Introduction
Queryable Encryption lets you perform the following tasks:
- Encrypt sensitive data fields from the client side.
- Store sensitive data fields as fully randomized encrypted data on the database server side.
- Run expressive queries on the encrypted data.

The server has no knowledge of the data it processes.
Sensitive data is encrypted throughout its lifecycle: in transit, at rest, in use, in logs, and in backups. Data is decrypted only on the client side, since only you have access to the encryption keys.
Queryable Encryption introduces an industry-first, fast, searchable encryption scheme developed by the pioneers in encrypted search. The feature supports equality and range searches, with additional query types such as prefix, suffix, and substring available in Public Preview.
You can set up Queryable Encryption using the following mechanisms:
- Automatic Encryption: Enables you to perform encrypted read and write operations without adding explicit calls to encrypt and decrypt fields.
- Explicit Encryption: Enables you to perform encrypted read and write operations through your MongoDB driver's encryption library. You must specify the logic for encryption with this library throughout your application.
Considerations
When implementing an application that uses Queryable Encryption, consider the points listed in Security Considerations.
For limitations, see Queryable Encryption limitations.
Compatibility
The following table shows which MongoDB server products support which Queryable Encryption mechanisms:
| Product Name | Supports Automatic Encryption | Supports Explicit Encryption |
|---|---|---|
| MongoDB Atlas | Yes | Yes |
| MongoDB Enterprise Advanced | Yes | Yes |
| MongoDB Community Edition | No | Yes |
To learn which MongoDB drivers support Queryable Encryption, see Queryable Encryption Compatibility.
MongoDB Support Limitations
Enabling Queryable Encryption on a collection redacts fields from some diagnostic commands and omits some operations from the query log. This limits the data available to MongoDB support engineers, especially when analyzing query performance. To measure the impact of operations against encrypted collections, use a third-party application performance monitoring tool to collect metrics.
For details, see Redaction.
Features
To learn about the security benefits of Queryable Encryption for your applications, see the Queryable Encryption Features page.
Install
To learn what you must install to use Queryable Encryption, see the Installation Requirements page.
Quick Start
To start using Queryable Encryption, see the Queryable Encryption Quick Start.
Fundamentals
To learn how Queryable Encryption works and how to set it up, see the Queryable Encryption Fundamentals section.
The fundamentals section contains the following pages:
Tutorials
To learn how to perform specific tasks with Queryable Encryption, see the Queryable Encryption Tutorials section.
Reference
For reference, see the Queryable Encryption Reference section.
The reference section contains the following pages: