MongoClient Options for Queryable Encryption

On this page

Overview

AutoEncryptionOpts
Example

Queryable Encryption with equality queries is generally available (GA) in MongoDB 7.0. If you are starting out with Queryable Encryption, upgrade MongoDB to version 7.0 with compatible drivers. Data encrypted using the QE Public Preview is incompatible with the GA. For more information, see the MongoDB 7.0 compatibility notes.

Overview

View information about the Queryable Encryption specific configuration options for MongoClient instances.

AutoEncryptionOpts

Pass an AutoEncryptionOpts object to your MongoClient instance to specify Queryable Encryption specific options.

The following table describes the structure of an AutoEncryptionOpts object:

Parameter	Type	Required	Description
`keyVaultClient`	`MongoClient`	No	A `MongoClient` instance configured to connect to the MongoDB instance hosting your Key Vault collection. If you omit the `keyVaultClient` option, the MongoDB instance specified to your `MongoClient` instance containing the `AutoEncryptionOpts` configuration is used as the host of your Key Vault collection. To learn more about Key Vault collections, see Key Vault Collections.
`keyVaultNamespace`	String	Yes	The full namespace of the Key Vault collection.
`kmsProviders`	Object	Yes	The Key Management System (KMS) used by Queryable Encryption for managing your Customer Master Keys (CMKs). To learn more about `kmsProviders` objects, see KMS Providers. To learn more about Customer Master Keys, see Keys and Key Vaults.
`encryptedFieldsMap`	Object	No	An encryption schema. To learn how to construct an encryption schema, see Field Encryption and Queryability.
`bypassQueryAnalysis`	Boolean	No	Disables automatic analysis of outgoing commands. Set `bypassQueryAnalysis` to `true` to use explicit encryption on indexed fields without the `crypt_shared` library. Defaults to `false` if not specified.

Example

To view a code-snippet demonstrating how to use AutoEncryptionOpts to configure your MongoClient instance, select the tab corresponding to your driver:

var AutoEncryptionOpts =
{
   "keyVaultClient" : keyVaultClient,
   "keyVaultNamespace" : "<database>.<collection>",
   "kmsProviders" : { ... },
   "bypassQueryAnalysis": "<boolean value>", // optional - defaults to false
   "encryptedFieldsMap" : { ... }
}
cluster = Mongo(
  "mongodb://myhostexample.net:27017/?replicaSet=myReplicaSet",
  AutoEncryptionOpts
);

Tip

Environment Variables

If possible, consider defining the credentials provided in kmsProviders as environment variables, and then passing them to mongosh using the --eval option. This minimizes the chances of credentials leaking into logs.

const secureClient = new MongoClient(connectionString, {
  useNewUrlParser: true,
  useUnifiedTopology: true,
  monitorCommands: true,
  autoEncryption: {
    keyVaultNamespace,
    kmsProviders,
    bypassQueryAnalysis, // optional - defaults to false
    encryptedFieldsMap: patientSchema,
    extraOptions: extraOptions,
  },
});

To learn about additional options for configuring Automatic Encryption Shared Library, see Configuration.

Back

Supported Operations for Queryable Encryption

Automatic Encryption Shared Library