mongocryptd
Tip
Use the Automatic Encryption Shared Library
If you are starting a new project, use the crypt_shared encryption helper, referred to as the Automatic Encryption Shared Library. The Automatic Encryption Shared Library replaces mongocryptd and does not require spawning a new process.
Note
Enterprise Feature
The automatic feature of field level encryption is only available in MongoDB Enterprise 4.2 or later, and MongoDB Atlas 4.2 or later clusters.
mongocryptd is included as a component in the MongoDB Enterprise Server package, or separately as the mongodb-enterprise-cryptd package. mongocryptd performs the following:
Parses the automatic encryption rules specified to the database connection. Automatic encryption rules use a strict subset of JSON schema syntax. If the automatic encryption rules contain invalid automatic encryption syntax or any document validation syntax, mongocryptd returns an error.
Uses the specified automatic encryption rules to mark fields in read and write operations for encryption.
Rejects read/write operations that may return unexpected or incorrect results when applied to an encrypted field. See Read/Write Support with Automatic Field Level Encryption for more information.
mongocryptd is only responsible for the above functions, and does not perform any of the following:
mongocryptd does not perform encryption or decryption itself
mongocryptd does not access any encryption key material
mongocryptd does not listen over the network
Drivers compatible with MongoDB 4.2 and later use the Apache-licensed libmongocrypt library for performing client-side field level encryption and automatic decryption.
The official MongoDB 4.2+ compatible drivers, mongosh, and the 4.2 or later legacy mongo shell require access to the mongocryptd process on the client host machine. These clients search for the mongocryptd process in the system PATH by default.
See Installation for the complete documentation on installing mongocryptd.
Usage
If the 4.2+ compatible driver has access to the mongocryptd process, by default the driver manages the spawning of the mongocryptd process. The 4.2+ compatible drivers may have additional options for specifying the path to or the spawning behavior of the mongocryptd process.
If possible, we recommend that mongocryptd be started on boot, rather than launched on demand.
Installation
For supported Linux Operating Systems, follow the documented installation instructions and install the mongodb-enterprise server package. Alternatively, specify mongodb-enterprise-cryptd instead to install only the mongocryptd binary. The package manager installs the binaries to a location in the system PATH (e.g. /usr/bin/).
For OSX, install the Server package. The package manager installs binaries to a location in the system PATH.
For Windows, install the Server package. You must add the mongocryptd package to your system PATH after installation. Defer to documented best practices for your Windows installation for instructions on adding the mongocryptd binary to the system PATH.
For installations via an official tarball or ZIP archive, follow the documented best practices for your operating system to add the mongocryptd binary to your system PATH.
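Because clients locate mongocryptd through the system PATH by default, it is worth confirming which file that lookup resolves to and whether any directory searched up to that point is writable by group or others. The Python check below is an added example, not part of the MongoDB documentation; it assumes POSIX permission bits, and the names audit_path_lookup and demo and the temporary directory layout are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_path_lookup(name, path_env):
    """Resolve `name` the way a PATH search does and flag loose directories.

    Returns (resolved_path_or_None, dirs_writable_by_group_or_others).
    Only directories searched up to and including the match are checked,
    because a file named `name` in any of them would be found first.
    """
    risky = []
    for entry in path_env.split(os.pathsep):
        directory = entry or os.curdir  # empty PATH entry = current directory
        try:
            mode = os.stat(directory).st_mode
        except OSError:
            continue  # nonexistent entries cannot match
        if not stat.S_ISDIR(mode):
            continue
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            risky.append(directory)
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate, risky
    return None, risky


def demo():
    """Constructed layout: a mode-0777 directory listed ahead of the real one."""
    with tempfile.TemporaryDirectory() as root:
        loose = os.path.join(root, "shared-tools")
        system = os.path.join(root, "usr-bin")
        for directory, mode in ((loose, 0o777), (system, 0o755)):
            os.mkdir(directory)
            os.chmod(directory, mode)
        binary = os.path.join(system, "mongocryptd")
        with open(binary, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")  # stand-in file, not the real binary
        os.chmod(binary, 0o755)
        resolved, risky = audit_path_lookup(
            "mongocryptd", os.pathsep.join([loose, system]))
        return (os.path.basename(os.path.dirname(resolved)),
                [os.path.basename(d) for d in risky])


if __name__ == "__main__":
    print(audit_path_lookup("mongocryptd", os.environ.get("PATH", "")))
    print(demo())
```

Run it under the same account and environment as the application, since the PATH that account sees is the one the lookup uses.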