Encryption - .NET SDK
You can encrypt your realms to ensure that the data stored to disk can't be read outside of your application. You encrypt the realm database file on disk with AES-256 + SHA-2 by supplying a 64-byte encryption key when opening the realm.
For details and code examples for implementing Realm encryption, see Encrypt a Realm.
Realm transparently encrypts and decrypts data with standard AES-256 encryption using the first 256 bits of the given 512-bit encryption key. Realm uses the other 256 bits of the 512-bit encryption key to validate integrity using a hash-based message authentication code (HMAC).
There is a small performance hit (typically less than 10% slower) when using encrypted Realms.
Storing & Reusing Keys
You must pass the same encryption key when opening the encrypted realm again. Apps should securely store the encryption key, typically in the target platform's secure key/value pair storage. You can use Xamarin Secure Storage to simplify access to the underlying storage. Ultimately, it is the developer's responsibility to ensure that attackers cannot easily extract the key.
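The following sketch shows one way to generate the 64-byte key once, keep it in Xamarin Secure Storage, and pass the same key on every later open. It is an added example, not code from the original page or from the Realm project; the class name `EncryptedRealm` and the storage entry name `realm_encryption_key` are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Realms;
using Xamarin.Essentials;

public static class EncryptedRealm
{
    // Hypothetical entry name in the platform secure store (assumption).
    private const string KeyName = "realm_encryption_key";

    // 64 bytes = 512 bits: 256 for AES-256, 256 for the HMAC.
    private const int KeyLength = 64;

    public static async Task<Realm> OpenAsync(string realmPath)
    {
        var key = await LoadOrCreateKeyAsync();
        var config = new RealmConfiguration(realmPath) { EncryptionKey = key };
        return Realm.GetInstance(config);
    }

    private static async Task<byte[]> LoadOrCreateKeyAsync()
    {
        // SecureStorage returns null when no value has been stored yet.
        var stored = await SecureStorage.GetAsync(KeyName);
        if (stored != null)
        {
            var key = Convert.FromBase64String(stored);
            // Fail closed: silently replacing a damaged key would leave
            // the existing realm file permanently unreadable.
            if (key.Length != KeyLength)
                throw new InvalidOperationException("Stored realm key is not 64 bytes.");
            return key;
        }

        // First run: draw the key from the OS cryptographic RNG,
        // never from System.Random or a hard-coded constant.
        var fresh = new byte[KeyLength];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(fresh);
        }

        // Secure Storage holds strings, so the key is stored Base64-encoded.
        await SecureStorage.SetAsync(KeyName, Convert.ToBase64String(fresh));
        return fresh;
    }
}
```

Losing the stored key (for example, when the secure store is wiped on reinstall) makes the existing realm file unrecoverable, so decide up front whether that data can be re-synced or must be backed by a recoverable key.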
Encryption and Realm Sync
You can encrypt a synced realm, too. MongoDB Realm only encrypts the data on the device, and stores the data unencrypted in your MongoDB Atlas data source. The transfer between client and server is fully encrypted.
If you need unique keys for each user of your application, you can use an OAuth provider (such as Xamarin.Auth), or use one of the Realm Authentication providers and an Authentication Trigger to create a 64-bit key and store that key in a user object.