Is Zero-Knowledge Encryption for Realm Sync Client Data Stored on MongoDB Atlas Possible?

Currently, data is encrypted on the Realm client device but stored unencrypted in MongoDB Atlas.

I would like to implement Zero-Knowledge encryption, where the service provider does not know the content of the data, with field encryption for actual data.

The private key would be generated on the device and not stored on the server, only accessible to the user.

It is unclear if this is possible with the current version of Atlas Device Sync/MongoDB Atlas.

Ideally, I would ensure that the data on the device remains accessible for search queries while logged in, and synchronization will not be affected by encryption.

I’ve seen this post on Stack Overflow which mentions possibly using 2 databases - one synced with Realm and one not.

Is there a feasible approach for encrypting the data with a private key before it is sent to the server for synchronization?


You could theoretically store all fields that you want encrypted as BinData fields and just store the raw binary in MongoDB. You would not be able to “query” on any of those fields though, so if you need to define a partition key or queryable fields you would need to leave those unencrypted. Then you would have to build the client-side logic to encrypt/decrypt each field before storing it in Realm.

Note that MongoDB has an offering for this (MongoDB Client-Side Field Level Encryption), but unfortunately Device Sync does not support this yet.