Event
{Event}  Unlock the power of AI together with AWS and MongoDB – Join us at AWS re:Invent 2023 Nov 27 - Dec 1

MONGODB SECURITY

MongoDB Data Encryption

MongoDB offers robust encryption features to protect data while in-transit, at-rest, and in-use — providing encryption of your data through its full lifecycle.
Get Started
MongoDB Security Hub
Encryption in-transit

MongoDB Enterprise Advanced supports encryption in-transit using Transport Layer Security (TLS).

In Atlas, all network traffic to MongoDB clusters is protected by TLS by default. TLS cannot be disabled and the default version is TLS v1.2. Data that is transmitted to MongoDB clusters, as well as data transmitted between nodes of your MongoDB clusters, is encrypted in-transit using TLS.

Learn more about Encryption In-Transit →

Encryption at-rest

Encryption at-rest is a database-level protection layer to guarantee that the written files and data are encrypted while stored. MongoDB Enterprise Advanced (EA) has implemented the at-rest encryption in WiredTiger, the database storage engine, using AES-256. You can configure at-rest encryption in MongoDB EA with a KMIP-enabled key provider.

In Atlas, customer data is encrypted at-rest by default using AES-256 to secure all volume (disk) data. The process is automated by the transparent disk encryption of your selected cloud provider, and the cloud provider fully manages the encryption keys. You may also choose to enable database-level encryption, which allows you to bring your own encryption keys in AWS Key Management Service (KMS), Google Cloud KMS, or Azure Key Vault.

Encryption At-Rest → MongoDB Enterprise and MongoDB Atlas

In-Use Encryption

Data is encrypted client-side with customer-controlled encryption keys, before being sent, stored, or retrieved from the database. The benefits of this approach are:

  • Data encrypted throughout its lifecycle
    The strongest technical control to ensure that data always remains encrypted in-use, in backups, at-rest, and in-transit.

  • Faster application development cycle
    MongoDB takes the complexity out of developing applications for sensitive workloads. Developers don’t have to be security or cryptography experts to build encryption into their applications.

  • Address critical data privacy use cases
    Helps customers meet strict data privacy requirements such as HIPAA, GDPR, PCI, CCPA and more.

MongoDB has two features for encryption in-use to meet your data protection needs.

Client-Side Field Level Encryption

Client-Side Field Level Encryption (CSFLE) is an in-use encryption capability that enables a client application to encrypt sensitive data before storing it in the MongoDB database. Sensitive data is transparently encrypted, remains encrypted throughout its lifecycle, and is only decrypted on the client side.

Learn more → Client-Side Field Level Encryption

Queryable Encryption

Queryable Encryption is an in-use encryption capability that enables an application to encrypt sensitive data from the client-side, store the encrypted data in the MongoDB database, and run expressive queries on the encrypted data.

Additional benefits you can get with Queryable Encryption:

  • Groundbreaking technology
    Queryable Encryption introduces a first-in-industry fast encrypted search algorithm using NIST standards-based primitives such as AES-256, SHA2, and HMACs. It is designed by the pioneers of encrypted search with decades of research and experience in cryptography.

  • Rich querying capabilities on encrypted data
    Data can be queried using equality matches (generally available) with range, prefix, suffix, and substring query capabilities planned.

Learn more → Queryable Encryption

Queryable Encryption: Sample flow of operations to fetch records for a given SSN
Resources
mdb_querying_encrypted_data

Queryable Encryption is generally available

Details on Queryable Encryption technology and customer benefits.

cloud_managed

Encryption at-rest in Atlas using customer key management

Configure encryption at-rest with your encryption keys using AWS KMS, Google Cloud KMS, Azure Key Vault.

general_security_encrypted_storage

Encryption at-rest (Enterprise)

Learn more about the encryption process and how to configure encryption at-rest.

general_security_encryption

Client-Side Field Level Encryption

Learn more about how to encrypt sensitive fields from the client side, how to use MongoDB drivers and more.

general_content_collaborate

Cryptography Research Group

Read about the cutting-edge research and latest innovations in cryptography and privacy.

general_content_white_paper

Queryable Encryption Technical paper

A deeper look at Queryable Encryption, its design goals, threat models, and security guarantees.

general_content_ebook

Why Queryable Encryption matters

Learn more about why Queryable Encrption matters to developers, security teams and IT decision makers.

general_security_privacy

Protect your data with MongoDB’s In-Use encryption

Learn about how MongoDB’s in-use encryption solutions helps customers to protect their data.

FAQ

Help your organization with strong technical controls. Need more information?
Contact us
How does In-Use Encryption compare with in-transit and at-rest encryption?

In-Use Encryption is best applied selectively to those fields of your documents that you classify as containing the most sensitive data, such as PII or PHI

Using Client-Side FLE or Queryable Encryption alongside in-transit and at-rest encryption provides encryption of data throughout its lifecycle, using complementary approaches that provide a defense-in-depth security posture to address different threat models.

  • In-transit encryption protects all data traversing the network but does not encrypt data in-use or at-rest.
  • At-rest encryption protects all stored data but does not encrypt data in-use or in-transit.
  • With in-use encryption, your most sensitive data never leaves your application in plaintext. Fields that are encrypted client-side cannot be decrypted by the server and remain encrypted in-transit, at-rest, and in-use even as queries are being processed.
Do the customer provided encryption keys used for Atlas at-rest encryption need to be stored in the same cloud provider as the data is?

Your encryption keys can be stored in any cloud provider of your choosing and do not need to be in the same cloud provider as your data. For example, you can store your data in Azure but have your encryption keys in AWS KMS, or have your data in AWS but your keys in GCP Cloud KMS. This approach applies both to at-rest encryption and in-use encryption capabilities.

For more information, refer to our documentation
Can I use cloud-provider KMS for Encryption at-rest with MongoDB Enterprise?
MongoDB Enterprise supports KMIP-enabled key providers for encryption at-rest. Cloud-provided KMS (Key Management Systems) is not supported.
For more details refer to the documentation
How does Queryable Encryption differ from Client-Side Field Level Encryption?

Queryable Encryption uses a fast encrypted search algorithmn to add additional encrypted data structures on the server side, enabling the processing of expressive queries on encrypted data. Since the database does the query processing, there’s no need to bring extra results back to the client or write additional application code for client-side query handling.

Client-Side Field Level Encryption provides related functionality, in that it encrypts data on the client side before inserting it into the database. Querying is limited to equality queries and deterministic encryption must be used for equality.

For more information, refer to our documentation
What query types are supported with Queryable Encryption?

The Queryable Encryption supports equality queries on encrypted data as of the 7.0 release

Future releases will support range, prefix, suffix, and substring query types.