Docs Menu
Docs Home
MongoDB Manual
/ / / / /

CSFLE Encryption Components

On this page

  • Diagram
  • Components
  • libmongocrypt
  • mongocryptd
  • Key Vault collection
  • Key Management System
  • MongoDB Cluster

The following diagram illustrates the relationships between a MongoDB driver or mongosh and each component of Client-Side Field Level Encryption (CSFLE):

Diagram of relationships between driver and encryption components

The following sections discuss the individual components of the preceding diagram.

libmongocrypt is the Apache-licensed open-source core cryptography library used by the official MongoDB drivers and mongosh to power Client-Side Field Level Encryption. Some drivers may require specific integration steps to install or link the library.

To view steps for installing libmongocrypt, see the libmongocrypt reference page.

mongocryptd supports automatic encryption and is only available with MongoDB Enterprise. mongocryptd does not perform cryptographic functions.

To learn more about mongocryptd, see Install and Configure mongocryptd for CSFLE.

The Key Vault collection is a standard MongoDB collection that stores all Data Encryption Keys used to encrypt application data. Data Encryption Keys are themselves encrypted using a Customer Master Key (CMK) prior to storage in the Key Vault collection. You can host your Key Vault collection on a different MongoDB cluster than the cluster storing your encrypted application data.

To learn more about the Key Vault collection, see Encryption Keys and Key Vaults.

The Key Management System (KMS) stores the Customer Master Key (CMK) used to encrypt Data Encryption Keys.

To view a list of all KMS providers MongoDB supports, see KMS Providers.

The MongoDB cluster which stores the encrypted data may also enforce Client-Side Field Level Encryption. For more information on server-side schema enforcement, see CSFLE Server-Side Schema Enforcement.


MongoClient Options for CSFLE


How CSFLE Decrypts Documents