Install and Configure a Queryable Encryption Library

On this page

Before You Start

Choose a Library
Procedure
Next Steps

Queryable Encryption with equality queries is generally available (GA) in MongoDB 7.0 and later. The Queryable Encryption Public Preview, released in version 6.0, is no longer supported. Data encrypted using the Public Preview is incompatible with the feature release. For more information, see Compatibility Changes in MongoDB 7.0.

MongoDB uses one of two libraries for translating queries into encrypted queries, and for encrypting and decrypting data. The latest is the Automatic Encryption Shared Library.

Before You Start

Follow the preceding tasks to install a Queryable Encryption compatible driver and dependencies before continuing.

Choose a Library

Automatic Encryption Shared Library

The Automatic Encryption Shared Library is a dynamic library that enables your client application to perform automatic encryption. A dynamic library is a set of functionality accessed by an application at runtime rather than compile time. The Automatic Encryption Shared Library performs the following tasks:

Reads the encryption schema to determine which fields to encrypt or decrypt
Prevents your application from executing unsupported operations on encrypted fields

The Automatic Encryption Shared Library does not do any of the following:

Perform data encryption or decryption
Access the encryption key material
Listen for data over the network

The Automatic Encryption Shared Library is a preferred alternative to mongocryptd and doesn't require you to start another process to perform automatic encryption.

mongocryptd

Important

Use the Automatic Encryption Shared Library

If you are starting a new project, use the Automatic Encryption Shared Library. The Automatic Encryption Shared Library replaces mongocryptd and does not require you to start a new process.

mongocryptd is installed with MongoDB Enterprise Server.

When you create a MongoDB client with In-Use Encryption, the mongocryptd process starts automatically by default.

The mongocryptd process:

Uses the specified automatic encryption rules to mark fields in read and write operations for encryption.
Prevents unsupported operations from executing on encrypted fields.
Parses the encryption schema specified for the database connection. Automatic encryption rules use a strict subset of JSON schema syntax. If the rules contain invalid automatic encryption syntax or any document validation syntax, mongocryptd returns an error.

mongocryptd only performs the previous functions, and doesn't perform any of the following:

mongocryptd doesn't perform encryption or decryption
mongocryptd doesn't access any encryption key material
mongocryptd doesn't listen over the network

To perform field encryption and automatic decryption, the drivers use the Apache-licensed libmongocrypt library.

Procedure

Next Steps

After installing a library, create a Customer Master Key in your Key Management System of choice.

← Install libmongocrypt

Create a Customer Master Key →