
Security

Queryable Encryption. Protect your confidential workloads.

Run expressive queries on fully randomized encrypted data. Meet stringent security requirements with strong technical controls.
Protect your business by confidently storing sensitive data and meeting compliance requirements. With Queryable Encryption, now in preview, eliminate security concerns when moving workloads to managed services in the cloud.

Rich querying capabilities on encrypted data

MongoDB is the only database provider that enables processing of expressive queries on randomly encrypted data. Data is never in cleartext in the database, but MongoDB can still process queries and execute operations on the server side.

Data encrypted throughout its lifecycle

Queryable Encryption adds another layer of security for your most sensitive data, where data remains secure in-transit, at-rest, in memory, in logs, and in backups.

Strong controls for critical data privacy use cases

Strong technical controls allow customers to meet the strictest data privacy requirements for confidentiality and integrity using standards-based cryptography. Queryable Encryption was designed by our Advanced Cryptography Research Group, which has 20 years of experience designing peer-reviewed, state-of-the-art encrypted search algorithms.

Faster application development

MongoDB has taken the complexity out of developing applications for sensitive workloads. There is no need to write special client-side query handling or be an expert in cryptography to deliver the highest levels of security with optimized performance.

Feature overview
  • Fully randomized encryption: Secure your data and eliminate data leakage
  • Expressive queries on encrypted data: Next-generation rich query capabilities on fully randomized encrypted data
  • Client-side encryption: Data is never in cleartext — not in-transit, at-rest, in memory, in logs, or in backups
  • Customer-managed encryption keys: You have full control of your data encryption keys; MongoDB never has access to those keys
  • Industry standard cryptography primitives: Based on strong, well-vetted, standards-based cryptographic primitives like AES-256, HMAC, SHA2
  • Field-level encryption: Control which parts of your data need to be encrypted, down to the field level

Resources
Introducing Queryable Encryption
Details on Queryable Encryption technology and advantages

Queryable Encryption FAQ

How does Queryable Encryption work?
Queryable Encryption is designed to encrypt data on the client side, store it as fully randomized encrypted data on the server, and allow users to run expressive queries on the encrypted data.

Queryable Encryption encrypts sensitive data on the client side, and the data remains encrypted during transport, while at rest in the database, and while being processed in memory.

Queryable Encryption introduces a fast searchable cryptographic scheme that uses NIST standards-based primitives. These are well-tested and established public standards to ensure confidentiality and integrity of data. This is designed to perform queries on fully randomized encrypted data.
For more details refer to the documentation
How do I use the preview release of Queryable Encryption, and whom do I contact if I have more questions?
The preview release provides the functionality described in the feature documentation for Queryable Encryption. Because it is a preview release, it is not recommended for production environments, as breaking changes may be introduced during the preview period. It is meant for evaluation in test and development environments.

If you have any further questions, please reach out to your assigned account manager or contact sales.
How does Queryable Encryption differ from Client-side Field Level Encryption?
Queryable Encryption uses Structured Encryption to add additional encrypted data structures on the server side, enabling the processing of expressive queries on fully randomized encrypted data. Since the database does the query processing, there’s no need to bring extra results back to the client or write extra application code for client-side query handling.

Client-side field level encryption provides related functionality, in that it encrypts data on the client side before inserting it into the database. Querying, however, is limited. Only equality queries are supported, and deterministic encryption must be used for equality queries to work.
For more information, refer to our documentation
What query types are supported?
The Queryable Encryption Preview supports equality queries on fully randomized encrypted data.

Future releases will add support for range, prefix, suffix, and substring query types.
What drivers are supported and where can developers download them?
Refer to the documentation for current driver support.
How does Queryable Encryption help with minimizing the attack surface?
First, data is encrypted on the client-side, and is never resident in the database in cleartext. This means that even privileged attackers — e.g., employees with database access — will only be able to access the ciphertext in the database, as long as they don’t have encryption key access.

Second, Queryable Encryption uses fully randomized encryption to secure data. This means the same plaintext encrypts to a different ciphertext every time the data is encrypted. This makes it difficult for an adversary to learn patterns and infer values, hence minimizing the attack surface for adversaries to exploit.
For more information, refer to our documentation
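
The contrast drawn in the answers above between deterministic and randomized encryption, as an added example (not MongoDB code and not the Queryable Encryption scheme). It uses a stand-in HMAC-SHA256 stream cipher without authentication, and the column values, `KEY` and function names are constructed for illustration; it shows what a party holding only the stored ciphertexts can count in each mode.

```python
import hashlib
import hmac
import os
from collections import Counter

# Stand-in cipher for illustration only (assumption: NOT AES, NOT MongoDB's
# scheme, no integrity tag): HMAC-SHA256 keystream XORed with the plaintext.
def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        block = b"ks" + iv + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes, deterministic: bool) -> bytes:
    if deterministic:
        # IV derived from the plaintext: equal values give equal ciphertexts,
        # which is what makes a plain equality match on ciphertext possible.
        iv = hmac.new(key, b"iv" + plaintext, hashlib.sha256).digest()[:16]
    else:
        # Fresh random IV: the same value encrypts differently every time.
        iv = os.urandom(16)
    ks = _keystream(key, iv, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:16], ciphertext[16:]
    ks = _keystream(key, iv, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))

def ciphertext_histogram(key: bytes, column: list, deterministic: bool) -> list:
    """Repeat counts of identical ciphertexts, as seen by someone who can
    read the stored column but does not hold the key."""
    counts = Counter(encrypt(key, value, deterministic) for value in column)
    return sorted(counts.values(), reverse=True)

# Constructed sample column (hypothetical blood-type field).
COLUMN = [b"O+", b"O+", b"O+", b"A+", b"A+", b"AB-"]
KEY = os.urandom(32)

if __name__ == "__main__":
    # Deterministic mode reproduces the plaintext frequency distribution.
    print("deterministic:", ciphertext_histogram(KEY, COLUMN, True))
    # Randomized mode shows every stored ciphertext as unique.
    print("randomized:   ", ciphertext_histogram(KEY, COLUMN, False))
```

With deterministic encryption the ciphertext column carries the same frequency distribution as the plaintext, which is the pattern an adversary with database access could use to infer values; with randomized encryption that signal is absent from the ciphertexts themselves.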
What versions of MongoDB support Queryable Encryption?

As long as you are running MongoDB 6.0 and above with supported drivers, you can use Queryable Encryption:

  • In MongoDB Atlas on AWS, Azure, and Google Cloud
  • Or on infrastructure you run yourself with MongoDB Enterprise or MongoDB Community Edition

One difference when you use Queryable Encryption is that MongoDB Atlas and MongoDB Enterprise support automatic encryption of fields in read and write operations, while the Community Edition requires explicit encryption of fields in application code. The core cryptography libraries themselves are identical.

At what levels can I encrypt data?
Queryable Encryption is highly flexible. You can selectively encrypt individual fields within a document, a subdocument, or the entire document. Each field is secured with its own key and is decrypted seamlessly on the client.

Get started with Queryable Encryption today

Take the complexity out of developing applications with sensitive workloads.
Protect your sensitive workloads:

  • Randomized encrypted data
  • Expressive queries
  • Faster development
  • Strong technical controls
  • Reduce institutional risk
  • Data privacy mandates