MONGODB SECURITY
MongoDB Data Encryption
Protect data in transit, at rest, and in use with MongoDB’s robust encryption, supporting security across the entire data lifecycle.
FAQ
In-use encryption extends protection beyond encryption in transit and at rest by keeping sensitive data encrypted even while it is being queried and processed. With MongoDB Queryable Encryption, data is encrypted on the client side using customer-managed keys before it ever reaches the database. The server never holds the key, so encrypted fields cannot be decrypted by the database, by its operators, or by anyone with access to its logs or backups, and they remain protected in transit, at rest, and in use, including during query execution.
By comparison, in-transit encryption protects data as it travels over the network but does not secure it once stored or processed. At-rest encryption protects stored data on disk but does not secure it while in transit or during queries. Queryable Encryption complements both by ensuring that the most sensitive fields, such as PII or PHI, never leave the application in plaintext, delivering end-to-end protection across the entire data lifecycle.
Your encryption keys can be stored in any cloud provider of your choice and do not need to be in the same cloud provider as your data. For example, you can store your data in Azure but keep your encryption keys in AWS KMS, or keep your data in AWS but your keys in Google Cloud KMS. In both cases the KMS holds the master key that wraps the data encryption keys; the data keys themselves are stored only in wrapped form, so the provider hosting the data never sees a usable key. This applies to both at-rest encryption and in-use encryption.
Queryable Encryption uses a fast encrypted search algorithm that stores additional encrypted data structures on the server side, enabling the server to process equality, range, prefix, suffix, and substring queries over encrypted data without ever seeing plaintext. Because the database does the query processing, there is no need to pull extra results back to the client for filtering or to write additional application code for client-side query handling.
Client-Side Field Level Encryption (CSFLE) also encrypts data on the client before it is sent to the database, but it is more limited: only equality queries are possible, and a field must be encrypted deterministically to be queryable at all. Deterministic encryption produces the same ciphertext for the same plaintext, which is what lets the server match values by comparing bytes; the trade-off is that the server, or anyone with a copy of the data, can also see which documents share a value. Fields encrypted with the randomized algorithm leak nothing, but cannot be queried.
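The following toy, added here as an illustration of the two preceding paragraphs and not MongoDB's own code, models the split between an application that holds the data key and a database that stores only ciphertext. It substitutes an HMAC-based toy cipher for the real CSFLE algorithms (AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic and -Random; the names are real, the construction below is not) and shows why equality on an encrypted field needs deterministic encryption and what that costs: the server can find matching documents by comparing bytes, but it can also see which documents share a value, whereas randomized ciphertexts repeat nothing and match nothing. Queryable Encryption's separate encrypted index structures, which remove that trade-off, are not modelled. The key, the `Client` and `Server` classes, and the sample records are all constructed for the example.

```python
import hashlib
import hmac
import os
from collections import Counter

NONCE_LEN, TAG_LEN = 16, 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stand-in for AES, NOT MongoDB's cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt_field(key: bytes, plaintext: bytes, deterministic: bool) -> bytes:
    """Client-side field encryption (encrypt-then-MAC). Deterministic mode derives the
    nonce from the plaintext, so equal plaintexts give identical ciphertexts."""
    if deterministic:
        nonce = hmac.new(key, b"nonce|" + plaintext, hashlib.sha256).digest()[:NONCE_LEN]
    else:
        nonce = os.urandom(NONCE_LEN)  # fresh per call: equal plaintexts differ
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + body + tag


def decrypt_field(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a tampered blob is rejected."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class Server:
    """Database side (constructed for the example): stores opaque bytes, never holds the key."""

    def __init__(self) -> None:
        self.docs = []

    def insert(self, doc: dict) -> None:
        self.docs.append(doc)

    def find_equal(self, field: str, encrypted_value: bytes) -> list:
        # Equality on an encrypted field is a plain byte comparison of ciphertexts.
        return [d for d in self.docs if d[field] == encrypted_value]


class Client:
    """Application side (constructed): holds the data key, encrypts on insert, decrypts on read."""

    def __init__(self, key: bytes, server: Server, deterministic: bool) -> None:
        self.key, self.server, self.deterministic = key, server, deterministic

    def insert(self, name: str, ssn: str) -> None:
        blob = encrypt_field(self.key, ssn.encode(), self.deterministic)
        self.server.insert({"name": name, "ssn": blob})

    def find_by_ssn(self, ssn: str) -> list:
        probe = encrypt_field(self.key, ssn.encode(), self.deterministic)
        return [d["name"] for d in self.server.find_equal("ssn", probe)]

    def read_ssn(self, name: str) -> str:
        doc = next(d for d in self.server.docs if d["name"] == name)
        return decrypt_field(self.key, doc["ssn"]).decode()


def run_demo(deterministic: bool) -> dict:
    """Insert constructed sample records and report what client and server can each do."""
    key = hashlib.sha256(b"demo-only data key, not a real secret").digest()
    server = Server()
    client = Client(key, server, deterministic)
    # Constructed sample data; alice and carol deliberately share an SSN.
    for name, ssn in [("alice", "123-45-6789"), ("bob", "987-65-4321"),
                      ("carol", "123-45-6789"), ("dave", "555-12-3456")]:
        client.insert(name, ssn)
    ciphertexts = [d["ssn"] for d in server.docs]
    try:  # the server, or anyone with a dump, trying a key it does not have
        decrypt_field(bytes(32), ciphertexts[0])
        server_can_decrypt = True
    except ValueError:
        server_can_decrypt = False
    return {
        "matches": sorted(client.find_by_ssn("123-45-6789")),
        "round_trip": client.read_ssn("carol"),
        # What the server learns: how many documents share the most common ciphertext.
        "max_ciphertext_frequency": max(Counter(ciphertexts).values()),
        "server_can_decrypt": server_can_decrypt,
    }


if __name__ == "__main__":
    print("deterministic:", run_demo(True))   # equality works, duplicates visible
    print("randomized:   ", run_demo(False))  # nothing repeats, equality finds nothing
```

Running it shows the deterministic mode returning both matching names while its `max_ciphertext_frequency` of 2 exposes the duplicate, and the randomized mode returning no matches with every ciphertext unique; in neither mode can the key-less server decrypt. The `encrypt_field` nonce derivation is the whole difference between the two modes, which is why the choice of algorithm per field is a security decision, not just a query-capability one.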
Queryable Encryption supports equality and range queries on encrypted data; prefix, suffix, and substring queries are available in public preview as of the 8.2 release.