On this page
The following diagram illustrates the relationships between a MongoDB
mongosh and each component of Client-Side Field Level Encryption
The following sections discuss the individual components of the preceding diagram.
libmongocrypt is the Apache-licensed open-source core cryptography
library used by the official MongoDB 4.2+ compatible drivers and
mongosh to power Client-Side Field Level Encryption.
Some drivers may require specific integration steps to install or link
To view steps for installing
see the libmongocrypt reference page.
mongocryptd supports automatic encryption and is only available
with MongoDB Enterprise.
mongocryptd does not perform
To learn more about
Install and Configure mongocryptd for CSFLE.
The Key Vault collection is a standard MongoDB collection that stores all Data Encryption Keys used to encrypt application data. Data Encryption Keys are themselves encrypted using a Customer Master Key (CMK) prior to storage in the Key Vault collection. You can host your Key Vault collection on a different MongoDB cluster than the cluster storing your encrypted application data.
To learn more about the Key Vault collection, see Keys and Key Vaults.
The Key Management System (KMS) stores the Customer Master Key (CMK) used to encrypt Data Encryption Keys.
To view a list of all KMS providers MongoDB supports, see CSFLE KMS Providers.
The MongoDB cluster which stores the encrypted data may also enforce Client-Side Field Level Encryption. For more information on server-side schema enforcement, see CSFLE Server-Side Schema Enforcement.