MongoDB Announces Queryable Encryption with Equality Query Type Support

Cynthia Braund and Pramod Borkar

The general availability of Queryable Encryption offers end-to-end encryption of sensitive data while preserving the ability to run equality queries on that encrypted data, helping customers meet the strictest data privacy requirements. This technology allows developers to query encrypted sensitive data in a simple, intuitive way. We are releasing the equality query type with the 7.0 release and in future releases will add support to the range, prefix, suffix, and substring query types.

First announced in preview in MongoDB 6.0 in 2022, Queryable Encryption introduced a fast state-of-the-art encrypted search algorithm using innovative cryptography engineering built and designed by MongoDB’s Cryptography Research Group with decades of experience designing state-of-the-art encrypted search algorithms.

Since its initial release last year, MongoDB has worked in partnership with its customers including leading Fortune 500 companies in the healthcare and insurance industries to fine-tune the release for general availability. This client-side encryption approach uses novel encrypted data structures that allow developers to run efficient, expressive queries on encrypted workloads for the first time. Data remains encrypted at all times on the database, including in memory and in the CPU; keys never leave the application and cannot be accessed by the database server.

Queryable Encryption: How it works

Gif displaying how queryable encryption works

Here is a sample flow of operations where an authorized user wants to query the encrypted data. In this example, let’s assume we are retrieving the records for an SSN number.

  1. Authorized users run an equality query to get specific SSN number records

  2. Recognizing the query is against an encrypted field, the driver requests the encryption keys from the customer-provisioned key provider, such as AWS Key Management Service (AWS KMS), Google Cloud KMS, Azure Key Vault, or any KMIP-enabled provider, such as HashiCorp Vault.

  3. The MongoDB driver gets the encryption keys from the key provider

  4. The driver submits the encrypted query along with a cryptographic token to the MongoDB server with the encrypted fields rendered as ciphertext.

  5. Queryable Encryption implements a fast encrypted search algorithm that allows the server to process queries on the encrypted data, without knowing the data. The data and the query itself remain encrypted at all times on the server.

  6. The MongoDB server returns the encrypted results of the query to the driver.

  7. The query results are decrypted with the keys held by the driver and returned to the client and shown as plaintext.

Here are some of the key benefits of Queryable Encryption technology:

  1. Run equality queries on encrypted data: With Queryable Encryption, customers can run equality queries on encrypted data using a fast state-of-the-art encrypted search algorithm. This algorithm allows the server to process and retrieve matching documents without the server understanding anything about the data or why the document should be returned.

  2. Groundbreaking query technology based on standards-based cryptography: Queryable Encryption introduces a fast state-of-the-art encrypted search algorithm that uses NIST standards-based primitives. These are well-tested and established public standards to ensure the confidentiality and integrity of data.

  3. Faster application development cycle: Queryable Encryption allows developers to easily encrypt sensitive data without changes to their application code with many language-specific drivers to choose from. There is no crypto experience required and it’s intuitive and easy for developers to set up and use. Developers don't have to figure out how to use the right algorithms, encryption options, etc to implement their right encryption solution. MongoDB has done all that complex work for them.

  4. Reduce operational risk as sensitive workloads are protected on the cloud: Eliminate common security concerns when moving database workloads to the cloud. Customers can keep their data on any of the cloud providers and be assured that their data is protected. Since encryption keys are only accessible within the customer environment, the data cannot be decrypted by a 3rd party or the cloud provider. The only place where the data is unencrypted is in the application.

  5. Strong technical controls for critical data privacy use cases: Can help customers meet strict data privacy requirements such as HIPAA, GDPR, CCPA, PCI, and more. Queryable Encryption uses strong data protection techniques and end-to-end encryption.


For more information on Queryable Encryption, refer to the following resources: