MONGODB SECURITY

MongoDB Data Encryption

Protect data in transit, at rest, and in use with MongoDB’s robust encryption, supporting security across the entire data lifecycle.


Encryption in transit

Encryption in transit protects data as it moves between clients, applications, and database servers, preventing unauthorized access or tampering. In MongoDB Atlas, all network traffic is automatically encrypted using Transport Layer Security (TLS), enabled by default and required for every connection. The current default is TLS 1.2. Communication between Atlas cluster nodes is also secured with TLS to ensure data remains protected at every step.

MongoDB Enterprise Advanced also supports encryption in transit using TLS.


Encryption at rest

Encryption at rest protects stored data by encrypting database files on disk, adding a critical layer of defense. In MongoDB Atlas, all customer data is automatically encrypted at rest with AES-256, leveraging the cloud provider’s native disk encryption and key management. Atlas also supports database-level encryption with customer-managed keys through AWS Key Management Service (KMS), Google Cloud KMS, or Azure Key Vault.

MongoDB Enterprise Advanced provides at-rest encryption through the WiredTiger storage engine with AES-256, configurable with a KMIP-compliant key management provider.


Encryption in use with Queryable Encryption

Encryption in use protects sensitive data while it is actively being processed by the database. This keeps information secure throughout its entire lifecycle, extending protection beyond encryption at rest and in transit. MongoDB delivers this capability through Queryable Encryption, a groundbreaking, industry-first in-use encryption technology.

Queryable Encryption enables customers to encrypt sensitive application data, store it securely in an encrypted state in MongoDB, and perform expressive queries directly on the encrypted data. Prefix, suffix, and substring queries are supported in public preview, in addition to equality and range.

With Queryable Encryption, organizations can perform flexible text searches on encrypted data, such as matching partial names, keywords, or identifiers, without ever exposing the underlying information. Other key benefits include:

  • Stronger data protection: Keep sensitive data encrypted during queries, reducing the risk of exposure and minimizing reputational or financial impact from security incidents.
  • Enhanced regulatory compliance: Maintain encryption across the entire data lifecycle to help meet requirements such as GDPR and HIPAA, avoiding fines and strengthening customer trust.
  • Improved operational efficiency: Protect data without relying on custom search solutions or external tools, reducing infrastructure complexity while maintaining application performance.
  • Seamless developer experience: Queryable Encryption integrates natively into MongoDB’s query language, enabling advanced encrypted search without the need to rewrite application code.
  • Integrated protection: Included with MongoDB at no additional cost, providing built-in encryption without requiring third-party solutions.


Resources


Cryptography Research Group

Read about cutting-edge research and the latest innovations in cryptography and encrypted search.


Advancing Encryption in MongoDB Atlas

Read about how MongoDB secures data at rest with customer-managed keys and in transit with TLS.


Encryption at rest in Atlas using customer key management

Configure encryption at rest with your encryption keys using AWS KMS, Google Cloud KMS, and Azure Key Vault.


Queryable Encryption Technical Paper

Take a deeper look at Queryable Encryption, its design goals, threat models, and security guarantees.


Queryable Encryption Datasheet

Learn more about how Queryable Encryption enables expressive queries on encrypted data.


Client-Side Field-Level Encryption

Learn more about how to encrypt sensitive fields on the client side before you send them over the network to MongoDB.
