Queryable Encryption (original) (raw)
Queryable Encryption gives you the ability to perform the following tasks:
- Encrypt sensitive data fields from the client-side.
- Store sensitive data fields as fully randomized encrypted data on the database server-side.
- Run expressive queries on the encrypted data.
These tasks are all completed without the server having knowledge of the data it's processing.
Sensitive data is encrypted throughout its lifecycle - in-transit, at-rest, in-use, in logs, and backups - and only ever decrypted on the client-side, since only you have access to the encryption keys.
Queryable Encryption introduces an industry-first fast, searchable encryption scheme developed by the pioneers in encrypted search. The feature supports equality and range searches, with additional query types such as prefix, suffix, and substring planned for future releases.
You can set up Queryable Encryption using the following mechanisms:
- Automatic Encryption: Enables you to perform encrypted read and write operations without you having to write code to specify how to encrypt fields.
- Explicit Encryption: Enables you to perform encrypted read and write operations through your MongoDB driver's encryption library. You must specify the logic for encryption with this library throughout your application.
When implementing an application that uses Queryable Encryption, consider the points listed in Security Considerations.
For other limitations, see Queryable Encryption limitations.
The following table shows which MongoDB server products support which Queryable Encryption mechanisms:
| Product Name | Supports Automatic Encryption | Supports Explicit Encryption |
|---|---|---|
| MongoDB Atlas | Yes | Yes |
| MongoDB Enterprise Advanced | Yes | Yes |
| MongoDB Community Edition | No | Yes |
To learn which MongoDB drivers support Queryable Encryption, seeQueryable Encryption Compatibility.
To learn about the security benefits of Queryable Encryption for your applications, see the Features page.
To learn what you must install to use Queryable Encryption, see the Installation Requirements page.
To start using Queryable Encryption, see the Quick Start.
To learn how Queryable Encryption works and how to set it up, see theFundamentals section.
The fundamentals section contains the following pages:
- Field Encryption and Queryability
- Encrypted Collection Management
- Keys and Key Vaults
- Encryption Key Management
- KMS Providers
To learn how to perform specific tasks with Queryable Encryption, see theTutorials section.
To view information to help you develop your Queryable Encryption enabled applications, see the Reference section.
The reference section contains the following pages:
- Queryable Encryption Compatibility
- Queryable Encryption Limitations
- Supported Operations for Queryable Encryption
- MongoClient Options for Queryable Encryption
- Automatic Encryption Shared Library for Queryable Encryption
- Install libmongocrypt
- Install and Configure mongocryptd for Queryable Encryption