Automatic Encryption Shared Library package, crypt_shared.

Default: undefined

cryptSharedLibRequired

Specifies if the driver must use the Automatic Encryption Shared Library. If true, the driver raises an error if the Automatic Encryption Shared Library is unavailable. If false, the driver performs the following sequence of actions:

  1. Attempts to use the Automatic Encryption Shared Library.

  2. If the Automatic Encryption Shared Library is unavailable, the driver attempts to spawn and connect to mongocryptd.

Default: false

To view an example demonstrating how to configure these parameters, see the Quick Start.

1

For supported Linux Operating Systems: To install the Server package, follow the install on Linux tutorial and install the mongodb-enterprise server package. Alternatively, specify mongodb-enterprise-cryptd instead to install only the mongocryptd binary. The package manager installs the binaries to a location in the system PATH.

For OSX: To install the Server package, follow the install on MacOS tutorial. The package manager installs binaries to a location in the system PATH.

For Windows: To install the Server package, follow the install on Windows tutorial. You must add the mongocryptd package to your system PATH after installation. Follow the documented best practices for your Windows installation to add the mongocryptd binary to the system PATH.

To install from an official tarball / ZIP archive: To install from an official archive, follow the documented best practices for your operating system to add the mongocryptd binary to your system PATH.

2

If the driver has access to the mongocryptd process, it spawns the process by default.

Important

Start on Boot

If possible, start mongocryptd on boot, rather than launching it on demand.

Configure how the driver starts mongocryptd through the following parameters:

Name
Description

port

The port from which mongocryptd listens for messages.
Default: 27020

idleShutdownTimeoutSecs

Number of idle seconds the mongocryptd process waits before exiting.
Default: 60

mongocryptdURI

The URI on which to run the mongocryptd process.
Default: "mongodb://localhost:27020"

mongocryptdBypassSpawn

When true, prevents the driver from automatically spawning mongocryptd.
Default: false

mongocryptdSpawnPath

The full path to mongocryptd.
Default: Defaults to empty string and spawns from the system path.

If a mongocryptd process is already running on the port specified by the driver, the driver may log a warning and continue without spawning a new process. Any settings specified by the driver only apply once the existing process exits and a new encrypted client attempts to connect.

To view examples of how to configure your mongocryptd process, click the tab corresponding to the driver you are using in your application:

The following code-snippet sets the listening port configuration of mongocryptd:

var extraOptions = new Dictionary<string, object>()
{
{ "mongocryptdSpawnArgs", new [] { "--port=30000" } },
};
autoEncryptionOptions.With(extraOptions: extraOptions);

The following code-snippet sets the default timeout configuration of mongocryptd:

var extraOptions = new Dictionary<string, object>()
{
{ "idleShutdownTimeoutSecs", 60 },
};
autoEncryptionOptions.With(extraOptions: extraOptions);

The following code-snippet sets the listening port configuration of mongocryptd:

extraOptions := map[string]interface{}{
"mongocryptdSpawnArgs": []string{
"--port=30000",
},
}

The following code-snippet sets the default timeout configuration of mongocryptd:

extraOptions := map[string]interface{}{
"mongocryptdSpawnArgs": []string{
"--idleShutdownTimeoutSecs=75",
},
}

The following code-snippet sets the listening port configuration of mongocryptd:

List<String> spawnArgs = new ArrayList<String>();
spawnArgs.add("--port=30000");
Map<String, Object> extraOpts = new HashMap<String, Object>();
extraOpts.put("mongocryptdSpawnArgs", spawnArgs);
AutoEncryptionSettings autoEncryptionSettings = AutoEncryptionSettings.builder()
...
.extraOptions(extraOpts);

The following code-snippet sets the default timeout configuration of mongocryptd:

List<String> spawnArgs = new ArrayList<String>();
spawnArgs.add("--idleShutdownTimeoutSecs")
.add("60");
Map<String, Object> extraOpts = new HashMap<String, Object>();
extraOpts.put("mongocryptdSpawnArgs", spawnArgs);
AutoEncryptionSettings autoEncryptionSettings = AutoEncryptionSettings.builder()
...
.extraOptions(extraOpts);

The following code-snippet sets the listening port configuration of mongocryptd:

autoEncryption: {
...
extraOptions: {
mongocryptdSpawnArgs: ["--port", "30000"],
mongocryptdURI: 'mongodb://localhost:30000',
}

Note

In the NodeJS driver, the mongocryptdURI must match the listening port.

The following code-snippet sets the default timeout configuration of mongocryptd:

autoEncryption: {
...
extraOptions: {
mongocryptdSpawnArgs: ["--idleShutdownTimeoutSecs", "75"]
}

The following code-snippet sets the listening port configuration of mongocryptd:

auto_encryption_opts = AutoEncryptionOpts(mongocryptd_spawn_args=['--port=30000'])

The following code-snippet sets the default timeout configuration of mongocryptd:

auto_encryption_opts = AutoEncryptionOpts(mongocryptd_spawn_args=['--idleShutdownTimeoutSecs=75'])

Back

Cryptography