Create an Encryption Schema
About this Task
To make encrypted fields queryable, create an encryption schema. This schema defines which fields are queryable, and which query types are permitted. For more information, see Encrypted Fields and Enabled Queries.
Steps
Specify encryption parameters for each field you want to encrypt.

Add the path and bsonType strings to the fields array:

    const encryptedFieldsObject = {
      fields: [
        {
          path: "myDocumentField",
          bsonType: "int"
        }
      ]
    }

Important
You can specify any field for encryption except the _id field.

If you are using explicit encryption, add a keyId field with the DEK ID.

    {
      path: "myDocumentField",
      bsonType: "int",
      keyId: "<unique data encryption key>"
    }

Tip
With Automatic Encryption, MongoDB creates encryption keys for each field. You configure AutoEncryptionSettings on the client, then use the createEncryptedCollection helper method to create your collections.

If you want a field to be queryable, add the queries property and list allowed queryTypes.

Queryable Encryption currently supports equality queries only.

    {
      path: "myDocumentField",
      bsonType: "int",
      queries: { queryType: "equality" }
    }

(Optional) Include the contention property on queryable fields to favor either find performance, or write and update performance:

    {
      path: "myDocumentField",
      bsonType: "int",
      queries: { queryType: "equality", contention: "0" }
    }

For more information, see contention.
Example
This example shows how to create an encryption schema for hospital data.
Consider the following document that contains personally identifiable information (PII), credit card information, and sensitive medical information:

    {
      "firstName": "Jon",
      "lastName": "Snow",
      "patientId": 12345187,
      "address": "123 Cherry Ave",
      "medications": [
        "Adderall",
        "Lipitor"
      ],
      "patientInfo": {
        "ssn": "921-12-1234",
        "billing": {
          "type": "visa",
          "number": "1234-1234-1234-1234"
        }
      }
    }
To ensure the PII and sensitive medical information stays secure, this encryption schema adds the relevant fields:
    const encryptedFieldsObject = {
      fields: [
        { path: "patientId", bsonType: "int" },
        { path: "patientInfo.ssn", bsonType: "string" },
        { path: "medications", bsonType: "array" },
        { path: "patientInfo.billing", bsonType: "object" }
      ]
    }

Adding the queries property makes the patientId and patientInfo.ssn fields queryable. This example enables equality queries:

    const encryptedFieldsObject = {
      fields: [
        { path: "patientId", bsonType: "int", queries: { queryType: "equality" } },
        { path: "patientInfo.ssn", bsonType: "string", queries: { queryType: "equality" } },
        { path: "medications", bsonType: "array" },
        { path: "patientInfo.billing", bsonType: "object" },
      ]
    }
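
The following is an added example, not part of the original page or MongoDB's own code. It checks an encryption schema against the rules stated in the steps above and lists which leaf fields of a sample document would remain unencrypted, so a reviewer can confirm that this is intended. The helper names validateEncryptedFields and plaintextPaths are hypothetical.

```javascript
// Added example, not MongoDB's own code. Helper names are hypothetical.
// Checks an encryptedFields object against the rules stated on this page.
function validateEncryptedFields(schema, { explicit = false } = {}) {
  if (!schema || !Array.isArray(schema.fields)) return ["fields must be an array"];
  const errors = [];
  schema.fields.forEach((f, i) => {
    const where = `fields[${i}]`;
    if (typeof f.path !== "string" || f.path === "") errors.push(`${where}: path must be a string`);
    if (typeof f.bsonType !== "string") errors.push(`${where}: bsonType must be a string`);
    if (f.path === "_id") errors.push(`${where}: the _id field cannot be encrypted`);
    if (explicit && !f.keyId) errors.push(`${where}: explicit encryption needs a keyId`);
    // queries is one object on this page; a list of them is tolerated too
    for (const q of [].concat(f.queries || [])) {
      if (q.queryType !== "equality") errors.push(`${where}: only equality queries are supported`);
    }
  });
  return errors;
}

// Leaf paths of doc that no schema entry covers. An entry covers its own
// path and everything nested beneath it.
function plaintextPaths(doc, schema, prefix = "") {
  const covered = (p) => schema.fields.some((f) => p === f.path || p.startsWith(f.path + "."));
  const out = [];
  for (const [key, value] of Object.entries(doc)) {
    const p = prefix + key;
    if (covered(p)) continue;
    if (value && typeof value === "object" && !Array.isArray(value)) {
      out.push(...plaintextPaths(value, schema, p + "."));
    } else {
      out.push(p);
    }
  }
  return out;
}

// Constructed sample input, copied from the hospital example above
const sampleDoc = { firstName: "Jon", lastName: "Snow", patientId: 12345187,
  address: "123 Cherry Ave", medications: ["Adderall", "Lipitor"],
  patientInfo: { ssn: "921-12-1234", billing: { type: "visa", number: "1234-1234-1234-1234" } } };
const sampleSchema = { fields: [
  { path: "patientId", bsonType: "int", queries: { queryType: "equality" } },
  { path: "patientInfo.ssn", bsonType: "string", queries: { queryType: "equality" } },
  { path: "medications", bsonType: "array" },
  { path: "patientInfo.billing", bsonType: "object" } ] };

console.log(validateEncryptedFields(sampleSchema));
console.log(plaintextPaths(sampleDoc, sampleSchema));
```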