| 1 | +.. _ruby-in-use-encryption: |
| 2 | + |
| 3 | +================= |
| 4 | +In-Use Encryption |
| 5 | +================= |
| 6 | + |
| 7 | +.. contents:: On this page |
| 8 | + :local: |
| 9 | + :backlinks: none |
| 10 | + :depth: 1 |
| 11 | + :class: singlecol |
| 12 | + |
| 13 | +.. facet:: |
| 14 | + :name: genre |
| 15 | + :values: reference |
| 16 | + |
| 17 | +.. meta:: |
| 18 | + :keywords: qe, csfle, field level encryption |
| 19 | + |
| 20 | +Overview |
| 21 | +-------- |
| 22 | + |
| 23 | +You can use the {+driver-short+} to encrypt specific document fields by using a |
| 24 | +set of features called **in-use encryption**. In-use encryption allows |
| 25 | +your application to encrypt data *before* sending it to MongoDB |
| 26 | +and query documents with encrypted fields. |
| 27 | + |
| 28 | +In-use encryption prevents unauthorized users from viewing plaintext |
| 29 | +data as it is sent to MongoDB or while it is in an encrypted database. To |
| 30 | +enable in-use encryption in an application and authorize it to decrypt |
| 31 | +data, you must create encryption keys that only your application can |
| 32 | +access. Only applications that have access to your encryption |
| 33 | +keys can access the decrypted, plaintext data. If an attacker gains |
| 34 | +access to the database, they can see only the encrypted ciphertext data |
| 35 | +because they lack access to the encryption keys. |
| 36 | + |
| 37 | +You can use in-use encryption to encrypt fields in your MongoDB |
| 38 | +documents that contain the following types of sensitive data: |
| 39 | + |
| 40 | +- Credit card numbers |
| 41 | +- Addresses |
| 42 | +- Health information |
| 43 | +- Financial information |
| 44 | +- Any other sensitive or personally identifiable information (PII) |
| 45 | + |
| 46 | +MongoDB offers the following features to enable in-use encryption: |
| 47 | + |
| 48 | +- :ref:`Queryable Encryption <ruby-in-use-encryption-qe>` |
| 49 | +- :ref:`Client-side Field Level Encryption <ruby-in-use-encryption-csfle>` |
| 50 | + |
| 51 | +.. _ruby-in-use-encryption-qe: |
| 52 | + |
| 53 | +Queryable Encryption |
| 54 | +-------------------- |
| 55 | + |
| 56 | +Queryable Encryption is the next-generation in-use encryption feature, |
| 57 | +first introduced as a preview feature in {+mdb-server+} version 6.0 and |
| 58 | +as a generally available (GA) feature in MongoDB 7.0. Queryable |
| 59 | +Encryption supports searching encrypted fields for equality and encrypts |
| 60 | +each value uniquely. |
| 61 | + |
| 62 | +.. important:: Preview Feature Incompatible with MongoDB 7.0 |
| 63 | + |
| 64 | + The implementation of Queryable Encryption in MongoDB 6.0 is incompatible with |
| 65 | + the GA version introduced in MongoDB 7.0. The Queryable Encryption preview |
| 66 | + feature is no longer supported. |
| 67 | + |
| 68 | +To learn more about Queryable Encryption, see :manual:`Queryable |
| 69 | +Encryption </core/queryable-encryption/>` in the {+mdb-server+} manual. |
| 70 | + |
| 71 | +.. _ruby-in-use-encryption-csfle: |
| 72 | + |
| 73 | +Client-side Field Level Encryption |
| 74 | +---------------------------------- |
| 75 | + |
| 76 | +Client-side Field Level Encryption (CSFLE) was introduced in {+mdb-server+} |
| 77 | +version 4.2 and supports searching encrypted fields for equality. |
| 78 | +CSFLE differs from Queryable Encryption in that you can select either a |
| 79 | +deterministic or random encryption algorithm to encrypt fields. You can only |
| 80 | +query encrypted fields that use a deterministic encryption algorithm when |
| 81 | +using CSFLE. When you use a random encryption algorithm to encrypt |
| 82 | +fields in CSFLE, they can be decrypted, but you cannot perform equality |
| 83 | +queries on those fields. When you use Queryable Encryption, you cannot |
| 84 | +specify the encryption algorithm, but you can query all encrypted |
| 85 | +fields. |
| 86 | + |
| 87 | +When you deterministically encrypt a value, the same input value |
| 88 | +produces the same output value. While deterministic encryption allows |
| 89 | +you to perform queries on those encrypted fields, encrypted data with |
| 90 | +low cardinality is susceptible to code breaking by frequency analysis. |
| 91 | + |
| 92 | +.. tip:: |
| 93 | + |
| 94 | + To learn more about these concepts, see the following Wikipedia |
| 95 | + entries: |
| 96 | + |
| 97 | + - :wikipedia:`Cardinality <w/index.php?title=Cardinality_(data_modeling)&oldid=1182661589>` |
| 98 | + - :wikipedia:`Frequency Analysis <w/index.php?title=Frequency_analysis&oldid=1182536787>` |
| 99 | + |
| 100 | +To learn more about CSFLE, see :manual:`CSFLE </core/csfle/>` in the {+mdb-server+} |
| 101 | +manual. |
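Review bot: the sentence in the CSFLE section, "When you use Queryable Encryption, you cannot specify the encryption algorithm, but you can query all encrypted fields," overstates the feature; Queryable Encryption only lets you search fields that the collection's encryptedFields map configures as queryable (the ones given a queries specification), and fields without one are encrypted but cannot be searched. Suggest rewording to "but you can query every encrypted field that you configure as queryable", and stating in the same paragraph that the GA release supports equality queries, which keeps it consistent with the earlier "Queryable Encryption supports searching encrypted fields for equality" rather than implying a broader query surface than CSFLE. Minor: "susceptible to code breaking by frequency analysis" would read more precisely as "susceptible to inference attacks based on frequency analysis".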