Create an Encryption Schema

Create the encryption schema.

Include an encryptedFieldsObject with a nested fields array:

const encryptedFieldsObject = {
   fields: []
}

Specify fields to encrypt.

1. Add the path and bsonType strings to a document within the fields array:

   const encryptedFieldsObject = {
      fields: [
         {
            path: "myDocumentField",
            bsonType: "int"
         }
      ]
   }

   Important

   You can specify any field for encryption except the _id field.

2. Optionally, set a keyId field with the DEK ID.

   Important

   Key IDs must be unique, otherwise the server returns an error.

   By configuring AutoEncryptionSettings on the client, you can use the createEncryptedCollection helper method to create keys automatically.

   {
      path: "myDocumentField",
      bsonType: "int",
      keyId: "<unique data encryption key>"
   }

Enable equality queries on desired fields.

This enables querying with the $eq, $ne, $in, and $nin operators.

Add the queries object and set queryType to "equality":

{
   path: "myDocumentField",
   bsonType: "int",
   queries: { queryType: "equality" }
}

Enable range queries on desired fields.

This enables querying with the $lt, $lte, $gt, and $gte operators.

For details on how the following options affect security and performance, see Configure Encrypted Fields for Optimal Search and Storage.

1. Add the queries object and set queryType to "range":

   {
      path: "myDocumentRangeField",
      bsonType: "int",
      queries: { queryType: "range" }
   }

2. Set the following fields:

   Field	Type	Description
   min and max	Same as field bsonType	Required if bsonType is decimal or double. Optional but highly recommended if it is int, long, or date. Defaults to the minimum and maximum values of the bsonType. When possible, specifying bounds on a query improves performance. If querying values outside of these inclusive bounds, MongoDB returns an error.

   {
      path: "myDocumentRangeField",
      bsonType: "int",
      queries: { queryType: "range",
                 min: 0,
                 max: 1200
      }
   }

Enable prefix, suffix, or substring queries on desired fields.

These query types are for string fields only. You can enable both prefixPreview and suffixPreview on the same field, but can't enable either if using substringPreview.

• prefixPreview queries enable the $encStrStartsWith and $encStrNormalizedEq aggregation expressions.

• suffixPreview queries enable the $encStrEndsWith and $encStrNormalizedEq aggregation expressions.

• substringPreview queries enable the $encStrContains and $encStrNormalizedEq aggregation expressions.

1. Add the queries object and set queryType to "prefixPreview", "suffixPreview", or "substringPreview":

   {
      path: "myDocumentStringField",
      bsonType: "string",
      queries: { queryType: "substringPreview" }
   }

2. Set the following fields.

   For details on how they affect security and performance, see Configure Encrypted Fields for Optimal Search and Storage.

   Field	Type	Description
   strMaxLength	integer	substringPreview queries only. The maximum allowed length for a substring-indexed field.
   strMinQueryLength	integer	The minimum allowed prefix/suffix/substring length to query.
   strMaxQueryLength	integer	The maximum allowed prefix/suffix/substring length to query. IMPORTANT: This setting strongly impacts query performance. Limit it whenever possible.
   caseSensitive	Boolean	Optional. Whether queries are case-sensitive. Defaults to true.
   diacriticSensitive	Boolean	Optional. Whether queries are diacritic-sensitive. Defaults to true.

   {
      path: "myDocumentStringField",
      bsonType: "string",
      queries: {
         "queryType": "substringPreview",
         "strMaxLength": 30,
         "strMinQueryLength": 1,
         "strMaxQueryLength": 20,
         "caseSensitive": false
      }
   }