How to store Realm client data encrypted on MongoDB Atlas?

Currently data can be encrypted on the Realm client device, but is stored unencrypted in MongoDB Atlas as the quote below shows. I want data to be encrypted with a Zero-Knowledge encryption approach:

“Zero-Knowledge encryption means that service providers know nothing about the content of the data you store on their servers.” Field names can be unencrypted, but the actual data should be encrypted (‘field encryption’). For example the Joplin App is taking such an approach, calling it End to End Encryption.

Therefore the private key should be generated on the device and not be stored on the server and should only be accessible to the user.

I believe this is not built-in with the current version of Realm Sync / MongoDB Atlas. For my use case, the data on the device still needs to be accessible for a search query (unencrypted while logged in), but I do not need to be able to search the data on the Atlas Server, as searching the local data is sufficient.

I wonder if Realm (on the device) provides any hooks which make this possible. Would encryption possibly get in the way of synchronisation? What would be a feasible approach I could use to encrypt the data with a private key, before it is sent to the server and synchronised?

References

Documentation: Encryption and Realm Sync

You can encrypt a synced realm. MongoDB Realm only encrypts the data on the device and stores the data unencrypted in your MongoDB Atlas data source.

  • MongoDB does provide Field Level Encryption (for their Enterprise version), but this does not appear to be available via the Realm mobile SDKs. (Also, my project does not have access to the enterprise version.)

3 Likes

Did you ever find a solution to this?

2 Likes

Still no real solutions to this beyond manually handling it by encrypting the fields yourself. This is a crucial security and privacy feature and, with MongoDB 7.0 expanding support for Field Level Encryption, it would make a ton of sense with sync support.
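The manual approach mentioned in the last reply, sketched as an added example (not part of any post in this thread and not Realm or MongoDB code): field values are encrypted on the device before the object is written to the synced store, while field names stay in plaintext. It assumes Node.js with its built-in `crypto` module; the function names, the choice of scrypt with AES-256-GCM, and the sample record are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Derive the 256-bit key on the device from a user secret. The key itself is
// never uploaded; a random per-user salt is not secret and can be stored.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// AES-256-GCM with a fresh 96-bit IV per value. The field name is bound as
// associated data, so a ciphertext moved to another field fails to decrypt.
function encryptField(key, fieldName, value) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(fieldName, 'utf8'));
  const body = Buffer.concat([cipher.update(JSON.stringify(value), 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
}

// Throws if the key is wrong or the stored value was modified or relocated.
function decryptField(key, fieldName, encoded) {
  const raw = Buffer.from(encoded, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(fieldName, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Apply fn to the listed fields only; field names and other fields (for
// example _id) stay readable so the record can still be synced and merged.
function mapFields(record, secretFields, fn) {
  const out = { ...record };
  for (const name of secretFields) {
    if (name in out) out[name] = fn(name, out[name]);
  }
  return out;
}
const sealRecord = (key, rec, fields) => mapFields(rec, fields, (n, v) => encryptField(key, n, v));
const openRecord = (key, rec, fields) => mapFields(rec, fields, (n, v) => decryptField(key, n, v));

// Constructed sample data, not taken from the thread.
const SECRET_FIELDS = ['title', 'body'];
const sampleNote = { _id: 'note-1', title: 'Clinic visit', body: 'Follow-up in 3 weeks' };
```

Because the synced object then holds ciphertext, searching on the device needs a decrypted copy kept outside the synced data, which is an app design assumption rather than a Realm feature. Losing the passphrase means losing the data, since the server never holds the key.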