Docs Home → Develop Applications → MongoDB Manual

Encryption Key Management

On this page

Encryption Components

Rotate Encryption Keys Using mongosh
Supported Key Management Services
Reasons to Use a Remote KMS
Learn More

Queryable Encryption with equality queries is generally available (GA) in MongoDB 7.0. To use Queryable Encryption, upgrade MongoDB to version 7.0 with compatible drivers. The Queryable Encryption Public Preview released with MongoDB 6.0 is no longer supported, and is incompatible with the GA feature. For more information, see the MongoDB 7.0 compatibility notes.

In this guide, you can learn how to manage your encryption keys with a Key Management System (KMS) in your Queryable Encryption enabled application.

Encryption Components

MongoDB uses the following components to perform Queryable Encryption:

Data Encryption Keys (DEK)s
Customer Master Keys (CMK)s
Key Vault collections
Key Management System (KMS)

To learn more about keys and key vaults, see Keys and Key Vaults.

Rotate Encryption Keys Using mongosh

You can rotate encryption keys using the KeyVault.rewrapManyDataKey() method. The rewrapManyDataKey method automatically decrypts multiple data keys and re-encrypts them using a specified Customer Master Key. It then updates the rotated keys in the key vault collection. This method allows you to rotate encryption keys based on two optional arguments:

A query filter document used to specify which keys to rotate. If no data key matches the given filter, no keys are rotated. Omit the filter to rotate all keys in your key vault collection.
An object that represents a new CMK. Omit this object to rotate the data keys using their current CMKs.

The rewrapManyDataKey method has the following syntax:

let keyVault = db.getMongo().getKeyVault()
keyVault.rewrapManyDataKey(
   {
      "<Your custom filter>"
   },
   {
      provider: "<KMS provider>",
      masterKey: {
         "<dataKeyOpts Key>" : "<dataKeyOpts Value>"
      }
   }
)

Supported Key Management Services

Queryable Encryption supports the following Key Management System providers:

Amazon Web Services KMS
Azure Key Vault
Google Cloud KMS
Any KMIP Compliant Key Management System
Local Key Provider (for testing only)

To learn more about these providers, including diagrams that show how your application uses them to perform Queryable Encryption, see KMS Providers.

Reasons to Use a Remote KMS

Using a remote Key Management System to manage your Customer Master Key has the following advantages over using your local filesystem to host the CMK:

Secure storage of the key with access auditing
Reduced risk of access permission issues
Availability and distribution of the key to remote clients
Automated key backup and recovery
Centralized encryption key lifecycle management

Additionally, for the following KMS providers, your KMS remotely encrypts and decrypts your Data Encryption Key, ensuring your Customer Master Key is never exposed to your Queryable Encryption enabled application:

Amazon Web Services KMS
Azure Key Vault
Google Cloud KMS

Learn More

For tutorials detailing how to set up a Queryable Encryption enabled application with each of the supported KMS providers, see the following pages:

← Keys and Key Vaults

KMS Providers →