MongoDB uses the Automatic Encryption Shared Library (recommended) or the mongocryptd executable
process to translate queries into encrypted queries, and to encrypt or decrypt data.
Before You Start
Follow the preceding tasks to install a Queryable Encryption compatible driver and dependencies before continuing.
Choose a Query Analysis Component
Automatic Encryption Shared Library
The Automatic Encryption Shared Library is a dynamic library that enables your client application to perform automatic encryption. A dynamic library is a set of functionality accessed by an application at runtime rather than compile time. The Automatic Encryption Shared Library performs the following tasks:
- Reads the encryption schema to determine which fields to encrypt or decrypt 
- Prevents your application from executing unsupported operations on encrypted fields 
The Automatic Encryption Shared Library does not do any of the following:
- Perform data encryption or decryption 
- Access the encryption key material 
- Listen for data over the network 
The Automatic Encryption Shared Library is a preferred alternative to mongocryptd and doesn't require you to start another process to perform automatic encryption.
mongocryptd
Important
Use the Automatic Encryption Shared Library
If you are starting a new project, use the Automatic Encryption Shared Library. The
Automatic Encryption Shared Library replaces mongocryptd and does not require
you to start a new process.
mongocryptd is installed with MongoDB Enterprise
Server.
When you create a MongoDB client with In-Use Encryption, the
mongocryptd process starts automatically by default.
The mongocryptd process:
- Uses the specified automatic encryption rules to mark fields in read and write operations for encryption. 
- Prevents unsupported operations from executing on encrypted fields. 
- Parses the encryption schema specified for the database connection. Automatic encryption rules use a strict subset of JSON schema syntax. If the rules contain invalid automatic encryption syntax or any schema validation syntax, mongocryptd returns an error. 
mongocryptd only performs the previous functions, and doesn't
perform any of the following:
- mongocryptd doesn't perform encryption or decryption 
- mongocryptd doesn't access any encryption key material 
- mongocryptd doesn't listen over the network 
To perform field encryption and automatic decryption, the drivers use the Apache-licensed libmongocrypt library.
Procedure
To download the Automatic Encryption Shared Library from the MongoDB Download Center, select the version and platform, then the library.
Tip
To view an expanded list of available releases and packages, see MongoDB Enterprise Downloads.
In the Version dropdown, select 8.0.4 (current).
In the Platform dropdown, select your platform.
In the Package dropdown, select crypt_shared.
Click Download.
To configure how your driver searches for the Automatic Encryption Shared Library, use the following parameters:
| Name | Description | Default |
|---|---|---|
| cryptSharedLibPath | Specifies the absolute path to the Automatic Encryption Shared Library package. | undefined |
| cryptSharedLibRequired | Specifies if the driver must use the Automatic Encryption Shared Library. If true, the driver raises an error when the library is unavailable. If false, the driver falls back to spawning mongocryptd when the library is unavailable. | false |
To view an example demonstrating how to configure these parameters, see the Quick Start.
Install mongocryptd:
For supported Linux Operating Systems:
To install the Server package, follow the install on Linux
tutorial and install the
mongodb-enterprise server package. Alternatively, specify
mongodb-enterprise-cryptd instead to install only the
mongocryptd binary. The package manager installs
the binaries to a location in the system PATH.
For OSX: To install the Server package, follow the install on MacOS tutorial. The package manager installs binaries to a location in the system PATH.
For Windows:
To install the Server package, follow the install on Windows
tutorial. You must add the mongocryptd
package to your system PATH after installation. Follow the documented
best practices for your Windows installation to add the mongocryptd
binary to the system PATH.
To install from an official tarball / ZIP archive:
To install from an official archive, follow the documented best
practices for your operating system to add the mongocryptd binary
to your system PATH.
Configure mongocryptd:
If the driver has access to the mongocryptd process, it spawns the
process by default. Your application must have write permissions on the
working directory to create the mongocryptd.pid file.
Important
Start on Boot
If possible, start mongocryptd on boot, rather than launching it
on demand.
Configure how the driver starts mongocryptd through the
following parameters:
| Name | Description | Default |
|---|---|---|
| port | The port on which mongocryptd listens for messages. | 27020 |
| idleShutdownTimeoutSecs | Number of idle seconds the mongocryptd process waits before exiting. | 60 |
| mongocryptdURI | The URI on which the driver reaches the mongocryptd process. | "mongodb://localhost:27020" |
| mongocryptdBypassSpawn | When true, prevents the driver from automatically spawning mongocryptd. | false |
| mongocryptdSpawnPath | The full path to mongocryptd. | Empty string; the driver spawns mongocryptd from the system PATH |
port and idleShutdownTimeoutSecs are command-line options of the mongocryptd binary itself; the driver passes them through the mongocryptdSpawnArgs extra option, as the examples below show. If you change the port, set mongocryptdURI to match, because the driver connects to mongocryptdURI and does not derive it from the spawn arguments.
If a mongocryptd process is already running on the port specified by
the driver, the driver may log a warning and continue without spawning a
new process. Any settings specified by the driver only apply once the
existing process exits and a new encrypted client attempts to connect.
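The following is an added, driver-independent example (not code from this page or from any MongoDB driver) that applies the two selection and configuration procedures above in one preflight helper: it prefers the Automatic Encryption Shared Library, fails closed when the library is required but missing, otherwise falls back to mongocryptd, and refuses a mongocryptdURI whose port disagrees with the --port passed in the spawn arguments. The option keys are the extraOptions names from the tables on this page. The library file name mongo_crypt_v1.so is a constructed stand-in created in a temporary directory, and /usr/local/bin/mongocryptd is an assumed install location, not a value taken from the page.

```python
import os
import shutil
import tempfile
from urllib.parse import urlparse

# mongocryptd defaults documented on this page.
DEFAULT_MONGOCRYPTD_PORT = 27020
DEFAULT_IDLE_SHUTDOWN_SECS = 60


def mongocryptd_port_from_args(spawn_args):
    """Return the port mongocryptd will listen on for the given spawn args.

    Accepts both "--port=30000" and "--port", "30000"; with no --port the
    mongocryptd default (27020) applies.
    """
    args = [str(a) for a in spawn_args]
    for i, arg in enumerate(args):
        if arg.startswith("--port="):
            return int(arg.split("=", 1)[1])
        if arg == "--port" and i + 1 < len(args):
            return int(args[i + 1])
    return DEFAULT_MONGOCRYPTD_PORT


def build_extra_options(crypt_shared_lib_path=None, crypt_shared_lib_required=True,
                        mongocryptd_spawn_path=None, mongocryptd_spawn_args=(),
                        mongocryptd_uri=None, mongocryptd_bypass_spawn=False):
    """Build a consistent extraOptions dict for an auto-encryption client.

    Fail closed: when the shared library is required, a missing file is an
    error here, before any client is constructed. Otherwise fall back to
    mongocryptd and make sure the driver can actually find and reach it.
    """
    opts = {}
    if crypt_shared_lib_path is not None:
        path = os.path.abspath(crypt_shared_lib_path)
        if os.path.isfile(path):
            opts["cryptSharedLibPath"] = path
            opts["cryptSharedLibRequired"] = bool(crypt_shared_lib_required)
            return opts
        if crypt_shared_lib_required:
            raise FileNotFoundError(f"crypt_shared library not found: {path}")
    elif crypt_shared_lib_required:
        raise ValueError("cryptSharedLibRequired is true but no cryptSharedLibPath was given")

    # mongocryptd fallback: spawn args, URI and spawn path must agree.
    args = [str(a) for a in mongocryptd_spawn_args]
    port = mongocryptd_port_from_args(args)
    uri = mongocryptd_uri or f"mongodb://localhost:{port}"
    uri_port = urlparse(uri).port or DEFAULT_MONGOCRYPTD_PORT
    if uri_port != port:
        raise ValueError(f"mongocryptdURI port {uri_port} does not match spawn --port {port}")
    opts["mongocryptdSpawnArgs"] = args
    opts["mongocryptdURI"] = uri
    opts["mongocryptdBypassSpawn"] = bool(mongocryptd_bypass_spawn)
    if mongocryptd_spawn_path:
        opts["mongocryptdSpawnPath"] = mongocryptd_spawn_path
    elif not mongocryptd_bypass_spawn and shutil.which("mongocryptd") is None:
        raise FileNotFoundError("mongocryptd is not on PATH; install it or set mongocryptdSpawnPath")
    return opts


def demo():
    """Worked run over constructed inputs; returns the outcomes for inspection."""
    results = {}
    tmpdir = tempfile.mkdtemp()
    # Constructed stand-in for the downloaded library, not a real crypt_shared build.
    lib = os.path.join(tmpdir, "mongo_crypt_v1.so")
    with open(lib, "wb") as f:
        f.write(b"")
    results["shared"] = build_extra_options(crypt_shared_lib_path=lib)
    results["cryptd"] = build_extra_options(
        crypt_shared_lib_required=False,
        mongocryptd_spawn_path="/usr/local/bin/mongocryptd",  # assumed location
        mongocryptd_spawn_args=["--port", "30000", "--idleShutdownTimeoutSecs=75"],
    )
    try:  # required library that does not exist: fail closed
        build_extra_options(crypt_shared_lib_path=os.path.join(tmpdir, "missing.so"))
    except FileNotFoundError:
        results["missing_required"] = "FileNotFoundError"
    try:  # spawn port changed but URI left at the default: refuse
        build_extra_options(crypt_shared_lib_required=False,
                            mongocryptd_spawn_path="/usr/local/bin/mongocryptd",
                            mongocryptd_spawn_args=["--port=30000"],
                            mongocryptd_uri="mongodb://localhost:27020")
    except ValueError:
        results["port_mismatch"] = "ValueError"
    shutil.rmtree(tmpdir)
    return results
```

The returned dict is what you would hand to your driver: in PyMongo the same keys exist as keyword arguments of AutoEncryptionOpts (crypt_shared_lib_path, crypt_shared_lib_required, mongocryptd_uri, mongocryptd_spawn_path, mongocryptd_spawn_args, mongocryptd_bypass_spawn), and the other drivers accept them through extraOptions as shown in the examples below. Keeping crypt_shared_lib_required true in production is the fail-closed choice: a client that silently falls back to a mongocryptd it cannot spawn still starts, but every operation on an encrypted field then fails at runtime instead of at startup.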
Examples
The following examples, grouped by driver, show how to configure your mongocryptd
process from your application:
C#
The following code-snippet sets the listening port configuration
of mongocryptd:
```csharp
var extraOptions = new Dictionary<string, object>()
{
    { "mongocryptdSpawnArgs", new[] { "--port=30000" } },
    { "mongocryptdURI", "mongodb://localhost:30000" }, // must match the --port above
};
// With() returns a new AutoEncryptionOptions; keep the result.
autoEncryptionOptions = autoEncryptionOptions.With(extraOptions: extraOptions);
```
The following code-snippet sets the default timeout configuration
of mongocryptd (idleShutdownTimeoutSecs is a mongocryptd option, so it is passed
through mongocryptdSpawnArgs):
```csharp
var extraOptions = new Dictionary<string, object>()
{
    { "mongocryptdSpawnArgs", new[] { "--idleShutdownTimeoutSecs=60" } },
};
autoEncryptionOptions = autoEncryptionOptions.With(extraOptions: extraOptions);
```
Go
The following code-snippet sets the listening port configuration
of mongocryptd:
```go
extraOptions := map[string]interface{}{
    "mongocryptdSpawnArgs": []string{
        "--port=30000",
    },
    "mongocryptdURI": "mongodb://localhost:30000", // must match the --port above
}
```
The following code-snippet sets the default timeout configuration
of mongocryptd:
```go
extraOptions := map[string]interface{}{
    "mongocryptdSpawnArgs": []string{
        "--idleShutdownTimeoutSecs=75",
    },
}
```
Java
The following code-snippet sets the listening port configuration
of mongocryptd:
```java
import com.mongodb.AutoEncryptionSettings;
import java.util.*;

List<String> spawnArgs = new ArrayList<String>();
spawnArgs.add("--port=30000");
Map<String, Object> extraOpts = new HashMap<String, Object>();
extraOpts.put("mongocryptdSpawnArgs", spawnArgs);
extraOpts.put("mongocryptdURI", "mongodb://localhost:30000"); // must match --port
AutoEncryptionSettings autoEncryptionSettings = AutoEncryptionSettings.builder()
    // ... other required settings ...
    .extraOptions(extraOpts)
    .build();
```
The following code-snippet sets the default timeout configuration
of mongocryptd (List.add returns a boolean, so the calls cannot be chained):
```java
List<String> spawnArgs = new ArrayList<String>();
spawnArgs.add("--idleShutdownTimeoutSecs");
spawnArgs.add("60");
Map<String, Object> extraOpts = new HashMap<String, Object>();
extraOpts.put("mongocryptdSpawnArgs", spawnArgs);
AutoEncryptionSettings autoEncryptionSettings = AutoEncryptionSettings.builder()
    // ... other required settings ...
    .extraOptions(extraOpts)
    .build();
```
Node.js
The following code-snippet sets the listening port configuration
of mongocryptd (a fragment of the MongoClient options object):
```javascript
autoEncryption: {
  // ...
  extraOptions: {
    mongocryptdSpawnArgs: ["--port", "30000"],
    mongocryptdURI: "mongodb://localhost:30000",
  },
},
```
Note
In the NodeJS driver, as in the other drivers, the mongocryptdURI must match the listening port; otherwise the driver connects to the default port 27020 while the spawned process listens elsewhere.
The following code-snippet sets the default timeout configuration
of mongocryptd:
```javascript
autoEncryption: {
  // ...
  extraOptions: {
    mongocryptdSpawnArgs: ["--idleShutdownTimeoutSecs", "75"],
  },
},
```
Python
The following code-snippet sets the listening port configuration
of mongocryptd:
```python
from pymongo.encryption_options import AutoEncryptionOpts

auto_encryption_opts = AutoEncryptionOpts(
    kms_providers,        # required positional argument; configured elsewhere
    key_vault_namespace,  # required positional argument; configured elsewhere
    mongocryptd_spawn_args=["--port=30000"],
    mongocryptd_uri="mongodb://localhost:30000",  # must match the --port above
)
```
The following code-snippet sets the default timeout configuration
of mongocryptd:
```python
from pymongo.encryption_options import AutoEncryptionOpts

auto_encryption_opts = AutoEncryptionOpts(
    kms_providers,
    key_vault_namespace,
    mongocryptd_spawn_args=["--idleShutdownTimeoutSecs=75"],
)
```
Next Steps
After installing a query analysis component, create a Customer Master Key in your Key Management System of choice.