On this page
- Atlas Search
- MongoDB Support Limitations
- Contention Factor
- Manual Metadata Collection Compaction
- encryptedFieldsMap Modification
- Read and Write Operation Support
- Query Log and Database Profiler Redaction
- Command and Aggregation Stage Output Redaction
- Topology Support
- Drop Collection
- Create Collection
- Query Types
- Encrypted Field Names
- Unique Indexes
- The _id Field
- Read/Write Query Support
Consider these limitations and restrictions before enabling Queryable Encryption. Some operations are unsupported, and others behave differently.
Queryable Encryption is incompatible with MongoDB Atlas Search.
Enabling Queryable Encryption on a collection redacts fields from some diagnostic commands and omits some operations from the query log. This limits the data available to MongoDB support engineers, especially when analyzing query performance. To measure the impact of operations against encrypted collections, use a third-party application performance monitoring tool to collect metrics.
For details, see the Redaction section.
Contention factor is a setting that helps tune performance based on the number of concurrent connections.
You can set the contention factor only when specifying a field for encryption. Once you specify a field for encryption, the contention factor is immutable. If you don't specify the contention factor, it uses the default value of
Manually run metadata collection compaction when your metadata collections exceed 1 GB. Compaction decreases the size of the metadata collections associated with encrypted fields, and improves performance.
Do not modify the encryptedFieldsMap passed to your MongoClient. Doing so can result in unexpected and incorrect behavior when querying.
mongod only stores encrypted BinData and applies any aggregation expression or query operator specifying an encrypted field against the BinData value. While the expression or operator may support BinData fields, the resulting value may be incorrect or unexpected when compared to issuing that same expression or operator against the decrypted value. The throws an error if the expression or operator does not support
To improve security, Queryable Encryption redacts fields from some diagnostic commands on encrypted collections, and omits certain operations from the query log. An encrypted collection is any collection with the
"WiredTiger", if present, to include only the
Omit all fields after
"command" to include only the first element,
top command only returns the collection name of
$planCacheStats aggregation stage omits operations against encrypted collections, even though the operations are cached as normal.
- Replica sets and sharded clusters are supported
- Standalone deployments are not supported
- Secondary reads are not supported
- Metadata collections must not be sharded
- Shard keys must not be encrypted fields
For sharded cluster transactions that use Queryable Encryption, you must set readConcern to
Queryable Encryption does not support batch operations. The following operations are not supported:
Queryable Encryption limits
- fields is not allowed
- new must be false
When performing an upsert operation, any encrypted fields in the filter are excluded from the insert.
You cannot use Client-Side Field Level Encryption with Queryable Encryption on the same collection.
Queryable Encryption does not support migration from collections encrypted with Client-Side Field Level Encryption. You must decrypt your documents and insert them one-by-one.
Queryable Encryption does not support automatic migration from an unencrypted collection. You must insert the documents one-by-one.
Queryable Encryption supports new collections only. You cannot add Queryable Encryption to, or remove it from, existing collections.
You cannot rename a collection with encrypted fields.
You cannot specify
db.createCollection() when creating a Queryable Encryption collection if the
You cannot disable
When a collection uses the
You cannot set
You cannot set
Dropping collections from a MongoClient that is not configured for Queryable Encryption doesn't drop the associated metadata collections.
mongod logs a warning if you drop a collection with encrypted fields before dropping the metadata collections.
When dropping a collection with a MongoClient configured for Queryable Encryption, compatible drivers drop the associated metadata collections as well.
Always explicitly create any collections that use Queryable Encryption. Implicit collection creation doesn't create the necessary indexes and metadata collections, resulting in poor query performance.
The query type you specify for a field when creating the collection in encryptedFieldsMap is immutable. You cannot add new query types to an existing field, and you cannot change the existing query type.
Encrypted field names are immutable. For example, if you specify
as a field to encrypt, you cannot
$rename the field name to
Applications cannot rely on the automatic encryption validation to prevent unsupported queries against views on collections with encrypted fields.
Queries against views on collections containing values encrypted with Queryable Encryption may return unexpected or incorrect results if either the underlying view aggregation pipeline or the query references encrypted fields. If creating a view on a collection containing values encrypted with Queryable Encryption, avoid operating on encrypted fields to mitigate the risk of unexpected or incorrect results.
For more information on views, see views.
Queryable Encryption ignores user-specified collations or collection default collations. Encryption obscures the field value and prevents normal collation behavior. Collation-sensitive queries against encrypted fields may return unexpected or incorrect results.
For more information on collations, see Collation Document.
Queryable Encryption-compatible drivers have a list of supported operations for automatic encryption. For unsupported read and write operations, the underlying support library cannot introspect the collection catalog to identify the default collation. Applications therefore cannot rely on the Queryable Encryption validation to prevent querying on encrypted fields with collation defaults.
Unique indexes can't guarantee uniqueness if the index key specifies any encrypted fields.
Queryable Encryption always outputs a different encrypted value, even for the same input. The server considers each encrypted value unique, even though the decrypted value may not be. This means that even if a collection uses an index-enforced unique constraint on fields, the collection can still contain multiple documents with duplicate plaintext values for that field.
Queryable Encryption-compatible drivers configured for automatic encryption support some operations for automatic encryption. For unsupported read and write operations, the underlying library can't introspect the index catalog to identify a given field as unique. Applications can't rely on automatic encryption validation to prevent unique constraint violations on randomly-encrypted fields.
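To see why a unique index on an encrypted field cannot enforce plaintext uniqueness, here is an added example (not MongoDB's code) that models randomized encryption with a random nonce plus an HMAC keystream, stands in a set-backed "unique index" for what mongod sees, and audits for plaintext duplicates on the client side; the field name, key and SSN values are constructed.

```python
import hashlib
import hmac
import os

# Models the property this page describes: Queryable Encryption returns a
# different BinData value on every encryption of the same input, and the
# server's unique index can only compare those ciphertext bytes.
# The nonce + HMAC-SHA256 keystream below is a stand-in for the real AEAD
# (an assumption made for a dependency-free demo), not a cipher to reuse.

NONCE_LEN = 16

def _keystream(key, nonce, length):
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def encrypt_randomized(key, plaintext):
    nonce = os.urandom(NONCE_LEN)  # fresh nonce: equal inputs never share a ciphertext
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key, blob):
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class CiphertextUniqueIndex:
    """Models a server-side unique index on an encrypted field: mongod only
    sees BinData, so the uniqueness check is over ciphertext bytes."""
    def __init__(self):
        self.docs, self._seen = [], set()
    def insert(self, doc):
        if doc["ssn"] in self._seen:
            raise ValueError("duplicate key")
        self._seen.add(doc["ssn"])
        self.docs.append(doc)

def plaintext_duplicates(index, key):
    """Client-side audit: decrypt every value and report plaintexts seen more than once."""
    counts = {}
    for doc in index.docs:
        pt = decrypt(key, doc["ssn"]).decode()
        counts[pt] = counts.get(pt, 0) + 1
    return {pt: n for pt, n in counts.items() if n > 1}

def demo(key=b"\x01" * 32, ssn=b"123-45-6789", copies=2):
    """Insert the same SSN `copies` times; the ciphertext index never objects."""
    coll = CiphertextUniqueIndex()
    for _ in range(copies):
        coll.insert({"ssn": encrypt_randomized(key, ssn)})
    return len(coll.docs), plaintext_duplicates(coll, key)
```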
You cannot configure Queryable Encryption to encrypt the _id field because it relies on the value auto-generated by MongoDB.
Automatic encryption supports a subset of commands, query operators, update operators, aggregation stages, and aggregation expressions. For the list of supported operations, see Supported Operations for Automatic Encryption.