The automatic feature of field level encryption is only available in MongoDB Enterprise 4.2 or later, and MongoDB Atlas 4.2 or later clusters.
mongocryptd is installed with MongoDB Enterprise
When you create a CSFLE-enabled MongoDB client, the mongocryptd process starts automatically by default.
Uses the specified automatic encryption rules to mark fields in read and write operations for encryption.
Prevents unsupported operations from executing on encrypted fields.
Parses the encryption schema specified for the database connection. Automatic encryption rules use a strict subset of JSON schema syntax. If the rules contain invalid automatic encryption syntax or any
mongocryptd returns an error.
mongocryptd only performs the previous functions, and doesn't perform any of the following:
mongocryptd doesn't perform encryption or decryption
mongocryptd doesn't access any encryption key material
mongocryptd doesn't listen over the network
To perform client-side field level encryption and automatic decryption, drivers use the Apache-licensed libmongocrypt library.
The official MongoDB 4.2+ compatible drivers, and the 4.2 or later legacy mongo shell require access to the mongocryptd process on the client host machine. These clients search for the mongocryptd process in the system PATH by default.
For supported Linux operating systems, follow the install on Linux tutorial and install the mongodb-enterprise server package. Alternatively, specify mongodb-enterprise-cryptd instead to install only the mongocryptd binary. The package manager installs the binaries to a location in the system PATH (e.g.
For OSX, install the Server package by following the install on MacOS tutorial. The package manager installs binaries to a location in the system PATH.
For Windows, install the Server package by following the install on Windows tutorial. You must add the mongocryptd package to your system PATH after installation. Refer to documented best practices for your Windows installation for instructions on adding the mongocryptd binary to the system PATH.
For installations via an official tarball or ZIP archive, follow the documented best practices for your operating system to add the mongocryptd binary to your system PATH.
If the driver has access to the mongocryptd process, it spawns the process by default.
mongocryptd Port In Use
If a mongocryptd process is already running on the port specified by the driver, the driver may log a warning and continue without spawning a new process. Any settings specified by the driver only apply once the existing process exits and a new encrypted client attempts to connect.
Configure how the driver starts mongocryptd through the
The port from which mongocryptd listens for messages.
Number of idle seconds the mongocryptd process waits
The URI on which to run the
true, prevents the driver from automatically
The full path to
Default: Defaults to empty string and spawns from the system path.
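The PATH lookup, the port-in-use case and the empty spawn-path default described above can be checked before an encrypted client is created. The sketch below is an added example, not MongoDB's or any driver's code; the function names and status strings are hypothetical, and 27020 is mongocryptd's default port, which this page does not state.

```python
import os
import shutil
import socket
import tempfile

DEFAULT_PORT = 27020  # mongocryptd's default port; not stated on this page


def port_in_use(port, host="127.0.0.1", timeout=0.5):
    """True if something already accepts TCP connections on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def preflight(port=DEFAULT_PORT, spawn_path="", search_path=None):
    """Predict what an encrypted client will find when it starts.

    spawn_path: explicit full path to the binary; empty means search PATH.
    search_path: PATH string to search (defaults to the process's PATH).
    """
    if port_in_use(port):
        # The driver may only warn and reuse this process; its own spawn
        # settings do not apply until that process exits.
        return ("existing-process", None)
    binary = spawn_path or shutil.which("mongocryptd", path=search_path)
    if binary and os.path.isfile(binary) and os.access(binary, os.X_OK):
        return ("will-spawn", binary)
    return ("not-found", None)


def demo():
    """Constructed scenario: a fake binary on a temp PATH and a busy port."""
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "mongocryptd")
        with open(fake, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(fake, 0o755)
        with socket.socket() as srv:
            srv.bind(("127.0.0.1", 0))
            srv.listen(1)
            busy = srv.getsockname()[1]
            occupied = preflight(port=busy, search_path=d)
        free = preflight(port=busy, search_path=d)
        missing = preflight(port=busy, search_path=os.path.join(d, "none"))
    return occupied, free, missing


if __name__ == "__main__":
    print(demo())
```

An "existing-process" result is the one to investigate: confirm which binary owns the port, since the client will use that process rather than one started with its own settings.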
Start on Boot
If possible, start mongocryptd on boot, rather than launching it