The document describes how client-side encryption works in MongoDB. It explains that the client encrypts data before sending it to MongoDB using encrypted data keys stored in a key vault collection. It also covers how JSON schemas can specify encryption rules for fields using properties like keyId, algorithm, and bsonType. The schemas help ensure data is encrypted as intended before being inserted or updated.
8. Client Side Encryption
Encrypt before sending. Decrypt after receiving.
You see:
db.coll.insert({
  name: "Todd",
  ssn: "457-55-5462"
})
MongoDB sees:
{
  insert: "coll",
  documents: [{
    name: "Todd",
    ssn: BinData("a10x…", "06")
  }]
}
9. Client Side Encryption
How does this differ from…?
•… encryption in-transit (TLS)
•… encryption at-rest (encrypted storage engine)
10. Client Disk
{ ssn: "457-55-5462" } { ssn: "457-55-5462" }
Attacker
Steal disk
Listen to traffic
MongoDB
send over socket
insert: { ssn: "457-55-5462" }
{ ok: 1 }
Malicious admin
db.coll.find()
11. Client Disk
send over socket:
insert: { ssn: "457-55-5462" }
write to disk
{ ssn: "457-55-5462" }
MongoDB
Boundary of unencrypted data
12. Client Disk
send over socket:
insert: { ssn: "457-55-5462" }
write to disk
<ciphertext>
MongoDB
Boundary of unencrypted data
Enabling encrypted storage engine
13. Client Disk
send over socket:
<ciphertext>
write to disk
<ciphertext>
MongoDB
Encrypted storage engine + TLS
14. Client Disk
send over socket:
insert: { ssn: <ciphertext> }
write to disk
{ ssn: <ciphertext> }
MongoDB
Client Side Encryption
17. But why?
Store private stuff in public storage.
Storage Unit
Store private data in the public cloud.
Key to Unit
Held by you and management
Police
Comes with a warrant
42. encrypt: {
  keyId: <UUID[]> or <string>,
  algorithm: <string>,
  bsonType: <string> or <string[]>
}
bsonType indicates the type of underlying data.
E.g. "string" or [ "string", "objectId" ]
algorithm indicates how to encrypt.
"AEAD_AES_256_CBC_HMAC_SHA_512-Random" or
"AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
keyId indicates the key used to encrypt.
UUID("E0A8…") or "/fieldName"
46. bsonType
Restrictions
Single value types (undefined, null, minkey, maxkey) are prohibited.
DETERMINISTIC restrictions
Only one type may be specified. Additional types are excluded: "bool", "double",
"decimal128", "object", "array", "javascriptWithScope"
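The restrictions on slides 42 and 46, as an added example (not code from the original slides or from MongoDB): a small linter that checks `encrypt` rules in a schema before it is deployed. The function names, the sample schema and the `<key-uuid>` placeholders are assumptions made for illustration.

```javascript
// Added example: lint `encrypt` rules against the slide 42/46 restrictions.
const MODES = {
  "AEAD_AES_256_CBC_HMAC_SHA_512-Random": "random",
  "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic": "deterministic",
};
// Single-value types are prohibited for either algorithm.
const SINGLE_VALUE = new Set(["undefined", "null", "minkey", "maxkey"]);
// Types additionally excluded when the algorithm is deterministic.
const DETERMINISTIC_EXCLUDED = new Set([
  "bool", "double", "decimal128", "object", "array", "javascriptwithscope",
]);

// Hypothetical helper: returns a list of problems for one encrypt rule.
function lintEncryptRule(field, rule) {
  const problems = [];
  const mode = MODES[rule.algorithm];
  if (!mode) problems.push(`${field}: unknown algorithm "${rule.algorithm}"`);
  // bsonType may be a string or an array of strings; normalise to an array.
  const types = rule.bsonType === undefined ? [] : [].concat(rule.bsonType);
  for (const t of types.map((x) => String(x).toLowerCase())) {
    if (SINGLE_VALUE.has(t)) problems.push(`${field}: single-value type "${t}" is prohibited`);
    if (mode === "deterministic" && DETERMINISTIC_EXCLUDED.has(t))
      problems.push(`${field}: "${t}" is excluded for deterministic encryption`);
  }
  if (mode === "deterministic" && types.length !== 1)
    problems.push(`${field}: deterministic encryption takes exactly one bsonType`);
  return problems;
}

// Hypothetical helper: lint every encrypted top-level property of a schema.
function lintSchema(schema) {
  return Object.entries(schema.properties || {})
    .filter(([, def]) => def.encrypt)
    .flatMap(([name, def]) => lintEncryptRule(name, def.encrypt));
}

// Constructed sample schema; keyId values are placeholders, not real key UUIDs.
const RANDOM = "AEAD_AES_256_CBC_HMAC_SHA_512-Random";
const DETERMINISTIC = "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic";
const sampleSchema = {
  bsonType: "object",
  properties: {
    name: { bsonType: "string" },
    ssn: { encrypt: { keyId: ["<key-uuid>"], algorithm: DETERMINISTIC, bsonType: "string" } },
    notes: { encrypt: { keyId: ["<key-uuid>"], algorithm: RANDOM, bsonType: ["string", "objectId"] } },
    active: { encrypt: { keyId: ["<key-uuid>"], algorithm: DETERMINISTIC, bsonType: "bool" } },
    ref: { encrypt: { keyId: ["<key-uuid>"], algorithm: DETERMINISTIC, bsonType: ["string", "objectId"] } },
    gone: { encrypt: { keyId: ["<key-uuid>"], algorithm: RANDOM, bsonType: "null" } },
  },
};
console.log(lintSchema(sampleSchema).join("\n"));
```

Running the linter in CI against the schema map catches rules that the driver would otherwise reject only when the first write to that field is attempted.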