Enabling Queryable Encryption when Creating Collections
Overview
Enable Queryable Encryption at collection creation. You can't encrypt fields on
documents that are already in a collection. If you have existing data
that needs encryption, consider explicitly creating a new collection and
then using the $out aggregation stage to move documents into it.
Important
Explicitly create your collection, rather than creating it implicitly
with an insert operation. When you create a collection using
createCollection(), MongoDB creates an index on the encrypted
fields. Without this index, queries on encrypted fields may run
slowly.
Enable Queryable Encryption on a Collection
You can enable Queryable Encryption on fields in one of two ways. The following examples use Node.js to enable Queryable Encryption:
- Pass the encryption schema, represented by the encryptedFieldsObject constant, to the client that the application uses to create the collection:

  ```javascript
  const { MongoClient } = require("mongodb");

  const client = new MongoClient(uri, {
    autoEncryption: {
      keyVaultNamespace: "<your keyvault namespace>",
      // Replace with your KMS provider credentials object
      kmsProviders: "<your kms provider>",
      extraOptions: {
        cryptSharedLibPath: "<path to Automatic Encryption Shared Library>"
      },
      // Map each namespace directly to its encryption schema
      encryptedFieldsMap: {
        "<databaseName.collectionName>": encryptedFieldsObject
      }
    }
  });

  // ...

  await client.db("<database name>").createCollection("<collection name>");
  ```

  For more information on autoEncryption configuration options, see the section on MongoClient Options for Queryable Encryption.

- Pass the encryption schema encryptedFieldsObject to createCollection():

  ```javascript
  await encryptedDB.createCollection("<collection name>", {
    encryptedFields: encryptedFieldsObject
  });
  ```

Tip
Specify the encryptedFieldsObject when you create the collection, and also when you create a client to access the collection. This ensures that if the server's security is compromised, the information is still encrypted through the client.
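The check below is an added example, not code from the MongoDB documentation: it compares the encryptedFieldsObject given to the client with the schema stored on the collection, so a collection that was created implicitly or whose schema has drifted is caught before data is written. It assumes the stored schema has already been read (for example from the collection options reported by listCollections) and that both schemas have the shape { fields: [{ path, bsonType, keyId, queries }] }; the function names and sample values are hypothetical.

```javascript
// Normalize `queries` (object, array, or absent) to a sorted list of query types.
function queryTypes(field) {
  const q = field.queries;
  if (!q) return [];
  return (Array.isArray(q) ? q : [q]).map((x) => x.queryType).sort();
}

// Return a list of discrepancies; an empty list means the two schemas agree.
function diffEncryptedFields(clientSchema, serverSchema) {
  if (!serverSchema || !Array.isArray(serverSchema.fields)) {
    return ["collection has no encryptedFields (created implicitly or without a schema)"];
  }
  const problems = [];
  const serverByPath = new Map(serverSchema.fields.map((f) => [f.path, f]));
  for (const field of clientSchema.fields) {
    const remote = serverByPath.get(field.path);
    if (!remote) {
      problems.push(`${field.path}: encrypted on client, missing on collection`);
      continue;
    }
    if (remote.bsonType !== field.bsonType) {
      problems.push(`${field.path}: bsonType ${field.bsonType} != ${remote.bsonType}`);
    }
    if (queryTypes(field).join() !== queryTypes(remote).join()) {
      problems.push(`${field.path}: query types differ`);
    }
    serverByPath.delete(field.path);
  }
  // Anything left is encrypted on the collection but unknown to this client.
  for (const path of serverByPath.keys()) {
    problems.push(`${path}: encrypted on collection, missing from client schema`);
  }
  return problems;
}

// Constructed sample schemas; keyId values are placeholders, not real data keys.
const encryptedFieldsObject = {
  fields: [
    { path: "patientRecord.ssn", bsonType: "string", keyId: "<dek1>",
      queries: { queryType: "equality" } },
    { path: "patientRecord.billing", bsonType: "object", keyId: "<dek2>" },
  ],
};
const serverCopy = {
  fields: [{ path: "patientRecord.ssn", bsonType: "string", keyId: "<dek1>", queries: [] }],
};
console.log(diffEncryptedFields(encryptedFieldsObject, serverCopy));
```

An application can run this at startup and refuse to write to the collection when the returned list is not empty.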