EventGet 50% off your ticket to MongoDB.local NYC on May 2. Use code Web50! Learn more >

MONGODB SECURITY

MongoDB Data Encryption

MongoDB offers robust encryption features to protect data while in-transit, at-rest, and in-use — providing encryption of your data through its full lifecycle.

Get Started

MongoDB Security Hub

Encryption in-transit

MongoDB Enterprise Advanced supports encryption in-transit using Transport Layer Security (TLS).

In Atlas, all network traffic to MongoDB clusters is protected by TLS by default. TLS cannot be disabled and the default version is TLS v1.2. Data that is transmitted to MongoDB clusters, as well as data transmitted between nodes of your MongoDB clusters, is encrypted in-transit using TLS.

Learn more about Encryption In-Transit →

Encryption at-rest

Encryption at-rest is a database-level protection layer to guarantee that the written files and data are encrypted while stored. MongoDB Enterprise Advanced (EA) has implemented the at-rest encryption in WiredTiger, the database storage engine, using AES-256. You can configure at-rest encryption in MongoDB EA with a KMIP-enabled key provider.

In Atlas, customer data is encrypted at-rest by default using AES-256 to secure all volume (disk) data. The process is automated by the transparent disk encryption of your selected cloud provider, and the cloud provider fully manages the encryption keys. You may also choose to enable database-level encryption, which allows you to bring your own encryption keys in AWS Key Management Service (KMS), Google Cloud KMS, or Azure Key Vault.

Encryption At-Rest → MongoDB Enterprise and MongoDB Atlas

In-Use Encryption

Data is encrypted client-side with customer-controlled encryption keys, before being sent, stored, or retrieved from the database. The benefits of this approach are:

Data encrypted throughout its lifecycle
The strongest technical control to ensure that data always remains encrypted in-use, in backups, at-rest, and in-transit.
Faster application development cycle
MongoDB takes the complexity out of developing applications for sensitive workloads. Developers don’t have to be security or cryptography experts to build encryption into their applications.
Address critical data privacy use cases
Helps customers meet strict data privacy requirements such as HIPAA, GDPR, PCI, CCPA and more.

MongoDB has two features for encryption in-use to meet your data protection needs.

Client-Side Field Level Encryption

Client-Side Field Level Encryption (CSFLE) is an in-use encryption capability that enables a client application to encrypt sensitive data before storing it in the MongoDB database. Sensitive data is transparently encrypted, remains encrypted throughout its lifecycle, and is only decrypted on the client side.

Learn more → Client-Side Field Level Encryption

Queryable Encryption

Queryable Encryption is an in-use encryption capability that enables an application to encrypt sensitive data from the client-side, store the encrypted data in the MongoDB database, and run expressive queries on the encrypted data.

Additional benefits you can get with Queryable Encryption:

Groundbreaking technology
Queryable Encryption introduces a first-in-industry fast encrypted search algorithm using NIST standards-based primitives such as AES-256, SHA2, and HMACs. It is designed by the pioneers of encrypted search with decades of research and experience in cryptography.
Rich querying capabilities on encrypted data
Data can be queried using equality matches (generally available) with range, prefix, suffix, and substring query capabilities planned.

Learn more → Queryable Encryption

Queryable Encryption: Sample flow of operations to fetch records for a given SSN

Resources

FAQ

Help your organization with strong technical controls. Need more information?

How does In-Use Encryption compare with in-transit and at-rest encryption?

In-Use Encryption is best applied selectively to those fields of your documents that you classify as containing the most sensitive data, such as PII or PHI.

Using Client-Side FLE or Queryable Encryption alongside in-transit and at-rest encryption provides encryption of data throughout its lifecycle, using complementary approaches that provide a defense-in-depth security posture to address different threat models.

In-transit encryption protects all data traversing the network but does not encrypt data in-use or at-rest.
At-rest encryption protects all stored data but does not encrypt data in-use or in-transit.
With in-use encryption, your most sensitive data never leaves your application in plaintext. Fields that are encrypted client-side cannot be decrypted by the server and remain encrypted in-transit, at-rest, and in-use even as queries are being processed.

Do the customer provided encryption keys used for Atlas at-rest encryption need to be stored in the same cloud provider as the data is?

Your encryption keys can be stored in any cloud provider of your choosing and do not need to be in the same cloud provider as your data. For example, you can store your data in Azure but have your encryption keys in AWS KMS, or have your data in AWS but your keys in GCP Cloud KMS. This approach applies both to at-rest encryption and in-use encryption capabilities.

For more information, refer to our documentation

Can I use cloud-provider KMS for Encryption at-rest with MongoDB Enterprise?

MongoDB Enterprise supports KMIP-enabled key providers for encryption at-rest. Cloud-provided KMS (Key Management Systems) is not supported.

For more details refer to the documentation

How does Queryable Encryption differ from Client-Side Field Level Encryption?

Queryable Encryption uses a fast encrypted search algorithm to add additional encrypted data structures on the server side, enabling the processing of expressive queries on encrypted data. Since the database does the query processing, there’s no need to bring extra results back to the client or write additional application code for client-side query handling.

Client-Side Field Level Encryption provides related functionality, in that it encrypts data on the client side before inserting it into the database. Querying is limited to equality queries and deterministic encryption must be used for equality.

For more information, refer to our documentation

What query types are supported with Queryable Encryption?

The Queryable Encryption supports equality queries on encrypted data as of the 7.0 release.

Future releases will support range, prefix, suffix, and substring query types.