MongoDB Data Encryption

MongoDB offers robust encryption features to protect data while in transit, at rest, and in use—safeguarding data through its full lifecycle.

Get Started

MongoDB Security Hub

MongoDB 8.0

With 36% higher throughput, easier horizontal scaling, and expanded queryable encryption, MongoDB is faster and more secure than ever.

Learn More

Resources

FAQ

How do I get more information to help my organization with strong technical controls?

How does in-use encryption compare with in-transit and at rest encryption?

In-use Encryption is best applied selectively to those fields of your documents that you classify as containing the most sensitive data, such as PII or PHI.

Using Client-Side Field-Level Encryption data encryption alongside in-transit and at-rest encryption provides data encryption throughout its lifecycle, using complementary approaches that provide a defense-in-depth security posture to address different threat models.

In-transit encryption protects all data traversing the network but does not encrypt data in use or at rest.
At-rest encryption protects all stored data but does not encrypt data in use or in transit.
With in-use encryption, your most sensitive data never leaves your application in plaintext. Fields that are encrypted on the client side cannot be decrypted by the server and remain encrypted in transit, at rest, and in use even as queries are being processed.

Learn more

Do the customer provided encryption keys used for Atlas at rest encryption need to be stored in the same cloud provider as the data is?

Your encryption keys can be stored in any cloud provider of your choosing and do not need to be in the same cloud provider as your data. For example, you can store your data in Azure but have your encryption keys in AWS KMS, or have your data in AWS but your keys in GCP Cloud KMS. This approach applies both to at-rest encryption and in-use encryption capabilities.

Can I use cloud-provider KMS for Encryption at rest with MongoDB Enterprise?

MongoDB Enterprise supports KMIP-enabled key providers for encryption at rest. Cloud-provided KMS (Key Management Systems) is not supported.

For more details refer to the documentation

How does Queryable Encryption differ from Client-Side Field-Level Encryption?

Queryable Encryption uses a fast encrypted search algorithm to add additional encrypted data structures on the server side, enabling the processing of equality and range queries on encrypted data. Since the database does the query processing, there’s no need to bring extra results back to the client or write additional application code for client-side query handling.

Client-Side Field-Level Encryption provides related functionality, in that it encrypts data on the client side before inserting it into the database. Querying is limited to equality queries and deterministic encryption must be used for equality.

For more information, refer to our documentation

What query types are supported with Queryable Encryption?

Queryable Encryption supports equality and range queries on encrypted data as of the 8.0 release.

Future releases will support prefix, suffix, and substring query types.