Docs Menu

Docs HomeDevelop ApplicationsMongoDB Manual

Use Automatic Queryable Encryption with GCP

On this page

  • Overview
  • Before You Get Started
  • Set Up the KMS
  • Register a GCP Service Account
  • Create a GCP Customer Master Key
  • Create the Application
  • Assign Your Application Variables
  • Create your Encrypted Collection
  • Insert a Document with Encrypted Fields
  • Query on an Encrypted Field
  • Learn More

Overview

This guide shows you how to build an application that implements the MongoDB Queryable Encryption feature to automatically encrypt and decrypt document fields and use Google Cloud Key Management Service for key management.

After you complete the steps in this guide, you should have:

  • A CMK managed by Google Cloud Key Management Service

  • A working client application that inserts documents with encrypted fields using your CMK

Tip

Customer Master Keys

To learn more about the Customer Master Key, read the Keys and Key Vaults documentation.

Before You Get Started

To complete and run the code in this guide, you need to set up your development environment as shown in the Installation Requirements page.

Tip

See: Full Application

To see the complete code for this sample application, select the tab corresponding to your programming language and follow the provided link. Each sample application repository includes a README.md file that you can use to learn how to set up your environment and run the application.

Set Up the KMS

1

Register a GCP Service Account

1

Register or log in to your existing account on Google Cloud.

2

Create a service account for your project

To create a service account on Google Cloud, follow the Creating a service account guide in Google's official documentation.

3

Add a service account key

To add a service account key on Google Cloud, follow the Managing service account keys guide in Google's official documentation.

2

Create a GCP Customer Master Key

1

Create a new Customer Master Key

Create a key ring and a symmetric key by following the Create a key guide from Google's official documentation.

This key is your Customer Master Key (CMK).

Record the following details of your CMK for use in a future step of this tutorial.

Field
Required
Description
key_name
Yes
Identifier for the CMK.
key_ring
Yes
Identifier for the group of keys your key belongs to.
key_version
No
The version of the named key.
location
Yes
Region specified for your key.
endpoint
No
The host and optional port of the Google Cloud KMS. The default value is cloudkms.googleapis.com.

Create the Application

1

Assign Your Application Variables

The code samples in this tutorial use the following variables to perform the Queryable Encryption workflow:

Important

Key Vault Collection Namespace Permissions

The Key Vault collection is in the encryption.__keyVault namespace. Ensure that the database user your application uses to connect to MongoDB has ReadWrite permissions on this namespace.

2

Create your Encrypted Collection

1

Add Your Google Cloud Key Management Service Credentials

Create a variable containing your Google Cloud Key Management Service credentials with the following structure:

2

Add your Customer Master Key Credentials

Create a variable containing your Customer Master Key credentials with the following structure. Use the credentials you recorded in the Create a new Customer Master Key step of this tutorial.

3

Set Your Automatic Encryption Options

Note

Automatic Encryption Options

The automatic encryption options provide configuration information to the Automatic Encryption Shared Library, which modifies the application's behavior when accessing encrypted fields.

To learn more about the Automatic Encryption Shared Library, see the Automatic Encryption Shared Library for Queryable Encryption page.

4

Create a Client to Set Up an Encrypted Collection

To create a client used to encrypt and decrypt data in your collection, instantiate a new MongoClient by using your connection URI and your automatic encryption options.

5

Specify Fields to Encrypt

To encrypt a field, add it to the encryption schema. To enable queries on a field, add the "queries" property. Create the encryption schema as follows:

Note

In the previous code sample, both the "ssn" and "billing" fields are encrypted, but only the "ssn" field can be queried.

6

Create the Collection

Instantiate ClientEncryption to access the API for the encryption helper methods.

3

Insert a Document with Encrypted Fields

4

Query on an Encrypted Field

The following code sample executes a find query on an encrypted field and prints the decrypted data:

The output of the preceding code sample should look similar to the following:

{
  "_id": {
    "$oid": "648b384a722cb9b8392df76a"
  },
  "name": "Jon Doe",
  "record": {
    "ssn": "987-65-4320",
    "billing": {
      "type": "Visa",
      "number": "4111111111111111"
    }
  },
  "__safeContent__": [
    {
      "$binary": {
        "base64": "L1NsYItk0Sg+oL66DBj6IYHbX7tveANQyrU2cvMzD9Y=",
        "subType": "00"
      }
    }
  ]
}

Warning

Do not Modify the __safeContent__ Field

The __safeContent__ field is essential to Queryable Encryption. Do not modify the contents of this field.

Learn More

To learn how Queryable Encryption works, see Fundamentals.

To learn more about the topics mentioned in this guide, see the following links:

  • Learn more about Queryable Encryption components on the Reference page.

  • Learn how Customer Master Keys and Data Encryption Keys work on the Keys and Key Vaults page.

  • See how KMS Providers manage your Queryable Encryption keys on the KMS Providers page.

← Use Automatic Queryable Encryption with Azure
Use Automatic Queryable Encryption with KMIP →

On this page