New MongoDB Shell now supports Client-side Field-level Encryption

Last summer, we introduced mongosh, the new MongoDB Shell with an enhanced user experience and a powerful, Node.js-based scripting environment.

Since then, we have been adding new functionality and APIs to close the gap with the legacy mongo shell, on the path to making it the default shell for MongoDB. In addition to the set of CRUD and other commands that we supported in the first release we recently added:

  • Bulk operations
  • Change Streams
  • Sessions and Transactions
  • Logging and profiling commands
  • Replica set and Sharding configuration commands

Plus some other minor things and utility commands here and there.

This week, we released mongosh 0.8 with support for Client-side Field-level Encryption (FLE).

Support for Client-side Field-level Encryption

MongoDB Client-Side Field-level Encryption (FLE) allows developers to selectively encrypt individual fields of a document using the MongoDB drivers (and now with mongosh as well) on the client before it is sent to the server. This keeps data encrypted (but still queryable) while it is in-use in database memory, and protects it from the providers hosting the database, as well as from any user that has direct access to the database.

Back in November, we announced that in addition to AWS’ KMS, Client-side FLE now supports key management systems in Azure and Google Cloud in beta.

The most recent version of the MongoDB Shell makes it easy to test this functionality in a few easy steps:

  1. Create a free Atlas Cluster

  2. Install mongosh.

  3. Check out our documentation to set up your KMS in Azure or GCP.

  4. Start encrypting!

To make it easier to get started with Client-Side FLE, here are two simple scripts that you can edit and copy-paste into mongosh: mongosh-fle-gcp-kms to set up Client-side FLE with Google Cloud and mongosh-fle-local-kms to use a local key.

In the screenshot below, you can see a document that was encrypted on the client with automatic encryption before it was sent across the wire and inserted into MongoDB. Fields are in clear text in the shell but then are shown as encrypted when connecting with Compass to the same Atlas cluster.

Client-side Field-level Encryption

A Powerful Scripting Environment

As mongosh is built on top of Node.js, it’s a great environment for scripting, no matter if it’s about checking the health status of your replica set or if you want to take a quick look at the data to make sure it’s coming in from your application as you are expecting.

With modules from npm, the experience becomes much more rich and interactive.

For example, if I want to look at the sample_mflix collection available in the Atlas sample datasets and check the distribution of thriller movies over the years, I can put together a simple script that includes running an aggregation and visually formatting the results with an open source library called babar

Mongosh npm Module

This is just one of many ways you can extend the functionality of the MongoDB Shell by taking advantage of the great ecosystem of JavaScript libraries and modules that the community has built over the years and keeps on building every day.

Start Scripting and Let Us Know How it's Working for You!

As we added new functionality to the MongoDB Shell, we tried as much as possible to keep backwards compatibility with mongo, and we were mostly able to do that. In a limited number of cases, however, we took the opportunity to clean up the API and address some unexpected behaviors.

Wondering what’s coming next in mongosh? We are working on adding support for load() and rc files to make it easy to load your scripts into the shell.

If you find something that does not work as expected, please let us know! Simply create a bug in our JIRA project or reach out on Twitter.