Navigation

Encrypt a Realm - Android SDK

You can encrypt the realm database file on disk with AES-256 + SHA-2 by supplying a 64-byte encryption key when opening a realm.

Realm transparently encrypts and decrypts data with standard AES-256 encryption using the first 256 bits of the given 512-bit encryption key. Realm uses the other 256 bits of the 512-bit encryption key to validate integrity using a hash-based message authentication code (HMAC).

You must pass the same encryption key when opening the encrypted realm again. Apps should store the encryption key in the Android KeyStore so that other apps cannot read the key.

Typically, reads and writes on encrypted realms can be up to 10% slower than unencrypted realms.

You can encrypt a synced realm. MongoDB Realm only encrypts the data on the device and stores the data unencrypted in your MongoDB Atlas data source.

The following code demonstrates how to generate an encryption key and open an encrypted realm with the encryptionKey() method:

Warning
This Example Does Not Securely Handle Encryption Keys

This example does not demonstrate best security practices for generating or storing encryption keys. For proper key handling, please consult the Android documentation or third party guides.

// Generate a key
val key = ByteArray(64)
SecureRandom().nextBytes(key)
val config = SyncConfiguration.Builder(app.currentUser(), PARTITION)
.encryptionKey(key)
.build()
// Open the encrypted realm
val realm = Realm.getInstance(config)
Give Feedback