/ /

Client-Side Field Level Encryption

Docs Home

Development

In-Use Encryption

Client-Side Field Level Encryption

Docs Home

Development

In-Use Encryption

Client-Side Field Level Encryption

CSFLE Compatibility

MongoDB's Queryable Encryption feature is available (GA) in MongoDB 7.0 and later. To learn more about Queryable Encryption and compare its benefits with Client-Side Field Level Encryption, see Queryable Encryption.

This page describes the MongoDB and driver versions with which Client-Side Field Level Encryption is compatible.

➤ Use the Select your language drop-down menu to select your driver and see its compatibility with Client-Side Field Level Encryption.

MongoDB Edition and Version Compatibility

Automatic encryption with Client-Side Field Level Encryption is only available with MongoDB Enterprise Edition, version 4.2 or later.

Explicit encryption with Client-Side Field Level Encryption is available with MongoDB Community and Enterprise Edition, version 4.2 or later.

Driver Compatibility

To use Client-Side Field Level Encryption and the Key Rotation API with the C driver, install driver version 1.17.5 or later.

To use Client-Side Field Level Encryption and the Key Rotation API with the C++ driver, install driver version 3.6.0 or later.

To use Client-Side Field Level Encryption with the .NET/C# driver, install driver version 2.10.0 or later. To use the Key Rotation API, install driver version 2.17.1 or later.

If you're using driver version 3.0 or later, you must also complete the following steps:

Install the MongoDB.Driver.Encryption package from NuGet. This package enables automatic encryption.
If your application runs on Linux, install libmongocrypt manually. Then, set the LIBMONGOCRYPT_PATH environment variable to the absolute path of the libmongocrypt file.
If your application runs on 64-bit Linux, and you're using driver version 3.4.3 or earlier, add the following lines of XML to your .csproj file. Change the value of the <MongoDriverEncryptionVersion> element to match the version of the MongoDB.Driver.Encryption package that you have installed.

<PropertyGroup>
    <!-- replace the version here with your package version -->
    <MongoDriverEncryptionVersion>3.4.2</MongoDriverEncryptionVersion>
    <MongoDriverEncryptionPath>$(NuGetPackageRoot)mongodb.driver.encryption\$(MongoDriverEncryptionVersion)</MongoDriverEncryptionPath>
</PropertyGroup>
<PropertyGroup>
    <!-- Suppresses the duplicate file error -->
    <ErrorOnDuplicatePublishOutputFiles>false</ErrorOnDuplicatePublishOutputFiles>
</PropertyGroup>
<!-- Ensures the correct library after build or publish -->
<Target Name="EnsureCorrectMongoEncryption" AfterTargets="Build;Publish" Condition="'$(RuntimeIdentifier)' != ''">
    <!-- Determine paths based on current operation -->
    <PropertyGroup>
        <_TargetDir Condition="Exists('$(PublishDir)')">$(PublishDir)</_TargetDir>
        <_TargetDir Condition="'$(_TargetDir)' == ''">$(OutputPath)</_TargetDir>
    </PropertyGroup>
    <!-- Copy the correct library based on runtime identifier (RID) -->
    <ItemGroup>
        <_CorrectMongoLib Include="$(MongoDriverEncryptionPath)/runtimes/linux/native/x64/libmongocrypt.so"
                          Condition="'$(RuntimeIdentifier)' == 'linux-x64'" />
        <_CorrectMongoLib Include="$(MongoDriverEncryptionPath)/runtimes/linux/native/arm64/libmongocrypt.so"
                          Condition="'$(RuntimeIdentifier)' == 'linux-arm64'" />
        <_CorrectMongoLib Include="$(MongoDriverEncryptionPath)/runtimes/linux/native/alpine/libmongocrypt.so"
                          Condition="'$(RuntimeIdentifier)' == 'linux-musl-arm64'" />
    </ItemGroup>
    <!-- Copy with overwrite -->
    <Copy SourceFiles="@(_CorrectMongoLib)"
          DestinationFolder="$(_TargetDir)"
          Condition="'@(_CorrectMongoLib)' != ''"
          OverwriteReadOnlyFiles="true" />
    <Message Text="Fixed MongoDB encryption library for $(RuntimeIdentifier)"
             Condition="'@(_CorrectMongoLib)' != ''" />
</Target>

To use Client-Side Field Level Encryption with the Go driver, install driver version 1.2 or later. To use the Key Rotation API, install libmongocrypt version 1.5.2 or later.

To use Client-Side Field Level Encryption with the Java Sync or Java Reactive Streams driver, install driver version 3.10.0 or later. To use the Key Rotation API, install mongodb-crypt version 1.7.3 or later.

To use Client-Side Field Level Encryption with the Java Reactive Streams driver, install driver version 1.12.0 or later. To use the Key Rotation API, install mongodb-crypt version 1.7.3 or later.

To use Client-Side Field Level Encryption with the Node.js driver, install driver version 3.4.0 or later. To use the Key Rotation API, install mongodb-client-encryption version 2.2.0 - 2.x.

If you're using version 6.0 or later of the Node.js driver, you must also use version 6.0 or later of mongodb-client-encryption.

To use Client-Side Field Level Encryption and the Key Rotation API with the PHP driver, install driver version 1.6.0 or later.

To use Client-Side Field Level Encryption with PyMongo, install driver version 3.10.0 or later. To use the Key Rotation API, install pymongocrypt version 1.3.1 or later.

To use Client-Side Field Level Encryption and the Key Rotation API with the Ruby driver, install driver version 2.12.1 or later.

To use Client-Side Field Level Encryption with the Rust driver, install driver version 2.4.0 or later. To use the Key Rotation API, install libmongocrypt version 1.8.0 or later.

To use Client-Side Field Level Encryption and the Key Rotation API with the Scala driver, install driver version 2.7.0 or later.

To learn more about the Key Rotation API, see Rotate and Rewrap Encryption Keys.

Back

Use KMIP

CSFLE Limitations