Encryption Components
Diagram
The following diagram illustrates the relationships between a MongoDB driver or mongosh and each component of Client-Side Field Level Encryption (CSFLE):
Components
The following sections discuss the individual components of the preceding diagram.
libmongocrypt
libmongocrypt is the Apache-licensed open-source core cryptography library used by the official MongoDB 4.2+ compatible drivers and mongosh to power Client-Side Field Level Encryption. It performs all field encryption and decryption inside the client process, so plaintext field values and unwrapped Data Encryption Keys never leave the application; the MongoDB server only ever receives ciphertext.
Some drivers may require specific integration steps to install or link the library.
To view steps for installing libmongocrypt, see the libmongocrypt reference page.
mongocryptd
mongocryptd supports automatic encryption and is only available with MongoDB Enterprise. It runs as a separate local process that parses the automatic encryption rules (the JSON schema) and marks which fields in a command must be encrypted. mongocryptd does not perform cryptographic functions and has no access to Data Encryption Keys or the Customer Master Key; the encryption itself is done by libmongocrypt in the driver.
To learn more about mongocryptd, see Install and Configure mongocryptd.
Key Vault collection
The Key Vault collection is a standard MongoDB collection that stores all Data Encryption Keys (DEKs) used to encrypt application data. Data Encryption Keys are themselves encrypted using a Customer Master Key (CMK) prior to storage in the Key Vault collection, so a cluster that holds the Key Vault cannot recover the DEKs without access to the CMK. You can host your Key Vault collection on a different MongoDB cluster than the cluster storing your encrypted application data. Each encrypted field value references the DEK that protects it by the key document's _id, so deleting a Key Vault document makes every value encrypted under that key permanently unreadable; restrict write and delete access to the collection accordingly. MongoDB also requires a unique partial index on keyAltNames in the Key Vault collection so that an alternate key name can never resolve to more than one DEK.
To learn more about the Key Vault collection, see Keys and Key Vaults.
Key Management System
The Key Management System (KMS) stores the Customer Master Key (CMK) used to encrypt Data Encryption Keys. With a remote KMS provider the CMK never leaves the KMS: the driver sends the wrapped Data Encryption Key to the KMS to be decrypted rather than retrieving the CMK itself. The local KMS provider instead keeps the CMK on the application host and is intended for testing, not production.
To view a list of all KMS providers MongoDB supports, see KMS Providers.
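The key hierarchy described in the Key Vault and Key Management System sections above (CMK held by the KMS, CMK-wrapped DEKs in the Key Vault collection, each encrypted field value carrying its DEK's _id) is modelled below as an added, stand-alone Python example. It is not MongoDB driver or libmongocrypt code. Its assumptions: the KMS is the local provider (a 96-byte CMK held by the application), the Key Vault and the data collection are in-memory Python containers, and the AEAD is an HMAC-SHA-512 encrypt-then-MAC stand-in for libmongocrypt's AEAD_AES_256_CBC_HMAC_SHA_512. The key vault document fields (_id, keyMaterial, masterKey.provider, keyAltNames, status, creationDate, updateDate) follow the real key vault schema; the names LocalKms, KeyVault, create_data_key, encrypt_field, decrypt_field and demo are this example's own.

```python
import hashlib
import hmac
import os
import uuid
from datetime import datetime, timezone

# Stand-in AEAD built from HMAC-SHA-512 (counter-mode keystream, encrypt-then-MAC).
# It plays the role of libmongocrypt's AEAD_AES_256_CBC_HMAC_SHA_512; it is NOT that algorithm.
def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha512).digest(),
            hmac.new(key, b"mac", hashlib.sha512).digest())

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha512).digest()
        ctr += 1
    return out[:n]

def toy_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha512).digest()[:32]
    return nonce + ct + tag

def toy_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha512).digest()[:32]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class LocalKms:
    """KMS provider "local": a 96-byte CMK kept by the application (test use only)."""
    def __init__(self):
        self.cmk = os.urandom(96)
    def wrap(self, dek: bytes) -> bytes:        # plaintext DEK in, CMK-encrypted DEK out
        return toy_encrypt(self.cmk, dek)
    def unwrap(self, wrapped: bytes) -> bytes:
        return toy_decrypt(self.cmk, wrapped)

class KeyVault:
    """The Key Vault collection: holds only CMK-wrapped DEKs, never the CMK."""
    def __init__(self):
        self.docs = {}
    def insert(self, doc: dict) -> None:
        # Models the unique partial index MongoDB requires on keyAltNames.
        for name in doc.get("keyAltNames", []):
            if any(name in d.get("keyAltNames", []) for d in self.docs.values()):
                raise ValueError(f"duplicate keyAltName {name!r}")
        self.docs[doc["_id"]] = doc
    def find(self, key_id: uuid.UUID) -> dict:
        return self.docs[key_id]

# --- driver / libmongocrypt side --------------------------------------------
def create_data_key(kms: LocalKms, vault: KeyVault, alt_names) -> uuid.UUID:
    dek = os.urandom(96)                    # CSFLE DEKs are 96 bytes of random key material
    now = datetime.now(timezone.utc)
    doc = {"_id": uuid.uuid4(), "keyMaterial": kms.wrap(dek), "creationDate": now,
           "updateDate": now, "status": 0, "masterKey": {"provider": "local"},
           "keyAltNames": list(alt_names)}
    vault.insert(doc)                       # only the wrapped DEK is ever persisted
    return doc["_id"]

def encrypt_field(kms: LocalKms, vault: KeyVault, key_id: uuid.UUID, value: str) -> dict:
    dek = kms.unwrap(vault.find(key_id)["keyMaterial"])
    # Real CSFLE embeds the key UUID inside the BinData subtype 6 payload; here it rides
    # alongside the ciphertext and is bound to it as associated data.
    return {"keyId": key_id, "ciphertext": toy_encrypt(dek, value.encode(), aad=key_id.bytes)}

def decrypt_field(kms: LocalKms, vault: KeyVault, enc: dict) -> str:
    dek = kms.unwrap(vault.find(enc["keyId"])["keyMaterial"])
    return toy_decrypt(dek, enc["ciphertext"], aad=enc["keyId"].bytes).decode()

def demo() -> dict:
    kms, vault, data_cluster = LocalKms(), KeyVault(), []
    key_id = create_data_key(kms, vault, ["patient-ssn"])
    # Constructed sample record; the data-bearing cluster only ever sees the ciphertext.
    data_cluster.append({"name": "Alice", "ssn": encrypt_field(kms, vault, key_id, "123-45-6789")})
    # Someone who dumps both the data cluster and the Key Vault but lacks the CMK is stuck:
    rogue_kms = LocalKms()                  # a different CMK
    try:
        rogue_kms.unwrap(vault.find(key_id)["keyMaterial"])
        dek_recovered = True
    except ValueError:
        dek_recovered = False
    try:                                    # the keyAltNames uniqueness rule in action
        create_data_key(kms, vault, ["patient-ssn"])
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True
    return {"plaintext": decrypt_field(kms, vault, data_cluster[0]["ssn"]),
            "ssn_on_server_is_ciphertext": b"123-45-6789" not in data_cluster[0]["ssn"]["ciphertext"],
            "dek_recovered_without_cmk": dek_recovered,
            "duplicate_alt_name_rejected": duplicate_rejected}

if __name__ == "__main__":
    print(demo())
```

The point of the model is the trust boundary: the data cluster stores ciphertext plus a key _id, the Key Vault stores wrapped key material, and neither holds anything that decrypts without the KMS. Swapping LocalKms for a remote provider changes where wrap and unwrap run, not what the two collections contain.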
MongoDB Cluster
The MongoDB cluster that stores the encrypted data holds no keys and cannot read the encrypted fields, but it can also enforce Client-Side Field Level Encryption: with server-side schema enforcement, the cluster rejects writes that place unencrypted values in fields the schema marks for encryption. For more information on server-side schema enforcement, see Server-Side Schema Enforcement.