Navigation

Appendix

beta

Client-Side Field Level Encryption is available as a beta. The contents of this page may change during the beta period.

mongocryptd

Enterprise Feature

The automatic feature of field level encryption is only available in MongoDB 4.2 Enterprise and MongoDB Atlas 4.2 clusters.

mongocryptd is required for automatic field level encryption and is included as a component in the MongoDB Enterprise Server package. mongocryptd performs the following:

  • Parses the automatic encryption rules specified to the database connection. Automatic encryption rules use a strict subset of JSON schema syntax. If the automatic encryption rules contains invalid automatic encryption syntax or any document validation syntax, mongocryptd returns an error.
  • Uses the specified automatic encryption rules to mark fields in read and write operations for encryption.
  • Reject read/write operations that may return unexpected or incorrect results when applied to an encrypted field. See Read/Write Support with Automatic Field Level Encryption for more information.

mongocryptd is only responsible for supporting automatic client-side field level encryption and does not perform encryption or decryption. MongoDB 4.2-compatible drivers use the Apache-licensed libmongocrypt library for performing client-side field level encryption and automatic decryption.

The official MongoDB 4.2-compatible drivers and the 4.2 mongo shell require access to the mongocryptd process on the client host machine. The 4.2-compatible drivers and 4.2 mongo shell by default search for the mongocryptd process in the system PATH. See Installation for more complete documentation on installing mongocryptd.

If the 4.2-compatible driver has access to the mongocryptd process, by default the driver manages the spawning of the mongocryptd process. The 4.2-compatible drivers may have additional options for specifying the path to or the spawning behavior of the mongocryptd process.

Installation

For supported Linux Operating Systems, follow the documented installation instructions and install the mongodb-enterprise server package. Alternatively, specify mongdb-enterprise-cryptd instead to install only the mongocryptd binary. The package manager installs the binaries to a location in the system PATH (e.g. /usr/bin/)

For OSX, install the Server package. The package manager installs binaries to a location in the system PATH.

For Windows, install the Server package. You must add the mongocryptd package to your system PATH after installation. Defer to documented best practices for your Windows installation for instructions on adding the mongocryptd binary to the system PATH.

For installations via an official tarball or ZIP archive, follow the documented best practices for your operating system to add the mongocryptd binary to your system PATH.