
Server-Side Schema Enforcement


In Client-Side Field Level Encryption (CSFLE)-enabled client applications, you can use schema validation to have your MongoDB instance enforce encryption of specific fields. To specify which fields require encryption, use the automatic encryption rule keywords with the $jsonSchema validation object. The server rejects any write operations to that collection where the specified fields are not Binary (BinData) subtype 6 objects.

To learn how a CSFLE-enabled client configured to use automatic encryption behaves when it encounters a server-side schema, see Server-Side Field Level Encryption Enforcement.

To learn how a CSFLE-enabled client configured to use explicit encryption behaves when it encounters a server-side schema, see Server-Side Field Level Encryption Enforcement.

Example

Consider an hr database with an employees collection. Documents in the employees collection have the following form:

    {
      "name": "Jane Doe",
      "age": 51
    }

You want to enforce the following behavior for client applications using your collection:

  • When encrypting the age field, clients must follow these encryption rules:

    • Use the Data Encryption Key with an _id of UUID("e114f7ad-ad7a-4a68-81a7-ebcb9ea0953a").

    • Use the randomized encryption algorithm.

    • The age field must be an integer.

  • When encrypting the name field, clients must follow these encryption rules:

    • Use the Data Encryption Key with an _id of UUID("33408ee9-e499-43f9-89fe-5f8533870617").

    • Use the deterministic encryption algorithm.

    • The name field must be a string.

The following mongosh code uses the collMod command to update the hr.employees collection to include a validator to enforce the preceding behavior:

    db.getSiblingDB("hr").runCommand({
      collMod: "employees",
      validator: {
        $jsonSchema: {
          bsonType: "object",
          properties: {
            age: {
              encrypt: {
                keyId: [UUID("e114f7ad-ad7a-4a68-81a7-ebcb9ea0953a")],
                algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Random",
                bsonType: "int",
              },
            },
            name: {
              encrypt: {
                keyId: [UUID("33408ee9-e499-43f9-89fe-5f8533870617")],
                algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
                bsonType: "string",
              },
            },
          },
        },
      },
    });
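The following Node.js snippet is an added example, not code from the MongoDB docs: it builds the same encrypt validator from a rule table and runs a client-side dry run that mirrors the server rule described above (an encrypt-marked field is accepted only when it arrives as Binary subtype 6). Documents are written in Extended JSON v2 so no bson dependency is needed; the base64 ciphertext in the sample is a constructed placeholder, and the real enforcement remains the server's validator.

```javascript
// Added example (not from the MongoDB docs). Mirrors the server-side check that
// an encrypt-marked field must be BinData subtype 6; the server, not this code,
// is what actually rejects the write.
const RANDOM = "AEAD_AES_256_CBC_HMAC_SHA_512-Random";
const DETERMINISTIC = "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic";

// The hr.employees rules from the page. Key UUIDs are given as Extended JSON.
const rules = {
  age:  { keyId: "e114f7ad-ad7a-4a68-81a7-ebcb9ea0953a", algorithm: RANDOM,        bsonType: "int" },
  name: { keyId: "33408ee9-e499-43f9-89fe-5f8533870617", algorithm: DETERMINISTIC, bsonType: "string" },
};

// Build the validator object you would pass to collMod for these rules.
function buildValidator(fieldRules) {
  const properties = {};
  for (const [field, r] of Object.entries(fieldRules)) {
    properties[field] = {
      encrypt: { keyId: [{ $uuid: r.keyId }], algorithm: r.algorithm, bsonType: r.bsonType },
    };
  }
  return { $jsonSchema: { bsonType: "object", properties } };
}

// True when v is an Extended JSON Binary with subtype 6 (a CSFLE ciphertext).
function isEncryptedBinary(v) {
  return v !== null && typeof v === "object" && v.$binary !== undefined &&
    typeof v.$binary.base64 === "string" && v.$binary.subType === "06";
}

// Dry run of the server rule: returns the encrypt-marked fields that are present
// in doc but are not subtype-6 Binary, i.e. the fields that would make the
// server reject this write. Absent fields are not reported (no "required" rule).
function findUnencryptedFields(doc, validator) {
  const props = validator.$jsonSchema.properties;
  return Object.keys(props)
    .filter((f) => props[f].encrypt && f in doc && !isEncryptedBinary(doc[f]));
}

// Constructed sample documents: a plaintext write and one already encrypted by
// a CSFLE client ("AQ==" is a placeholder, not real ciphertext).
const PLAINTEXT_DOC = { name: "Jane Doe", age: 51 };
const ENCRYPTED_DOC = {
  name: { $binary: { base64: "AQ==", subType: "06" } },
  age:  { $binary: { base64: "AQ==", subType: "06" } },
};

const validator = buildValidator(rules);
console.log("would be rejected for:", findUnencryptedFields(PLAINTEXT_DOC, validator)); // [ 'age', 'name' ]
console.log("would be rejected for:", findUnencryptedFields(ENCRYPTED_DOC, validator));  // []
```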

Learn More

To learn more about the encryption algorithms CSFLE supports, see Fields and Encryption Types.

To learn more about encryption schemas and encryption rules, see Encryption Schemas.


© 2022 MongoDB, Inc.