In Client-Side Field Level Encryption (CSFLE)-enabled client applications, you
can use schema validation
to have your MongoDB instance enforce encryption of specific fields.
To specify which fields require encryption, use the
automatic encryption rule keywords
with the $jsonSchema validation object. The server rejects any write operations to that collection
where the specified fields are not Binary (BinData)
subtype 6 objects.
To learn how a CSFLE-enabled client configured to use automatic encryption behaves when it encounters a server-side schema, see Server-Side Field Level Encryption Enforcement.
To learn how a CSFLE-enabled client configured to use explicit encryption behaves when it encounters a server-side schema, see Server-Side Field Level Encryption Enforcement.
Example
Consider an hr database with an employees collection.
Documents in the employees collection have the following form:
{ "name": "Jane Doe", "age": 51 }
You want to enforce the following behavior for client applications using your collection:
When encrypting the age field, clients must follow these encryption rules:
- Use the Data Encryption Key with an _id of UUID("e114f7ad-ad7a-4a68-81a7-ebcb9ea0953a").
- Use the randomized encryption algorithm.
- The age field must be an integer.
When encrypting the name field, clients must follow these encryption rules:
- Use the Data Encryption Key with an _id of UUID("33408ee9-e499-43f9-89fe-5f8533870617").
- Use the deterministic encryption algorithm.
- The name field must be a string.
The following mongosh code uses the
collMod command to update the hr.employees
collection to include a validator to enforce the
preceding behavior:
db.getSiblingDB("hr").runCommand({
  collMod: "employees",
  validator: {
    $jsonSchema: {
      bsonType: "object",
      properties: {
        age: {
          encrypt: {
            keyId: [UUID("e114f7ad-ad7a-4a68-81a7-ebcb9ea0953a")],
            algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Random",
            bsonType: "int",
          },
        },
        name: {
          encrypt: {
            keyId: [UUID("33408ee9-e499-43f9-89fe-5f8533870617")],
            algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
            bsonType: "string",
          },
        },
      },
    },
  },
});
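The following is an added example, not MongoDB's own server or driver code. It is a client-side pre-write check that mirrors the enforcement rule stated above: a write is rejected when a field named under an encrypt rule is present but is not a Binary (BinData) subtype 6 value. It assumes documents are represented in MongoDB Extended JSON v2 form, where a Binary value is { $binary: { base64: "...", subType: "06" } }, and it writes the key _id values from the page as plain strings instead of UUID() objects. It goes slightly beyond the page by also honouring a top-level required list, since $jsonSchema only applies a property rule when the field is present. The ciphertext bytes in the sample documents are constructed and are not real encrypted payloads.

```javascript
// Added example (not MongoDB code): mirror the server's "must be BinData subtype 6"
// rule so a misconfigured client can be caught before the write is sent.
// Documents are in Extended JSON v2 form; keyIds are plain strings here (assumption).
const ENCRYPTION_SCHEMA = {
  bsonType: "object",
  properties: {
    age: {
      encrypt: {
        keyId: ["e114f7ad-ad7a-4a68-81a7-ebcb9ea0953a"],
        algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Random",
        bsonType: "int",
      },
    },
    name: {
      encrypt: {
        keyId: ["33408ee9-e499-43f9-89fe-5f8533870617"],
        algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
        bsonType: "string",
      },
    },
  },
};

// True only for an Extended JSON Binary value whose subtype is 6 (encrypted).
function isEncryptedBinData(value) {
  return (
    value !== null &&
    typeof value === "object" &&
    value.$binary !== undefined &&
    value.$binary !== null &&
    typeof value.$binary.base64 === "string" &&
    value.$binary.subType === "06"
  );
}

// Short human-readable description of an offending value for the violation message.
function describeValue(value) {
  if (value !== null && typeof value === "object" && value.$binary) {
    return `BinData subtype ${value.$binary.subType}`;
  }
  return `plaintext ${typeof value}`;
}

// Returns a list of violations; an empty list means the document would pass the
// encrypt rules. Absent fields pass unless the schema lists them as required.
function findEncryptionViolations(schema, doc) {
  const violations = [];
  for (const [field, rule] of Object.entries(schema.properties || {})) {
    if (!rule.encrypt) continue; // only fields carrying an encrypt rule are checked
    if (!(field in doc)) continue; // property rules apply only when the field is present
    if (!isEncryptedBinData(doc[field])) {
      violations.push(`${field}: expected BinData subtype 6, got ${describeValue(doc[field])}`);
    }
  }
  for (const field of schema.required || []) {
    if (!(field in doc)) violations.push(`${field}: required field missing`);
  }
  return violations;
}

function writeWouldBeRejected(schema, doc) {
  return findEncryptionViolations(schema, doc).length > 0;
}

// Constructed sample payload; not a real CSFLE ciphertext.
const FAKE_CIPHERTEXT = Buffer.from("constructed-not-real-ciphertext").toString("base64");

// Plaintext document from the page: both encrypted fields are unencrypted here.
const PLAINTEXT_DOC = { name: "Jane Doe", age: 51 };

// Document as a correctly configured CSFLE client would send it.
const ENCRYPTED_DOC = {
  name: { $binary: { base64: FAKE_CIPHERTEXT, subType: "06" } },
  age: { $binary: { base64: FAKE_CIPHERTEXT, subType: "06" } },
};

// Binary, but the generic subtype 0: still rejected by the encrypt rule.
const WRONG_SUBTYPE_DOC = {
  name: { $binary: { base64: FAKE_CIPHERTEXT, subType: "00" } },
  age: { $binary: { base64: FAKE_CIPHERTEXT, subType: "06" } },
};

// Document that omits a field: passes unless `required` names it.
const PARTIAL_DOC = { age: { $binary: { base64: FAKE_CIPHERTEXT, subType: "06" } } };
const SCHEMA_WITH_REQUIRED = { ...ENCRYPTION_SCHEMA, required: ["name"] };

for (const [label, doc] of [["plaintext", PLAINTEXT_DOC], ["encrypted", ENCRYPTED_DOC], ["wrong subtype", WRONG_SUBTYPE_DOC]]) {
  console.log(label, "->", findEncryptionViolations(ENCRYPTION_SCHEMA, doc));
}
```

Running this with Node prints two violations for the plaintext document (name and age), none for the encrypted one, and a single violation for the document whose name field is Binary subtype 0. Note that this check only confirms what the server's validator confirms, that the field arrived as BinData subtype 6; it cannot tell whether the client used the key and algorithm the schema names, which is why the automatic-encryption client must be configured with the same rules.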
Learn More
To learn more about the encryption algorithms CSFLE supports, see Fields and Encryption Types.
To learn more about encryption schemas and encryption rules, see CSFLE Encryption Schemas.