- Tutorials >
- Client-Side Encryption
Client-Side Encryption
On this page
Client-Side Field Level Encryption allows administrators and developers to encrypt specific data fields in addition to other MongoDB encryption features.
Automatic Encryption and Decryption
Note
Auto encryption is an enterprise only feature.
The following example uses a local key, however using AWS Key Management Service
is also an option. The data in the encryptedField
field is automatically
encrypted on insertion and decrypted when querying on the client side.
Specifying an Explicit Schema for Encryption
The following example shows how to create a new key and store it in the key vault collection. The encrypted client configures an explicit schema for encryption using the newly created key.
Note
Supplying a schemaMap
provides more security than relying on JSON schemas
obtained from the server. It protects against a malicious server advertising
a false JSON schema, which could trick the client into sending unencrypted
data that should be encrypted.
Manually Encrypting and Decrypting Values
In the MongoDB Community Edition, you will have to manually encrypt and decrypt values before storing them in the database. The following example assumes that you have already created an encryption key in the key vault collection and explicitly encrypts and decrypts values in the document.
Referencing Encryption Keys by an Alternative Name
While it is possible to create an encryption key every time data is encrypted, this is not the recommended approach. Instead, you should create your encryption keys depending on your use-case, e.g. by creating a user-specific encryption key. To reference keys in your software, you can use the keyAltName attribute specified when creating the key. The following example creates an encryption key with an alternative name, which could be done when deploying the application. The software then encrypts data by referencing the key by its alternative name.