Enabling Queryable Encryption when Creating Collections
Overview
Enable Queryable Encryption at collection creation. You can't encrypt fields on documents that are already in a collection.
Important
Explicitly create your collection, rather than creating it implicitly
with an insert operation. When you create a collection using
createCollection()
, MongoDB creates an index on the encrypted
fields. Without this index, queries on encrypted fields may run
slowly.
Enable Queryable Encryption on a Collection
You can enable Queryable Encryption on fields in one of two ways. The following examples use Node.js to enable Queryable Encryption:
Pass the encryption schema, represented by the
encryptedFieldsObject
constant, to the client that the application uses to create the collection:const client = new MongoClient(uri, { autoEncryption: { keyVaultNameSpace: "<your keyvault namespace>", kmsProviders: "<your kms provider>", extraOptions: { cryptSharedLibPath: "<path to Automatic Encryption Shared Library>" }, encryptedFieldsMap: { "<databaseName.collectionName>": { encryptedFieldsObject } } } ... await client.db("<database name>").createEncryptedCollection("<collection name>"); } For more information on
autoEncryption
configuration options, see the section on MongoClient Options for Queryable Encryption.Pass the encryption schema
encryptedFieldsObject
tocreateEncryptedCollection()
:await encryptedDB.createEncryptedCollection("<collection name>", { encryptedFields: encryptedFieldsObject }); Tip
Specify the
encryptedFieldsObject
when you create the collection, and also when you create a client to access the collection. For more information about the security considerations of not defining theencryptedFieldsObject
, see Security Considerations.