Queryable Encryption in MongoDB
Presented by
Ranjith,
Database Reliability Engineer, Mydbops
Mydbops MyWebinar Edition 29
Nov 25th, 2023
About Me
Ranjith
❏ Interested in MongoDB Internals
❏ Performance Troubleshooting
❏ Blogger
Mydbops Services
Focus on MySQL, MongoDB, PostgreSQL, TiDB, Cassandra
Consulting
Services
Managed
Services
24*7
DBA Team
Targeted
Engagement
❏ Introduction
❏ Enhanced Security in MongoDB
❏ CSFLE (Client-Side-Field-Level-Encryption)
❏ Queryable Encryption
❏ Queryable Encryption Types
❏ Limitations
Agenda
❏ MongoDB Encryption: Ensures robust security, protecting data from unauthorized access.
❏ Confidentiality & Integrity: Maintains data confidentiality and integrity.
❏ Flexible Methods: Offers diverse encryption options, including CSFLE and Queryable Encryption.
Introduction
Enhanced Security in MongoDB
Life Cycle
Two types of Encryption Mechanisms:
❏ Automatic Encryption: Enables encrypted read and write operations without explicit code
(MongoDB Enterprise & MongoDB Atlas).
❏ Explicit Encryption: Empowers encrypted operations using the MongoDB driver's encryption
library, applicable across all formats.
CSFLE (Client-Side-Field-Level-Encryption)
❏ Data Encryption Keys (DEKs)
❏ Key Vault Collections
❏ Key Management System (KMS)
❏ libmongocrypt
Important Key Components of CSFLE Encryption
❏ Query Initiation
❏ Encrypted Fields Analysis
❏ DEK Retrieval
❏ DEK Decryption
❏ Data Retrieval
❏ Data Decryption
How CSFLE Works?
Next Up: Queryable Encryption
❏ Queryable Encryption uses random encryption, whereas CSFLE uses deterministic encryption.
❏ In deterministic encryption, the same plaintext value is always encrypted to the same ciphertext.
❏ Queryable Encryption produces different ciphertexts for the same plaintext each time it is
encrypted.
❏ It prevents attackers from easily identifying patterns based on frequency.
CSFLE vs Queryable Encryption
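The difference described above can be seen from the storage side with a small added example (not from the original slides). It uses an HMAC-SHA256 keystream from the Python standard library as a stand-in for the AES mode MongoDB uses; the key, the function names and the blood-type column are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

DEMO_KEY = bytes(range(32))  # constructed demo key, not a real DEK


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor_stream(key: bytes, iv: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (stand-in for AES)."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += _prf(key, iv + block.to_bytes(4, "big"))
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_deterministic(key: bytes, plaintext: bytes) -> bytes:
    # IV is derived from the plaintext, so equal values give equal ciphertexts.
    iv = _prf(_prf(key, b"iv-key"), plaintext)[:16]
    return iv + _xor_stream(_prf(key, b"enc-key"), iv, plaintext)


def encrypt_randomized(key: bytes, plaintext: bytes) -> bytes:
    # Fresh random IV per call, so equal values give unrelated ciphertexts.
    iv = os.urandom(16)
    return iv + _xor_stream(_prf(key, b"enc-key"), iv, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return _xor_stream(_prf(key, b"enc-key"), blob[:16], blob[16:])


def stored_value_counts(ciphertexts: list) -> list:
    """Counts per distinct stored value: all a storage-only observer can see."""
    return sorted(Counter(ciphertexts).values(), reverse=True)


# Constructed sample column: ten patients' blood types.
COLUMN = [b"O+"] * 6 + [b"A+"] * 3 + [b"AB-"]

if __name__ == "__main__":
    det = [encrypt_deterministic(DEMO_KEY, v) for v in COLUMN]
    rnd = [encrypt_randomized(DEMO_KEY, v) for v in COLUMN]
    print("deterministic:", stored_value_counts(det))  # plaintext histogram shows through
    print("randomized:   ", stored_value_counts(rnd))  # every stored value is distinct
```

With deterministic encryption the stored column keeps the plaintext's frequency distribution, which is the pattern the last bullet refers to; with a random IV each stored value appears once.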
❏ Encrypts During Transmission: Queryable Encryption secures data in transit with randomized
encryption, allowing queries.
❏ Client ensures data is always transmitted in encrypted form, automatically encrypting and
decrypting sensitive information.
MongoDB Supports Two Types:
❏ Implicit Queryable Encryption - Available on MongoDB Enterprise & MongoDB Atlas
❏ Explicit Queryable Encryption - Available on MongoDB Enterprise, MongoDB Atlas & MongoDB
Community
Queryable Encryption
❏ Data Encryption Keys (DEKs)
❏ Key Vault Collections
❏ Cryptographic Tokens
❏ Cryptographic Tags
❏ Key Management System (KMS)
Important Key components of Queryable Encryption
❏ DEK Function: The Data Encryption Key (DEK) encrypts fields in MongoDB documents.
❏ Secure Storage: DEK is securely stored in a MongoDB collection known as the keyVault collection.
Key Vault Collections
❏ DEK Storage: MongoDB's Key Vault collection stores encrypted Data Encryption Key (DEK) documents.
❏ Document Composition: DEK documents within the Key Vault collection are BSON documents that
encapsulate Data Encryption Keys (DEKs).
Data Encryption Keys (DEKs)
❏ Tokenized Encryption: Cryptographic tokens represent encrypted data, allowing
querying without decryption.
❏ Queryable Encryption Process: Upon data insertion with queryable encryption,
designated fields are encrypted and stored as cryptographic tokens (Ciphertext) in the
namespace.
Cryptographic Tokens
❏ Metadata for Encryption: Cryptographic tags provide key and algorithm details for encrypted fields.
❏ Query Management: Crucial for MongoDB server in handling encrypted data during queries.
❏ Stored Guidance: Stored alongside data, cryptographic tags enable the server to determine the
appropriate encryption key for querying or decrypting data.
Cryptographic Tags
Queryable Encryption is supported by the following Key Management System (KMS) providers:
❏ Amazon Web Services KMS
❏ Azure Key Vault
❏ Google Cloud Platform KMS
❏ Any KMIP Compliant Key Management System
❏ Local Key Provider
Key Management System (KMS)
❏ Explicit encryption is a method wherein you explicitly define the encryption and decryption processes
for fields in your document during each operation conducted on your database.
❏ Explicit encryption is available and supported in the following MongoDB products:
MongoDB Community Server
MongoDB Enterprise Advanced
MongoDB Atlas
Explicit Queryable Encryption
How Write Operations Work in Explicit Queryable Encryption?
❏ Application submits query.
❏ MongoDB drivers analyze query.
❏ DEKs (unique to specific fields) use AES-CBC-256 encryption.
❏ Each DEK is unique and associated with a specific field in the document.
AES - Advanced Encryption Standard
CBC-256 - 256 bit Cipher Block Chaining
❏ AES-CBC-256 creates cryptographic token with tags.
How Write Operations Work in Explicit Queryable Encryption?
❏ Cryptographic token encrypts data (AES-CBC-256 + IV for uniqueness).
❏ DEKs are safeguarded by encrypting with CMK.
❏ Driver sends query to MongoDB server with encrypted fields as ciphertext.
❏ Encrypted data (Token + Tags) stored in MongoDB server.
How Write Operations Work in Queryable Encryption?
❏ Enable Queryable Encryption for a collection.
❏ MongoDB generates two metadata collections in the specified database.
❏ For example, after enabling Queryable Encryption for the patients collection, MongoDB
generates metadata collections like the ones below:
enxcol_.patients.ecoc //metadata collection1
enxcol_.patients.esc //metadata collection2
Metadata Collections
The .ecoc collection functions as a repository for encryption context information, encompassing
cryptographic tokens, cryptographic tags, and associated metadata.
❏ Cryptographic Tokens: Encrypted representations of specific field values.
❏ Cryptographic Tags: Metadata linked to encrypted fields for decryption.
❏ Context Information: Details on DEK associations for each cryptographic token.
❏ Cache Optimization: Collection acts as a cache, enhancing query performance.
❏ Size Management: Compaction command needed if metadata collection exceeds 1 GB.
❏ Temporary Storage: .ecoc serves as temporary storage for cryptographic metadata essential in
query processing.
enxcol_.patients.ecoc //metadata collection1
❏ DEK Details: Intricate info on Data Encryption Keys (DEKs) with unique identifiers and metadata.
❏ Key Management: Specifies the Customer Master Key (CMK) for DEK protection.
❏ Algorithms: Stores comprehensive details on encryption algorithms and parameters.
❏ Key Rotation: Insights into policies and schedules for managing key rotation.
❏ Configuration: Houses essential settings and metadata for the encryption system.
enxcol_.patients.esc //metadata collection2
❏ Internally Managed Collections: MongoDB manages these collections for queryable encryption
operations.
❏ Critical Role: Essential for the efficient processing of queries involving encrypted data.
❏ Enhanced Security: Provide context and metadata for decryption, ensuring sensitive information remains
secure.
❏ Background Operations: Typically not directly accessed or modified by users, functioning behind the
scenes.
❏ Foundational Component: Integral part of MongoDB's queryable encryption infrastructure.
enxcol_.patients.esc //metadata collection2
How Read Operation Works in Queryable Encryption?
❏ Query Submission: Application submits a query; MongoDB drivers analyze it.
❏ DEK Encryption: DEKs use AES-CBC-256 to encrypt specific document fields.
❏ Key Protection: DEKs are protected by encrypting them with the CMK.
❏ Query Transmission: Driver sends the query to MongoDB server, representing encrypted fields
as ciphertext.
❏ Cryptographic Tags: MongoDB uses tags to fetch the cryptographic token with encrypted data.
❏ Decryption Process: Driver decrypts query results using its keys.
❏ Client Return: Decrypted data is returned to the client in plaintext.
How Read Operation Works in Queryable Encryption?
Explicit Queryable Encryption Demo
❏ Automatic Queryable Encryption
❏ Driver and libmongocrypt Collaboration
❏ Streamlined Approach
❏ Seamless Operations
❏ Ease of Use and Security
❏ Available in MongoDB Enterprise and Atlas
Implicit (Automatic) Queryable Encryption
❏ Query Initiation
❏ Field Analysis
❏ DEK Retrieval
❏ DEK Decryption
❏ Data Reading
❏ Data Decryption
❏ User Interaction
How Automatic Queryable Encryption Works?
Implicit Queryable Encryption Demo
❏ Compatibility Note: Queryable Encryption is incompatible with MongoDB Atlas Search.
❏ Server Limitation: Not applicable for MongoDB standalone servers.
❏ Shard Key Restriction: Encrypted fields cannot be used as shard keys.
❏ Collection Renaming Restriction: Renaming collections with encrypted fields is not allowed.
❏ _id Field Exclusion: Encryption cannot be applied to the _id field.
❏ MongoDB 7.0 supports only equality searches
❏ Encryption collection backup not supported for restoration
For detailed information, you can refer to
https://www.mongodb.com/docs/manual/core/queryable-encryption/reference/limitations/#std-label-qe-reference-encryption-limits
Limitations Of Queryable Encryption
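Several of the limitations above can be checked before a collection is created. The following is an added example (not from the original slides or from MongoDB): a pre-flight check over an encryptedFields definition. The function names, the sample field paths and the topology labels are hypothetical, and treating parent/child paths as conflicts is a conservative assumption.

```python
ALLOWED_QUERY_TYPES = {"equality"}  # per the slide: MongoDB 7.0, equality only


def metadata_collections(collection: str) -> list:
    """Names of the two metadata collections MongoDB creates beside `collection`."""
    return [f"enxcol_.{collection}.esc", f"enxcol_.{collection}.ecoc"]


def _overlaps(a: str, b: str) -> bool:
    """True if dotted paths a and b are equal or one is a parent of the other."""
    return a == b or a.startswith(b + ".") or b.startswith(a + ".")


def check_encrypted_fields(encrypted_fields: dict, shard_key=(),
                           topology="replica_set") -> list:
    """Return a list of problems found; an empty list means no finding."""
    problems = []
    if topology == "standalone":
        problems.append("topology: standalone servers are not supported")
    for field in encrypted_fields.get("fields", []):
        path = field.get("path", "")
        if _overlaps(path, "_id"):
            problems.append(f"{path}: the _id field cannot be encrypted")
        for key in shard_key:
            if _overlaps(path, key):
                problems.append(f"{path}: encrypted field overlaps shard key '{key}'")
        queries = field.get("queries") or []
        if isinstance(queries, dict):  # a single query document is also accepted
            queries = [queries]
        for query in queries:
            qtype = query.get("queryType")
            if qtype not in ALLOWED_QUERY_TYPES:
                problems.append(f"{path}: queryType '{qtype}' is not supported")
    return problems


# Constructed sample definition (keyId omitted; field names are hypothetical).
SAMPLE = {
    "fields": [
        {"path": "_id", "bsonType": "string"},
        {"path": "patientRecord.ssn", "bsonType": "string",
         "queries": {"queryType": "equality"}},
        {"path": "billing.amount", "bsonType": "int",
         "queries": [{"queryType": "range"}]},
        {"path": "region", "bsonType": "string"},
    ]
}

if __name__ == "__main__":
    for problem in check_encrypted_fields(SAMPLE, shard_key=("region",)):
        print(problem)
    print(metadata_collections("patients"))
```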
➔ MongoDB Implicit Queryable Encryption
https://www.mydbops.com/blog/mongodb-queryable-encryption/
➔ MongoDB Explicit Queryable Encryption
https://www.mydbops.com/blog/mongodb-7-explicit-queryable-encryption/
➔ MongoDB General Queryable Encryption Video
https://www.youtube.com/watch?v=vTM_YlieLBE&t=863s
Queryable Encryption Related Blogs
Any Questions?
Thank You

Navigating MongoDB's Queryable Encryption for Ultimate Security - Mydbops
