Security
Queryable Encryption. Protect your confidential workloads.
Run expressive queries on fully randomized encrypted data. Meet stringent security requirements with strong technical controls.
Protect your business by confidently storing sensitive data and meeting compliance requirements. With Queryable Encryption, now in preview, eliminate security concerns when moving workloads to managed services in the cloud.
Rich querying capabilities on encrypted data
MongoDB is the only database provider that enables processing of expressive queries on randomly encrypted data. Data is never in cleartext in the database, but MongoDB can still process queries and execute operations on the server side.
Data encrypted throughout its lifecycle
Queryable Encryption adds another layer of security for your most sensitive data, where data remains secure in-transit, at-rest, in memory, in logs, and in backups.
Strong controls for critical data privacy use cases
Strong technical controls allow customers to meet the strictest data privacy requirements for confidentiality and integrity using standards-based cryptography. Designed by our Advanced Cryptography Research Group with 20 years of experience designing peer-reviewed state-of-the-art encrypted search algorithms.
Faster application development
MongoDB has taken the complexity out of developing applications for sensitive workloads. There is no need to write special client-side query handling or be an expert in cryptography to deliver the highest levels of security with optimized performance.Feature overview
Fully randomized encryption
Secure your data and eliminate data leakage
Expressive queries on encrypted data
Next-generation rich query capabilities on fully randomized encrypted data
Client-side encryption
Data is never in cleartext — not in-transit, at-rest, in memory, in logs, or in backups
Customer-managed encryption keys
You have full control of your data encryption keys; MongoDB never has access to those keys
Industry standard cryptography primitives
Based on strong, well-vetted, standards-based cryptographic primitives like AES-256, HMAC, SHA2
Field-level encryption
Control which parts of your data need to be encrypted, down to the field level
Resources
Queryable Encryption FAQ
Help your organization with strong technical controls. Need more information?
How does Queryable Encryption work?
Queryable Encryption is designed to encrypt data from the client-side, store it as fully randomized encrypted data on the server, and allows users to run expressive queries on the encrypted data.
Queryable Encryption encrypts sensitive data from the client-side and it remains encrypted during transport, while at rest in the database, and while being processed in memory.
Queryable Encryption introduces a fast searchable cryptographic scheme that uses NIST standards-based primitives. These are well-tested and established public standards to ensure confidentiality and integrity of data. This is designed to perform queries on fully randomized encrypted data.
Queryable Encryption encrypts sensitive data from the client-side and it remains encrypted during transport, while at rest in the database, and while being processed in memory.
Queryable Encryption introduces a fast searchable cryptographic scheme that uses NIST standards-based primitives. These are well-tested and established public standards to ensure confidentiality and integrity of data. This is designed to perform queries on fully randomized encrypted data.
How do I use the preview release of Queryable Encryption and whom to contact if I have more questions?
Preview release gives you the functionality as per the feature documentation for Queryable Encryption. Since it's a preview release it is not recommended to be used in production environments as breaking changes may be introduced during the preview period. This is meant to be used for evaluation in test and development environments.
If you have any further questions, please reach out to your assigned account manager or contact sales.
If you have any further questions, please reach out to your assigned account manager or contact sales.
How does Queryable Encryption differ from Client-side Field Level Encryption?
Queryable Encryption uses Structured Encryption to add additional encrypted data structures on the server side, enabling the processing of expressive queries on fully randomized encrypted data. Since the database does the query processing, there’s no need to bring extra results back to the client or write extra application code for client-side query handling.
Client-side field level encryption provides related functionality, in that it encrypts data on the client side before inserting it into the database. Querying, however, is limited. Only equality queries are supported, and deterministic encryption must be used for equality queries to work.
Client-side field level encryption provides related functionality, in that it encrypts data on the client side before inserting it into the database. Querying, however, is limited. Only equality queries are supported, and deterministic encryption must be used for equality queries to work.
What query types are supported?
The Queryable Encryption Preview supports equality queries on fully randomized encrypted data.
Future releases will add support for range, prefix, suffix, and substring query types.
Future releases will add support for range, prefix, suffix, and substring query types.
What drivers are supported and where can developers download them?
Refer to the documentation for current driver support.
How does Queryable Encryption help with minimizing the attack surface?
First, data is encrypted on the client-side, and is never resident in the database in cleartext. This means that even privileged attackers — e.g., employees with database access — will only be able to access the ciphertext in the database, as long as they don’t have encryption key access.
Second, queryable encryption uses fully randomized encryption to secure data. This means the same plaintext encrypts to a different ciphertext every time the data is encrypted. This makes it difficult for an adversary to learn patterns and infer values, hence minimizing the attack surface for adversaries to exploit.
Second, queryable encryption uses fully randomized encryption to secure data. This means the same plaintext encrypts to a different ciphertext every time the data is encrypted. This makes it difficult for an adversary to learn patterns and infer values, hence minimizing the attack surface for adversaries to exploit.
What versions of MongoDB support Queryable Encryption?
As long as you are running MongoDB 6.0 and above with supported drivers, you can use Queryable Encryption:
One difference is when you choose to use Queryable Encryption, is that MongoDB Atlas and MongoDB Enterprise version support automatic encryption of fields in read and write operations, while the community version requires the explicit encryption of fields in application code. The core cryptography libraries themselves are identical.
At what levels can I encrypt data?
Queryable encryption is highly flexible. You can selectively encrypt individual fields within a document, a subdocument, or the entire document. Each field is secured with its own key and is decrypted seamlessly on the client.
Get started with Queryable Encryption today
Take the complexity out of developing applications with sensitive workloads.
PROTECT YOUR SENSITIVE WORKLOADS:
- Randomized encrypted data
- Expressive queries
- Faster development
- Strong technical controls
- Reduce institutional risk
- Data Privacy mandates