Queryable Encryption & Client-Side Field Level Encryption

I am studying about “Queryable Encryption” and “Client-Side Field Level Encryption”.
But to me, these two look so similar.

Queryable Encryption
Queryable Encryption is a feature of MongoDB that enables a client application to encrypt data before transporting it over the network using fully randomized encryption, while maintaining queryability. Sensitive data is transparently encrypted and decrypted by the client and only communicated to and from the server in encrypted form. The security guarantees for sensitive fields containing both low cardinality (low-frequency) data and high cardinality data are identical.

Client-Side Field Level Encryption
Client-Side Field Level Encryption (CSFLE) is a feature of MongoDB that enables a client application to encrypt data before transporting it over the network. Sensitive data is transparently encrypted and decrypted by the client and only communicated to and from the server in encrypted form.

I think the difference between the two is that Queryable Encryption maintains queryability and uses randomized encryption, and Client-Side Field Level Encryption uses a set encryption method (deterministic encryption).

Is this correct?

And what is Queryable?

Hi Kim and thank you for your question.

You are correct that in the current Public Preview the difference between the two is how the data is encrypted. To make a field queryable on an exact match in Client-Side Field Level Encryption we use deterministic encryption. Deterministic encryption is strong encryption for most data, but if you have fields that are low cardinality, meaning very few possible values, it can be subject to inference attacks. With Queryable Encryption the data is always encrypted randomly, so it is not subject to those same inference attacks on low cardinality data, and you can still run an exact match query. The Public Preview of Queryable Encryption is our first release and only supports exact matches right now, but additional querying capabilities (ranges, prefix, suffix and substring) are planned in the near future.

So to recap -

  • Both solutions provide full, end-to-end protection of the data
  • Client-side Field Level Encryption supports exact match queries using deterministic encryption
  • Queryable Encryption supports, or is planned to support in the future, exact match (equality), range, prefix, suffix and substring queries on randomly encrypted data.

I hope that helps and keep an eye out for announcements of those new features.

Cynthia

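The trade-off Cynthia describes, as an added example that is not part of the original thread and is not MongoDB's or any driver's code: a toy client-side field encryptor (assumptions: AES-128-CBC with PKCS#7 padding, the IV prepended to the ciphertext, no authentication tag) whose deterministic mode derives the IV from an HMAC of the plaintext and whose randomized mode draws a fresh IV. Against a constructed, low-cardinality blood-type column it shows three things at once: the server can answer an exact-match query only on the deterministic ciphertexts (a query is just a byte comparison), the deterministic column leaks the value frequencies, and a frequency-ranking attack with no key recovers every row from a public prior. Randomized encryption stops the attack but also stops the server from matching, which is the gap Queryable Encryption is built to close (its index structures are not modeled here). All names, keys and the `BloodTypePrior` distribution are made up for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// FieldEncryptor is a toy model of client-side field encryption written for this thread,
// not MongoDB's construction. Assumed: AES-128-CBC, PKCS#7 padding, IV||ciphertext, no tag.
type FieldEncryptor struct {
	EncKey []byte // 16-byte AES key
	IVKey  []byte // separate HMAC key used only to derive deterministic IVs
}

// Encrypt returns IV||CBC(plaintext). Deterministic mode derives the IV from an HMAC of the
// plaintext, so equal plaintexts give identical ciphertexts; randomized mode uses a fresh IV.
func (e FieldEncryptor) Encrypt(plaintext []byte, deterministic bool) []byte {
	block, err := aes.NewCipher(e.EncKey)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, aes.BlockSize)
	if deterministic {
		mac := hmac.New(sha256.New, e.IVKey)
		mac.Write(plaintext)
		copy(iv, mac.Sum(nil)) // first 16 bytes of the 32-byte HMAC-SHA256 tag
	} else if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 padding
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := append(append([]byte{}, iv...), make([]byte, len(padded))...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	return out
}

// Histogram counts each distinct stored ciphertext: all a server-side attacker sees.
func Histogram(column [][]byte) map[string]int {
	h := map[string]int{}
	for _, ct := range column {
		h[string(ct)]++
	}
	return h
}

// CountEqual models a server-side exact-match query: the server can only compare bytes.
func CountEqual(column [][]byte, needle []byte) int { return Histogram(column)[string(needle)] }

func rankByCount(m map[string]int) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Slice(keys, func(i, j int) bool { return m[keys[i]] > m[keys[j]] })
	return keys
}

// InferByFrequency is the inference attack the answer warns about: with a public prior for a
// low-cardinality field, rank ciphertexts by count, rank plaintexts by prior, pair them off.
func InferByFrequency(column [][]byte, prior map[string]int) map[string]string {
	h := Histogram(column)
	if len(h) != len(prior) { // randomized mode: every row distinct, nothing to rank
		return nil
	}
	cts, pts, guess := rankByCount(h), rankByCount(prior), map[string]string{}
	for i := range cts {
		guess[cts[i]] = pts[i]
	}
	return guess
}

// BloodTypePrior is constructed data: it generates the sample rows and is the attacker's prior.
var BloodTypePrior = map[string]int{"O+": 38, "A+": 34, "B+": 9, "O-": 7, "A-": 6, "AB+": 3, "B-": 2, "AB-": 1}

// SampleColumn encrypts 100 constructed rows and returns them with their true plaintexts.
func SampleColumn(enc FieldEncryptor, deterministic bool) (cts [][]byte, truth []string) {
	for _, t := range rankByCount(BloodTypePrior) {
		for i := 0; i < BloodTypePrior[t]; i++ {
			cts, truth = append(cts, enc.Encrypt([]byte(t), deterministic)), append(truth, t)
		}
	}
	return cts, truth
}

func main() {
	enc := FieldEncryptor{EncKey: bytes.Repeat([]byte{0x11}, 16), IVKey: bytes.Repeat([]byte{0x22}, 32)}
	for _, det := range []bool{true, false} {
		col, _ := SampleColumn(enc, det)
		fmt.Printf("deterministic=%-5v distinct=%3d  O+ query matches=%2d  values inferred=%d\n", det,
			len(Histogram(col)), CountEqual(col, enc.Encrypt([]byte("O+"), det)), len(InferByFrequency(col, BloodTypePrior)))
	}
}
```

Running it prints 8 distinct ciphertexts, 38 matches and 8 inferred values for the deterministic column, and 100 distinct ciphertexts, 0 matches and nothing inferred for the randomized one. The attack needs no key and no access to the client; a read-only view of the collection plus a public distribution is enough, which is why deterministic encryption is only a reasonable choice for high-cardinality fields.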