| 1 | +================= |
| 2 | +In-Use Encryption |
| 3 | +================= |
| 4 | + |
| 5 | +.. contents:: On this page |
| 6 | + :local: |
| 7 | + :backlinks: none |
| 8 | + :depth: 2 |
| 9 | + :class: singlecol |
| 10 | + |
| 11 | +Overview |
| 12 | +-------- |
| 13 | + |
| 14 | +You can use the {+driver-short+} to encrypt specific document fields by using a |
| 15 | +set of features called **in-use encryption**. In-use encryption allows |
| 16 | +your application to encrypt data *before* sending it to MongoDB |
| 17 | +and query documents with encrypted fields. |
| 18 | + |
| 19 | +In-use encryption prevents unauthorized users from viewing plaintext |
| 20 | +data as it is sent to MongoDB or while it is in an encrypted database. To |
| 21 | +enable in-use encryption in an application and authorize it to decrypt |
| 22 | +data, you must create encryption keys that only your application can |
| 23 | +access. Only applications that have access to your encryption |
| 24 | +keys can access the decrypted, plaintext data. If an attacker gains |
| 25 | +access to the database, they can only see the encrypted ciphertext data |
| 26 | +because they lack access to the encryption keys. |
| 27 | + |
| 28 | +You might use in-use encryption to encrypt fields in your MongoDB |
| 29 | +documents that contain the following types of sensitive data: |
| 30 | + |
| 31 | +- Credit card numbers |
| 32 | +- Addresses |
| 33 | +- Health information |
| 34 | +- Financial information |
| 35 | +- Any other sensitive or personally identifiable information (PII) |
| 36 | + |
| 37 | +MongoDB offers the following features to enable in-use encryption: |
| 38 | + |
| 39 | +- :ref:`Queryable Encryption <subsection-qe>` |
| 40 | +- :ref:`Client-side Field Level Encryption <subsection-csfle>` |
| 41 | + |
| 42 | +.. _subsection-qe: |
| 43 | + |
| 44 | +Queryable Encryption |
| 45 | +~~~~~~~~~~~~~~~~~~~~ |
| 46 | + |
| 47 | +Queryable Encryption is the next-generation in-use encryption feature, |
| 48 | +first introduced as a preview feature in MongoDB Server version 6.0 and |
| 49 | +as a generally available (GA) feature in MongoDB 7.0. Queryable |
| 50 | +Encryption supports searching encrypted fields for equality and encrypts |
| 51 | +each value uniquely. |
| 52 | + |
| 53 | +.. important:: Preview Feature Incompatible with MongoDB 7.0 |
| 54 | + |
| 55 | + The implementation of Queryable Encryption in MongoDB 6.0 is incompatible with the GA version introduced in MongoDB 7.0. The Queryable Encryption preview feature is no longer supported. |
| 56 | + |
| 57 | +To learn more about Queryable Encryption, see :manual:`Queryable |
| 58 | +Encryption </core/queryable-encryption/>` in the Server manual. |
| 59 | + |
| 60 | +.. _subsection-csfle: |
| 61 | + |
| 62 | +Client-side Field Level Encryption |
| 63 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 64 | + |
| 65 | +Client-side Field Level Encryption (CSFLE) was introduced in MongoDB |
| 66 | +Server version 4.2 and supports searching encrypted fields for equality. |
| 67 | +CSFLE differs from Queryable Encryption in that you can select either a |
| 68 | +deterministic or random encryption algorithm to encrypt fields. You can only |
| 69 | +query encrypted fields that use a deterministic encryption algorithm when |
| 70 | +using CSFLE. When you use a random encryption algorithm to encrypt |
| 71 | +fields in CSFLE, they can be decrypted, but you cannot perform equality |
| 72 | +queries on those fields. When you use Queryable Encryption, you cannot |
| 73 | +specify the encryption algorithm, but you can query all encrypted |
| 74 | +fields. |
| 75 | + |
| 76 | +When you deterministically encrypt a value, the same input value |
| 77 | +produces the same output value. While deterministic encryption allows |
| 78 | +you to perform queries on those encrypted fields, encrypted data with |
| 79 | +low cardinality is susceptible to code breaking by frequency analysis. |
| 80 | + |
| 81 | +.. tip:: |
| 82 | + |
| 83 | + To learn more about these concepts, see the following Wikipedia |
| 84 | + entries: |
| 85 | + |
| 86 | + - :wikipedia:`Cardinality <w/index.php?title=Cardinality_(data_modeling)&oldid=1182661589>` |
| 87 | + - :wikipedia:`Frequency Analysis <w/index.php?title=Frequency_analysis&oldid=1182536787>` |
| 88 | + |
| 89 | +To learn more about CSFLE, see :manual:`CSFLE </core/csfle/>` in the |
| 90 | +Server manual. |
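Review bot: The closing sentence of the CSFLE comparison paragraph ("When you use Queryable Encryption, you cannot specify the encryption algorithm, but you can query all encrypted fields.") promises more than the Queryable Encryption section above it, which only says the feature "supports searching encrypted fields for equality"; qualify it to match, e.g. "but you can run equality queries on encrypted fields without choosing an algorithm," so the two sections do not contradict each other. In the same paragraph, the three sentences on deterministic versus random algorithms restate one point (only deterministically encrypted fields are queryable; randomly encrypted fields decrypt but cannot be queried) and could be collapsed into one. In the following paragraph, "susceptible to code breaking by frequency analysis" is vague about the actual risk: state that deterministic encryption reveals when two fields hold the same value, so a field with few distinct values lets an observer infer plaintext from value frequencies, which is the threat the Wikipedia tip is pointing at.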