Enterprise Feature

The automatic feature of field level encryption is only available in MongoDB Enterprise 4.2 or later, and MongoDB Atlas 4.2 or later clusters.

mongocryptd is required for automatic field level encryption and is included as a component in the MongoDB Enterprise Server package, or separately as the mongodb-enterprise-cryptd package. mongocryptd performs the following:

  • Parses the automatic encryption rules specified to the database connection. Automatic encryption rules use a strict subset of JSON schema syntax. If the automatic encryption rules contains invalid automatic encryption syntax or any document validation syntax, mongocryptd returns an error.
  • Uses the specified automatic encryption rules to mark fields in read and write operations for encryption.
  • Reject read/write operations that may return unexpected or incorrect results when applied to an encrypted field. See Read/Write Support with Automatic Field Level Encryption for more information.

mongocryptd is only responsible for the above functions, and does not perform any of the following:

  • mongocryptd does not perform encryption or decryption itself
  • mongocryptd does not access any encryption key material
  • mongocryptd does not listen over the network

Drivers compatible with MongoDB 4.2 and later use the Apache-licensed libmongocrypt library for performing client-side field level encryption and automatic decryption.

The official MongoDB 4.2+ compatible drivers and the 4.2 or later mongo shell require access to the mongocryptd process on the client host machine. The 4.2+ compatible drivers and 4.2 or later mongo shell search for the mongocryptd process in the system PATH by default. See Installation for the complete documentation on installing mongocryptd.

If the 4.2+ compatible driver has access to the mongocryptd process, by default the driver manages the spawning of the mongocryptd process. The 4.2+ compatible drivers may have additional options for specifying the path to or the spawning behavior of the mongocryptd process.

If possible, we recommend that mongocryptd be started on boot, rather than launched on demand.

For supported Linux Operating Systems, follow the documented installation instructions and install the mongodb-enterprise server package. Alternatively, specify mongodb-enterprise-cryptd instead to install only the mongocryptd binary. The package manager installs the binaries to a location in the system PATH (e.g. /usr/bin/)

For OSX, install the Server package. The package manager installs binaries to a location in the system PATH.

For Windows, install the Server package. You must add the mongocryptd package to your system PATH after installation. Defer to documented best practices for your Windows installation for instructions on adding the mongocryptd binary to the system PATH.

For installations via an official tarball or ZIP archive, follow the documented best practices for your operating system to add the mongocryptd binary to your system PATH.

Give Feedback