Client-Side Field Level Encryption is now on Azure and Google Cloud

Mat Keep and Kenneth White
November 9, 2020 | Updated: August 1, 2023

We’re excited to announce expanded key management support for Client-Side Field Level Encryption (FLE).

Initially released last year with Amazon’s Key Management Service (KMS), native support for Azure Key Vault and Google Cloud KMS is now available in preview with support for our C#/.Net, Java, and Python drivers. More drivers will be added in the coming months.

Client-Side FLE provides amongst the strongest levels of data privacy available today. By expanding our native KMS support, it is even easier for organizations to further enhance the privacy and security of sensitive and regulated workloads with multi-cloud support across ~80 geographic regions.

My databases are already encrypted. What can I do with Client-Side Field Level Encryption?

What makes Client-Side FLE different from other database encryption approaches is that the process is totally separated from the database server. Encryption and decryption is instead handled exclusively within the MongoDB drivers in the client, before sensitive data leaves the application and hits the network.

As a result, all encrypted fields sent to the MongoDB server – whether they are resident in memory, in system logs, at-rest in storage, and in backups – are rendered as ciphertext. Neither the server nor any administrators managing the database or cloud infrastructure staff have access to the encryption keys. Unless the attacker has a compromised DBA password, privileged network access, AND a stolen client encryption key, the data remains protected, securing it against sophisticated exploits.

MongoDB’s Client-Side FLE complements existing network and storage encryption to protect the most highly classified, sensitive fields of your records without:

  • Developers needing to write additional, highly complex encryption logic application-side
  • Compromising your ability to query encrypted data
  • Significantly impacting database performance

By securing data with Client-Side FLE you can move to managed services in the cloud with greater confidence. This is because the database only works with encrypted fields, and you control the encryption keys, rather than having the database provider manage the keys for you. This additional layer of security enforces an even finer-grained separation of duties between those who use the database and those who administer and manage the database.

You can also more easily comply with “right to erasure” mandates in modern privacy legislation such as the GDPR and the CCPA. When a user invokes their right to erasure, you simply destroy the associated field encryption key and the user’s Personally Identifiable Information (PII) is rendered unreadable and irrecoverable to anyone.

Client-Side FLE Implementation

Client-Side FLE is highly flexible. You can selectively encrypt individual fields within a document, multiple fields within the document, or the entire document. Each field can be optionally secured with its own key and decrypted seamlessly on the client.

To check-out how Client-Side FLE works, take a look at this handy animation.

The flow of a query submitted by an authenticated client using FLE

Client-Side FLE uses standard NIST FIPS-certified encryption primitives including AES at the 256-bit security level, in authenticated CBC mode: AEAD AES-256-CBC encryption algorithm with HMAC-SHA-512 MAC.

Data encryption keys are protected by strong symmetric encryption with standard wrapping Key Encryption Keys, which can be natively integrated with external key management services backed by FIPS 140-2 validated Hardware Security Modules (HSMs). Initially this was with Amazon’s KMS, and now with Azure Key Vault and Google Cloud KMS in preview. Alternatively, you can use remote secure web services to consume an external key or a secrets manager such as Hashicorp Vault.

Getting Started

  • To learn more, download our Guide to Client-Side FLE. The Guide will provide you an overview of how Client-Side FLE is implemented, use-cases for it, and how it complements existing encryption mechanisms to protect your most sensitive data.
  • Review the Client-Side FLE key management documentation for more details on how to configure your chosen KMS.

Safe Harbor

The development, release, and timing of any features or functionality described for our products remains at our sole discretion. This information is merely intended to outline our general product direction and it should not be relied on in making a purchasing decision nor is this a commitment, promise or legal obligation to deliver any material, code, or functionality.

← Previous

Join Us for MongoDB.live: 10 Reasons to Attend

Digital transformation has accelerated during the COVID-19 pandemic, as organizations implement new capabilities to support employees and customers and keep things running. The need to build and deploy modern applications has never been greater. For developers, it’s both a challenge and an opportunity. What more can and should they be doing? MongoDB is hosting a series of virtual events around the world to help developers take a deep breath (including exercise breaks!), connect with their peers and our experts, build skills, and brainstorm over projects and new capabilities. Our MongoDB.live events begin Nov. 10 in Northern Europe, with stops in other regions over the next two months. The agenda is tailored to local audiences, so it will feel close to home even as you join remotely. Each agenda is packed with great speakers and content. You can see what it’s all about — and register — here . There will be something for everyone at MongoDB.live. Here are 10 of my favorite reasons to participate. It only makes sense that we begin our day-long event with an eye-opening cup of coffee. Learn about the chemistry of a strong ‘cup of Joe’ from a professional coffee educator in a session titled, “The Science of the Perfect Cup of Coffee.” Dig into performance tuning with a talk on “system thinking” — a way of thinking about complex systems that is both common sense and counterintuitive. This “tales from the field” session is targeted at developers, architects, DevOps engineers, and DBAs. Get even more value from mobile application data in a session focused on how to use MongoDB Atlas to build a MongoDB Realm-based application. Schema design is fundamental to building and managing databases, so we’re bringing together experts to tackle your questions in an Ask Me Anything panel on schema design. Meet the author (and maybe get a free copy) of the book titled, “Soonish: The Emerging Technologies That’ll Improve and/or Ruin Everything.” With a provocative premise like that, how can we not attend? Take a deep dive into the MERN/MEAN stack in a hands-on tutorial. By the end of this 90-minute session, you’ll have a fully managed, auto-scaling application hosted free on MongoDB Atlas. Customer spotlight with Sainsbury, the 150-year-old British retailer that is giving its developers the time and freedom to innovate and push boundaries. Not everyone is an expert MongoDB developer — yet! This “jumpstart” tutorial will help beginners get started with MongoDB’s most indispensable tools, including Atlas, Realm, and Compass. Learn about using MongoDB and Kubernetes together in a session that provides an overview of the architecture, key features, and future outlook of our Kubernetes products. Ask MongoDB! MongoDB VPs of Product Management, Andrew Davidson and Chirag Shah, will field questions from attendees. This is your chance to go straight to our experts with any questions you have. And there will be much more, including community networking, virtual pub trivia, and live Q&A panels. It’s all designed to help you learn, network, and prepare for what’s next — and it’s free. Please join us be registering here .

November 9, 2020
Next →

Building AI With MongoDB: Integrating Vector Search And Cohere to Build Frontier Enterprise Apps

Cohere is the leading enterprise AI platform, building large language models (LLMs) which help businesses unlock the potential of their data. Operating at the frontier of AI, Cohere’s models provide a more intuitive way for users to retrieve, summarize, and generate complex information. Cohere offers both text generation and embedding models to its customers. Enterprises running mission-critical AI workloads select Cohere because its models offer the best performance-cost tradeoff and can be deployed in production at scale. Cohere’s platform is cloud-agnostic. Their models are accessible through their own API as well as popular cloud managed services, and can be deployed on a virtual private cloud (VPC) or even on-prem to meet companies where their data is, offering the highest levels of flexibility and control. Cohere’s leading Embed 3 and Rerank 3 models can be used with MongoDB Atlas Vector Search to convert MongoDB data to vectors and build a state-of-the-art semantic search system. Search results also can be passed to Cohere’s Command R family of models for retrieval augmented generation (RAG) with citations. Check out our AI resource page to learn more about building AI-powered apps with MongoDB. A new approach to vector embeddings It is in the realm of embedding where Cohere has made a host of recent advances. Described as “AI for language understanding,” Embed is Cohere’s leading text representation language model. Cohere offers both English and multilingual embedding models, and gives users the ability to specify the type of data they are computing an embedding for (e.g., search document, search query). The result is embeddings that improve the accuracy of search results for traditional enterprise search or retrieval-augmented generation. One challenge developers faced using Embed was that documents had to be passed one by one to the model endpoint, limiting throughput when dealing with larger data sets. To address that challenge and improve developer experience, Cohere has recently announced its new Embed Jobs endpoint . Now entire data sets can be passed in one operation to the model, and embedded outputs can be more easily ingested back into your storage systems. Additionally, with only a few lines of code, Rerank 3 can be added at the final stage of search systems to improve accuracy. It also works across 100+ languages and offers uniquely high accuracy on complex data such as JSON, code, and tabular structure. This is particularly useful for developers who rely on legacy dense retrieval systems. Demonstrating how developers can exploit this new endpoint, we have published the How to use Cohere embeddings and rerank modules with MongoDB Atlas tutorial . Readers will learn how to store, index, and search the embeddings from Cohere. They will also learn how to use the Cohere Rerank model to provide a powerful semantic boost to the quality of keyword and vector search results. Figure 1: Illustrating the embedding generation and search workflow shown in the tutorial Why MongoDB Atlas and Cohere? MongoDB Atlas provides a proven OLTP database handling high read and write throughput backed by transactional guarantees. Pairing these capabilities with Cohere’s batch embeddings is massively valuable to developers building sophisticated gen AI apps. Developers can be confident that Atlas Vector Search will handle high scale vector ingestion, making embeddings immediately available for accurate and reliable semantic search and RAG. Increasing the speed of experimentation, developers and data scientists can configure separate vector search indexes side by side to compare the performance of different parameters used in the creation of vector embeddings. In addition to batch embeddings, Atlas Triggers can also be used to embed new or updated source content in real time, as illustrated in the Cohere workflow shown in Figure 2. Figure 2: MongoDB Atlas Vector Search supports Cohere’s batch and real time workflows. (Image courtesy of Cohere) Supporting both batch and real-time embeddings from Cohere makes MongoDB Atlas well suited to highly dynamic gen AI-powered apps that need to be grounded in live, operational data. Developers can use MongoDB’s expressive query API to pre-filter query predicates against metadata, making it much faster to access and retrieve the more relevant vector embeddings. The unification and synchronization of source application data, metadata, and vector embeddings in a single platform, accessed by a single API, makes building gen AI apps faster, with lower cost and complexity. Those apps can be layered on top of the secure, resilient, and mature MongoDB Atlas developer data platform that is used today by over 45,000 customers spanning startups to enterprises and governments handling mission-critical workloads. What's next? To start your journey into gen AI and Atlas Vector Search, review our 10-minute Learning Byte . In the video, you’ll learn about use cases, benefits, and how to get started using Atlas Vector Search.

April 25, 2024