Docs Menu

Encryption - .NET SDK

On this page

  • Overview
  • Storing & Reusing Keys
  • Encryption and Atlas Device Sync

You can encrypt your realms to ensure that the data stored to disk can't be read outside of your application. You encrypt the realm database file on disk with AES-256 + SHA-2 by supplying a 64-byte encryption key when opening the realm.


For details and code examples for implementing Realm encryption, see Encrypt a Realm.

Realm transparently encrypts and decrypts data with standard AES-256 encryption using the first 256 bits of the given 512-bit encryption key. Realm uses the other 256 bits of the 512-bit encryption key to validate integrity using a hash-based message authentication code (HMAC).


There is a small performance hit (typically less than 10% slower) when using encrypted Realms.

You must pass the same encryption key when opening the encrypted realm again. Apps should securely store the encryption key, typically in the target platform's secure key/value pair storage. You can use Xamarin Secure Storage to simplify the access to underlying storage. Ultimately, it is the developer's responsibility to ensure that attackers cannot easily extract the key.

You can encrypt a synced realm, too. Realm only encrypts the data on the device, and stores the data unencrypted in your Atlas data source. The transfer between client server is fully encrypted.

If you need unique keys for each user of your application, you can use an OAuth provider (such as Xamarin.Auth), or use one of the Realm Authentication providers and an Authentication Trigger to create a 64-bit key and store that key in a user object.

←  Schema Versions & Migrations - .NET SDKApplication Services - .NET SDK →
Give Feedback
© 2022 MongoDB, Inc.


  • Careers
  • Investor Relations
  • Legal Notices
  • Privacy Notices
  • Security Information
  • Trust Center
© 2022 MongoDB, Inc.