Docs Menu
Docs Home
/ / /
PyMongo
/

In-Use Encryption

On this page

  • Overview
  • Queryable Encryption
  • Client-side Field Level Encryption

You can use PyMongo to encrypt specific document fields by using a set of features called in-use encryption. In-use encryption allows your application to encrypt data before sending it to MongoDB and query documents with encrypted fields.

In-use encryption prevents unauthorized users from viewing plaintext data as it is sent to MongoDB or while it is in an encrypted database. To enable in-use encryption in an application and authorize it to decrypt data, you must create encryption keys that only your application can access. Only applications that have access to your encryption keys can access the decrypted, plaintext data. If an attacker gains access to the database, they can only see the encrypted ciphertext data because they lack access to the encryption keys.

You might use in-use encryption to encrypt fields in your MongoDB documents that contain the following types of sensitive data:

  • Credit card numbers

  • Addresses

  • Health information

  • Financial information

  • Any other sensitive or personally identifiable information (PII)

MongoDB offers the following features to enable in-use encryption:

  • Queryable Encryption

  • Client-side Field Level Encryption

Queryable Encryption is the next-generation in-use encryption feature, first introduced as a preview feature in MongoDB Server version 6.0 and as a generally available (GA) feature in MongoDB 7.0. Queryable Encryption supports searching encrypted fields for equality and encrypts each value uniquely.

Important

Preview Feature Incompatible with MongoDB 7.0

The implementation of Queryable Encryption in MongoDB 6.0 is incompatible with the GA version introduced in MongoDB 7.0. The Queryable Encryption preview feature is no longer supported.

To learn more about Queryable Encryption, see Queryable Encryption in the Server manual.

Client-side Field Level Encryption (CSFLE) was introduced in MongoDB Server version 4.2 and supports searching encrypted fields for equality. CSFLE differs from Queryable Encryption in that you can select either a deterministic or random encryption algorithm to encrypt fields. You can only query encrypted fields that use a deterministic encryption algorithm when using CSFLE. When you use a random encryption algorithm to encrypt fields in CSFLE, they can be decrypted, but you cannot perform equality queries on those fields. When you use Queryable Encryption, you cannot specify the encryption algorithm, but you can query all encrypted fields.

When you deterministically encrypt a value, the same input value produces the same output value. While deterministic encryption allows you to perform queries on those encrypted fields, encrypted data with low cardinality is susceptible to code breaking by frequency analysis.

Tip

To learn more about CSFLE, see CSFLE in the Server manual.

Back

Enterprise Authentication