Create an Encryption Schema
On this page
About this Task
To make encrypted fields queryable, create an encryption schema. This schema defines which fields are queryable, and which query types are permitted. For more information, see Encrypted Fields and Enabled Queries.
Important
Queryable Encryption supports equality and range queries. You can configure a field for only one query type.
Before you Begin
When you make encrypted fields queryable, there are performance and security considerations to take into account. For details on how each configuration option affects these, see Configure Encrypted Fields for Optimal Search and Storage.
Steps
Specify fields to encrypt.
Add the
path
andbsonType
strings to thefields
array:const encryptedFieldsObject = { fields: [ { path: "myDocumentField", bsonType: "int" } ] } Important
You can specify any field for encryption except the
_id
field.If you are using explicit encryption, add a
keyId
field with the DEK{ path: "myDocumentField", bsonType: "int", keyId: "<unique data encryption key>" } Tip
With Automatic Encryption, MongoDB creates encryption keys for each field. You configure
AutoEncryptionSettings
on the client, then use thecreateEncryptedCollection
helper method to create your collections.
Enable equality queries on desired fields.
This enables querying with the $eq
, $ne
, $in
,
and $nin
operators.
Add the
queries
object and setqueryType
to"equality"
:{ path: "myDocumentField", bsonType: "int", queries: { queryType: "equality" } } (Optional) Set contention to favor either find performance, or write and update performance.
If unset, this defaults to
8
.{ path: "myDocumentField", bsonType: "int", queries: { queryType: "equality", contention: 8 } }
Enable range queries on desired fields.
This enables querying with the $lt
, $lte
, $gt
, and $gte
operators.
For details on how the following options affect security and performance, see Configure Encrypted Fields for Optimal Search and Storage.
Add the
queries
object and setqueryType
to"range"
:{ path: "myDocumentRangeField", bsonType: "int", queries: { queryType: "range" } } Set the following fields:
FieldTypeDescriptionInteger from 1-4Optional. Defaults to 2. Affects how thoroughly MongoDB indexes range values. Low sparsity (dense indexing) improves query performance at the cost of storage space.Same as fieldbsonType
Required if
bsonType
isdecimal
ordouble
. Optional but highly recommended if it isint
,long
, ordate
. Defaults to the minimum and maximum values of thebsonType
. When possible, specifying bounds on a query improves performance. If querying values outside of these inclusive bounds, MongoDB returns an error.This parameter only affects queries. The encrypted value is still stored with full precision.
IntegerOptional but highly recommended. Allowed only ifbsonType
isdecimal
ordouble
. Sets how many digits are taken into account when querying the field.IntegerOptional. Defaults to 6. A lowtrimFactor
causes MongoDB to store more documents in the metadata collections for eachinsert
orupdate
operation. This improvesinsert
andupdate
times at the cost of slowing down some range operations . A hightrimFactor
does the opposite.Integer.Optional. Defaults to 8. Set to favor either find performance, or write and update performance.{ path: "myDocumentRangeField", bsonType: "int", queries: { queryType: "range", sparsity: 1, min: 0, max: 1200, trimFactor: 1, contention: 7 } }
Example
This example shows how to create an encryption schema for hospital data.
Consider the following document that contains personally identifiable information (PII), credit card information, and sensitive medical information:
{ "firstName": "Jon", "lastName": "Snow", "patientId": 12345187, "address": "123 Cherry Ave", "medications": [ "Adderall", "Lipitor" ], "patientInfo": { "ssn": "921-12-1234", "billing": { "type": "visa", "number": "1234-1234-1234-1234" } } }
To ensure the PII and sensitive medical information stays secure, this encryption schema adds the relevant fields:
const encryptedFieldsObject = { fields: [ { path: "patientId", bsonType: "int" }, { path: "patientInfo.ssn", bsonType: "string" }, { path: "medications", bsonType: "array" }, { path: "patientInfo.billing", bsonType: "object" } ] }
Adding the queries
property makes the patientId
and
patientInfo.ssn
fields queryable. This example enables equality queries:
const encryptedFieldsObject = { fields: [ { path: "patientId", bsonType: "int", queries: { queryType: "equality" } }, { path: "patientInfo.ssn", bsonType: "string", queries: { queryType: "equality" } }, { path: "medications", bsonType: "array" }, { path: "patientInfo.billing", bsonType: "object" }, ] }
The example below sets contention
to 0 for the low cardinality
Social Security Number (SSN) and patient ID fields, since these are
unique identifiers that shouldn't repeat in the data set.
const encryptedFieldsObject = { fields: [ { path: "patientId", bsonType: "int", queries: { queryType: "equality", contention: "8"} }, { path: "patientInfo.ssn", bsonType: "string", queries: { queryType: "equality", contention: "8"} }, { path: "medications", bsonType: "array" }, { path: "patientInfo.billing", bsonType: "object" } ] }