On this page

New in version 4.2.


Client-Side Field Level Encryption is available as a beta. The contents of this page may change during the beta period.

KeyVault.createKey(keyManagementService, customerMasterKey[, "keyAltName"])

Adds a data key to the key vault associated to the database connection. Client-side field level encryption uses data keys for supporting encryption and decryption of field values.

createKey() has the following syntax:

keyVault = db.getMongo().getKeyVault()

  [ "keyAltName" ]
Parameter Type Description
keyManagementService string

(Required) The Key Managmenet Service (KMS) to use for retrieving the Customer Master Key (CMK).

Specify aws for Amazon Web Service KMS.

Specify local for a local single-key KMS.

If the database connection was not configured with the specified KMS, data key creation fails.

customerMasterKey string

The identifier for the CMK to use for encrypting the data key.

  • For, specify the full Amazon Resource Name (ARN) of the master key. createKey() retrieves the specified CMK from the AWS KMS and uses it to encrypt the data key.

    If the CMK does not exist, or if the KMS configuration does not provide access to that CMK, createKey() returns an error.

  • For keyManagementService.local, specify a string key. createKey() uses the specified key and the local master key to encrypt the data key.

keyAltName array of strings


The alternative name for the data key. Use keyAltName to improve findability of a specific data key, or as an analog to a comment.

keyAltName must be unique. getKeyVault creates a unique index on keyAltName to enforce uniqueness of keyAltName.

returns:A WriteResult object.


Requires Configuring Client-Side Field Level Encryption on Database Connection

The mongo client-side field level encrytion methods require a database connection with client-side field level encryption enabled. If the current database connection was not initiated with client-side field level encryption enabled, either:

  • Use the Mongo() constructor from the mongo shell to establish a connection with the required client-side field level encryption options. The Mongo() method supports both Amazon Web Services and Local Key Management Service (KMS) providers for Customer Master Key (CMK) management.


  • Use the mongo shell command line options to establish a connection with the required options. The command line options only support the AWS KMS provider for CMK management.



To mitigate the risk of the AWS Access Key or AWS Secret Key leaking into logs, consider specifying an environment variable containing the required values as part of the mongo startup. For example, the following operation loads the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables into local variables in the mongo shell:

mongo --eval "
  " \

Use the created AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY variables in the shell to reference the AWS credentials.

The following operation issued from the mongo shell:

  • Establishes a connection to the cluster with client-side field level encryption enabled.
  • Retrieves the key vault object using the encryption-enabled connection object.
  • Creates a new client-side field level encryption data key and stores that key in the key vault.
clientSideFLEOptions = {
  "keyVaultNamespace" : "encryption.dataKeys",
  "kmsProviders" : {
    "aws" : {
      "accessKeyId" : "AWS_ACCESS_KEY_ID",
      "secretAccessKey" : "AWS_SECRET_ACCESS_KEY"

encryptedClient = Mongo(

keyVault = encryptedClient.getKeyVault();

keyVault.createKey("aws", "arn:aws:kms:us-east-1:test:test:test", [ "ssn-encryption-key" ])

If successfull, createKey() returns a WriteResult. To retrieve the created key: