BlogAnnounced at MongoDB.local NYC 2024: A recap of all announcements and updates — Learn more >


MongoDB Data Encryption

MongoDB offers robust encryption features to protect data while in-transit, at-rest, and in-use — providing encryption of your data through its full lifecycle.

Get Started
MongoDB Security Hub

Encryption in-transit

MongoDB Enterprise Advanced supports encryption in-transit using Transport Layer Security (TLS).

In Atlas, all network traffic to MongoDB clusters is protected by TLS by default. TLS cannot be disabled and the default version is TLS v1.2. Data that is transmitted to MongoDB clusters, as well as data transmitted between nodes of your MongoDB clusters, is encrypted in-transit using TLS.

Learn more about Encryption In-Transit →

Encryption at-rest

Encryption at-rest is a database-level protection layer to guarantee that the written files and data are encrypted while stored. MongoDB Enterprise Advanced (EA) has implemented the at-rest encryption in WiredTiger, the database storage engine, using AES-256. You can configure at-rest encryption in MongoDB EA with a KMIP-enabled key provider.

In Atlas, customer data is encrypted at-rest by default using AES-256 to secure all volume (disk) data. The process is automated by the transparent disk encryption of your selected cloud provider, and the cloud provider fully manages the encryption keys. You may also choose to enable database-level encryption, which allows you to bring your own encryption keys in AWS Key Management Service (KMS), Google Cloud KMS, or Azure Key Vault.

Encryption At-Rest → MongoDB Enterprise and MongoDB Atlas

In-Use Encryption

Data is encrypted client-side with customer-controlled encryption keys, before being sent, stored, or retrieved from the database. The benefits of this approach are:

  • Data encrypted throughout its lifecycle
    The strongest technical control to ensure that data always remains encrypted in-use, in backups, at-rest, and in-transit.
  • Faster application development cycle
    MongoDB takes the complexity out of developing applications for sensitive workloads. Developers don’t have to be security or cryptography experts to build encryption into their applications.
  • Address critical data privacy use cases
    Helps customers meet strict data privacy requirements such as HIPAA, GDPR, PCI, CCPA and more.

MongoDB has two features for encryption in-use to meet your data protection needs.

Client-Side Field Level Encryption

Client-Side Field Level Encryption (CSFLE) is an in-use encryption capability that enables a client application to encrypt sensitive data before storing it in the MongoDB database. Sensitive data is transparently encrypted, remains encrypted throughout its lifecycle, and is only decrypted on the client side.

Learn more → Client-Side Field Level Encryption

Queryable Encryption

Queryable Encryption is an in-use encryption capability that enables an application to encrypt sensitive data from the client-side, store the encrypted data in the MongoDB database, and run expressive queries on the encrypted data.

Additional benefits you can get with Queryable Encryption:

Learn more → Queryable Encryption


Queryable Encryption: Sample flow of operations to fetch records for a given SSN



Help your organization with strong technical controls. Need more information?
Contact Us