About this Task
To make encrypted fields queryable, create an encryption schema. This schema defines which fields are queryable, and which query types are permitted. For more information, see Encrypted Fields and Enabled Queries.
Important
Queryable Encryption supports equality and range queries. You can configure a field for only one query type.
Before you Begin
When you make encrypted fields queryable, consider performance and security. For details on how each configuration option affects these, see Configure Encrypted Fields for Optimal Search and Storage.
Steps
Specify fields to encrypt.
Add the
pathandbsonTypestrings to a document within the fields array:const encryptedFieldsObject = { fields: [ { path: "myDocumentField", bsonType: "int" } ] } Important
You can specify any field for encryption except the
_idfield.If you are using explicit encryption, add a
keyIdfield with the DEK ID:{ path: "myDocumentField", bsonType: "int", keyId: "<unique data encryption key>" } Tip
With Automatic Encryption, MongoDB creates encryption keys for each field. You configure
AutoEncryptionSettingson the client, then use thecreateEncryptedCollectionhelper method to create your collections.
Enable range queries on desired fields.
This enables querying with the $lt, $lte, $gt, and $gte operators.
For details on how the following options affect security and performance, see Configure Encrypted Fields for Optimal Search and Storage.
Add the
queriesobject and setqueryTypeto"range":{ path: "myDocumentRangeField", bsonType: "int", queries: { queryType: "range" } } Set the following fields:
FieldTypeDescriptionSame as field
bsonTypeRequired if
bsonTypeisdecimalordouble. Optional but highly recommended if it isint,long, ordate. Defaults to the minimum and maximum values of thebsonType.When possible, specifying bounds on a query improves performance. If querying values outside of these inclusive bounds, MongoDB returns an error.
{ path: "myDocumentRangeField", bsonType: "int", queries: { queryType: "range", min: 0, max: 1200 } }
Example
This example shows how to create an encryption schema for hospital data.
Consider the following document that contains personally identifiable information (PII), credit card information, and sensitive medical information:
{ "firstName": "Jon", "lastName": "Snow", "patientId": 12345187, "address": "123 Cherry Ave", "medications": [ "Adderall", "Lipitor" ], "patientInfo": { "ssn": "921-12-1234", "billing": { "type": "visa", "number": "1234-1234-1234-1234" } } }
To ensure the PII and sensitive medical information stays secure, this encryption schema adds the relevant fields:
const encryptedFieldsObject = { fields: [ { path: "patientId", bsonType: "int" }, { path: "patientInfo.ssn", bsonType: "string" }, { path: "medications", bsonType: "array" }, { path: "patientInfo.billing", bsonType: "object" } ] }
Adding the queries property makes the patientId and
patientInfo.ssn fields queryable. This example enables equality queries:
const encryptedFieldsObject = { fields: [ { path: "patientId", bsonType: "int", queries: { queryType: "equality" } }, { path: "patientInfo.ssn", bsonType: "string", queries: { queryType: "equality" } }, { path: "medications", bsonType: "array" }, { path: "patientInfo.billing", bsonType: "object" }, ] }