MongoDB uses the Automatic Encryption Shared Library (recommended) or the mongocryptd executable
process to translate queries into encrypted queries, and to encrypt or decrypt data.
Before You Begin
To use CSFLE with automatic encryption, you must first choose the query analysis component you want MongoDB to use to encrypt the fields.
- crypt_shared, the recommended CSFLE library. 
- mongocryptd, which is included in MongoDB Enterprise Server installations. 
The libmongocrypt library and MongoDB drivers require the
Automatic Encryption Shared Library or mongocryptd to interpret encrypted queries. For more
information, see Install libmongocrypt for CSFLE.
Automatic Encryption Shared Library
The Automatic Encryption Shared Library is a dynamic library that enables your client application to perform automatic encryption. A dynamic library is a set of functionality accessed by an application at runtime rather than compile time. The Automatic Encryption Shared Library performs the following tasks:
- Reads the encryption schema to determine which fields to encrypt or decrypt 
- Prevents your application from executing unsupported operations on encrypted fields 
The Automatic Encryption Shared Library does not do any of the following:
- Perform data encryption or decryption 
- Access the encryption key material 
- Listen for data over the network 
The Automatic Encryption Shared Library is a preferred alternative to mongocryptd and does
not require you to spawn another process to perform automatic encryption.
Note
While we recommend using the Automatic Encryption Shared Library, mongocryptd is still supported.
To learn more about automatic encryption, see CSFLE Features.
mongocryptd
mongocryptd is installed with MongoDB Enterprise
Server.
When you create a CSFLE-enabled MongoDB client, the mongocryptd
process starts automatically by default.
The mongocryptd process:
- Uses the specified automatic encryption rules to mark fields in read and write operations for encryption. 
- Prevents unsupported operations from executing on encrypted fields. 
- Parses the encryption schema specified for the database connection. Automatic encryption rules use a strict subset of JSON schema syntax. If the rules contain invalid automatic encryption syntax or any - schema validationsyntax,- mongocryptdreturns an error.
mongocryptd only performs the previous functions, and doesn't
perform any of the following:
- mongocryptddoesn't perform encryption or decryption
- mongocryptddoesn't access any encryption key material
- mongocryptddoesn't listen over the network
To perform field encryption and automatic decryption, the drivers use the Apache-licensed libmongocrypt library.
The official MongoDB drivers require access to the
mongocryptd process on the client host machine. These
clients search for the mongocryptd process in the system
PATH by default.
Steps
Select the query analysis component you want to use and follow the steps to install and configure a CSFLE query analysis component.