Navigation

Encrypt a Realm

Overview

You can encrypt the realm database file on disk with AES-256 + SHA-2 by supplying a 64-byte encryption key when opening a realm.

Realm transparently encrypts and decrypts data with standard AES-256 encryption using the first 256 bits of the given 512-bit encryption key. Realm uses the other 256 bits of the 512-bit encryption key to validate integrity using a hash-based message authentication code (HMAC).

Considerations

Storing & Reusing Keys

You must pass the same encryption key when opening the encrypted realm again. Apps should securely store the encryption key, typically in the target platform’s secure key/value pair storage. You can use Xamarin Secure Storage to simplify the access to underlying storage. Ultimately, it is the developer’s responsibility to ensure that attackers cannot easily extract the key.

Performance Impact

Typically, reads and writes on encrypted realms can be up to 10% slower than on unencrypted realms.

Encryption and Realm Sync

You can encrypt a synced realm. MongoDB Realm only encrypts the data on the device and stores the data unencrypted in your MongoDB Atlas data source. The transfer between client server is fully encrypted.

Example

The following code demonstrates how to generate an encryption key and open an encrypted realm:

// Check if we already have a key stored in the platform's secure storage.
// If we don't, generate a new one:
var encryptionKey = new byte[64];
using var rng = new RNGCryptoServiceProvider();
rng.GetBytes(encryptionKey);

// Store the key securely to be used next time we want to open the Realm.

// Create configuration.
var config = new RealmConfiguration
{
    EncryptionKey = encryptionKey
};

// Open or create a realm with the encryption key.
var realm = Realm.GetInstance(config);