CSFLE Encryption Components
On this page
Diagram
The following diagram illustrates the relationships between a MongoDB
driver or mongosh
and each component of Client-Side Field Level Encryption
(CSFLE):
Components
The following sections discuss the individual components of the preceding diagram.
libmongocrypt
libmongocrypt
is the Apache-licensed open-source core cryptography
library used by the official MongoDB 4.2+ compatible drivers and
mongosh
to power Client-Side Field Level Encryption.
Some drivers may require specific integration steps to install or link
the library.
To view steps for installing libmongocrypt
,
see the libmongocrypt reference page.
mongocryptd
mongocryptd
supports automatic encryption and is only available
with MongoDB Enterprise. mongocryptd
does not perform
cryptographic functions.
To learn more about mongocryptd
, see
Install and Configure mongocryptd for CSFLE.
Key Vault collection
The Key Vault collection is a standard MongoDB collection that stores all Data Encryption Keys used to encrypt application data. Data Encryption Keys are themselves encrypted using a Customer Master Key (CMK) prior to storage in the Key Vault collection. You can host your Key Vault collection on a different MongoDB cluster than the cluster storing your encrypted application data.
To learn more about the Key Vault collection, see Keys and Key Vaults.
Key Management System
The Key Management System (KMS) stores the Customer Master Key (CMK) used to encrypt Data Encryption Keys.
To view a list of all KMS providers MongoDB supports, see CSFLE KMS Providers.
MongoDB Cluster
The MongoDB cluster which stores the encrypted data may also enforce Client-Side Field Level Encryption. For more information on server-side schema enforcement, see CSFLE Server-Side Schema Enforcement.