Skip to content

Update index.mdx #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jul 18, 2025
Merged

Update index.mdx #9

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
93 changes: 45 additions & 48 deletions docs/queryable-encryption/index.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,62 +7,59 @@ import TabItem from '@theme/TabItem';

# 📘 Queryable Encryption

## Introduction
Queryable Encryption is a groundbreaking technology that allows you to run specific queries on encrypted data without the need to decrypt it on the server. In MongoDB, this means sensitive data can remain encrypted throughout its lifecycle—at rest, in transit, and even during query processing. By enabling Queryable Encryption, you significantly reduce the attack surface by minimizing the exposure of plaintext data, even to authorized database administrators. This strengthens your security posture and helps meet stringent compliance requirements.

Queryable Encryption is a groundbreaking technology that allows you to run specific queries on encrypted data without the need to decrypt it on the server. In MongoDB, this means sensitive data can remain encrypted throughout its lifecycle – at rest, in transit, and even during query processing. By enabling Queryable Encryption, you significantly reduce the attack surface by minimizing the exposure of plaintext data, even to authorized database administrators. This strengthens your security posture and helps meet stringent compliance requirements.

## Why is Queryable Encryption Important in MongoDB?
## Why is Queryable Encryption important in MongoDB?

MongoDB, while offering various security features, can benefit significantly from Queryable Encryption for scenarios involving highly sensitive data. By implementing it, you ensure:
- **Enhanced Data Protection**: Sensitive data remains encrypted even when it is being processed on the database side, minimizing the risk of exposure in case of a security breach or unauthorized access.
- **Compliance with Regulations**: Helps meet stringent data privacy regulations like GDPR, HIPAA, and others that mandate strong encryption and control over sensitive information.
- **Reduced Insider Threat**: Even database administrators or authorized personnel with access to the database infrastructure cannot see the plaintext data without the appropriate decryption keys managed outside of the database.
- **Maintain Functionality**: Unlike traditional encryption where data needs to be decrypted for querying, Queryable Encryption allows you to perform specific types of queries directly on the encrypted data, preserving application functionality.
- **Enhanced data protection**: Sensitive data remains encrypted even when it is being processed on the database side, minimizing the risk of exposure in case of a security breach or unauthorized access.
- **Compliance with regulations**: Meet stringent data privacy regulationslike GDPR and HIPAA—that mandate strong encryption and control over sensitive information.
- **Reduced insider threat**: Even database administrators or authorized personnel with access to the database infrastructure cannot see the plaintext data without the appropriate decryption keys managed outside of the database.
- **Maintained functionality**: Unlike traditional encryption where data needs to be decrypted for querying, Queryable Encryption allows you to perform specific types of queries directly on the encrypted data, preserving application functionality.

## Overview

<Tabs>
<TabItem value="atlas" label="MongoDB Atlas">

In MongoDB Atlas, Queryable Encryption is available for:
- M10 or larger clusters
- MongoDB 7.0 or later
- Enterprise or Atlas deployments
- M10 or larger clusters.
- MongoDB 7.0 or later.
- Enterprise or Atlas deployments.

To enable Queryable Encryption:
1. Create an encryption key in your preferred Key Management System (local, AWS KMS, Azure Key Vault, GCP KMS)
2. Configure your Atlas cluster to use the KMS provider
3. Use the MongoDB driver with Queryable Encryption support
1. Create an encryption key in your preferred key management system (local, AWS KMS, Azure Key Vault, GCP KMS).
2. Configure your Atlas cluster to use the KMS provider.
3. Use the MongoDB driver with Queryable Encryption support.

</TabItem>
<TabItem value="onprem" label="On-Premises">

For self-hosted MongoDB deployments:
- Requires Enterprise Edition for Client Side Level Encryption (community versions support Queryable Encryption only)
- Requires Enterprise Edition for client-side field level encryption (community versions support Queryable Encryption only)
- MongoDB 7.0 or later
- A supported Key Management System
- A supported key management system

Configuration steps:
1. Set up a Key Management System
1. Set up a key management system
2. Configure mongod with encryption settings
3. Use the MongoDB driver with Queryable Encryption support

</TabItem>
</Tabs>

## Key Concepts in Queryable Encryption:
## Key concepts in Queryable Encryption

- **Key Management System (KMS)**: A secure system for managing encryption keys. MongoDB Queryable Encryption relies on either local keys/on-premises vaults like Hasicorp, or external KMS providers like AWS KMS, Azure Key Vault, Google Cloud KMS to store and manage the cryptographic keys.
- **Key management system (KMS)**: A secure system for managing encryption keys. MongoDB Queryable Encryption relies on either local keys/on-premises vaults like Hashicorp, or external KMS providers like AWS KMS, Azure Key Vault, or Google Cloud KMS to store and manage the cryptographic keys.
- **Encryption on Field Level Basis**: Encryption and decryption operations are performed on the client-side application before data is sent to or retrieved from the MongoDB server. This ensures that the server only handles encrypted data.
- **Encryption Schema**: Defines which fields in your documents need to be encrypted and specifies the type of encryption to be used for each field, influencing the types of queries that can be performed on that field.

## Implementation


### Setting Up Queryable Encryption

1. Configure KMS Provider:
This step configures the Key Management System (KMS) provider. In this example, it shows how to configure AWS KMS by providing access key ID and secret access key. It also shows how to configure a master key with its key, region, and endpoint.
1. Configure KMS provider
In this example, see how to configure AWS KMS by providing access key ID and secret access key. It also shows how to configure a master key with its key, region, and endpoint.
```python
const kmsProviders = {
aws: {
Expand All @@ -86,14 +83,14 @@ kms_providers = {"local": {"key": local_master_key}}
```


2. Create Client Encryption:
2. Create client encryption
This step creates a client with auto encryption options.
```python
encrypted_client = MongoClient(
new_connection, auto_encryption_opts=auto_encryption_options)
```

3. Define Encryption Schema:
3. Define encryption schema
This step defines the encryption schema for the fields that need to be encrypted. In this example, the "accountNumber" field is configured for equality queries.
```python
encrypted_fields_map = {
Expand All @@ -109,9 +106,9 @@ encrypted_fields_map = {
```


## Using Encrypted Fields
## Using encrypted fields

### Creating & Querying Documents with Encrypted Fields
### Creating & querying documents with encrypted fields

The following example demonstrates the complete workflow for creating and querying documents with encrypted fields:

Expand Down Expand Up @@ -167,50 +164,50 @@ find_result = encrypted_collection.find_one({
print(find_result) # The result is automatically decrypted when retrieved
```

This example demonstrates the power of Queryable Encryption - you can work with encrypted data as if it were normal data, while the encryption and decryption happen automatically in the background based on your schema configuration.
This example demonstrates the power of Queryable Encryptionyou can work with encrypted data as if it were normal data, while the encryption and decryption happen automatically in the background based on your schema configuration.

## Supported Query Types
## Supported query types

Queryable Encryption supports various query types depending on the encryption algorithm:

1. **Equality Queries**
1. **Equality queries**
- Exact matches on encrypted fields
- Supported with deterministic encryption
- Example: `{"encryptedField": "exactValue"}`


2. **Range Queries**
2. **Range queries**
- Comparison operators ($gt, $gte, $lt, $lte)
- Available for range-queryable encrypted fields
- Example: `{"encryptedField": {"$gt": "value"}}`
- Requires RangePreview algorithm


## Best Practices
## Best practices

1. **Key Management**
- Securely Manage KMS Credentials: Protect your KMS access keys and credentials diligently. Use best practices for secret management.
- Regularly rotate encryption keys
- Securely store and backup keys
- Use separate keys for different environments
1. **Key management**
- Securely manage KMS credentials: Protect your KMS access keys and credentials diligently. Use best practices for secret management.
- Regularly rotate encryption keys.
- Securely store and backup keys.
- Use separate keys for different environments.

2. **Performance Considerations**
- Understand Performance Implications: Queryable Encryption involves additional resources for indexing and storage on the server side. Test and optimize your application accordingly. Tune the relevant parameters and document design for best performance.
- Index encrypted fields when needed
- Monitor query performance on encrypted fields
- Use appropriate encryption algorithms
2. **Performance considerations**
- Understand performance implications: Queryable Encryption involves additional resources for indexing and storage on the server side. Test and optimize your application accordingly. Tune the relevant parameters and document design for best performance.
- Index encrypted fields when needed.
- Monitor query performance on encrypted fields.
- Use appropriate encryption algorithms.

3. **Security Guidelines**
- Principle of Least Privilege: Grant only the necessary permissions to access encryption keys.
- Follow the principle of least privilege
- Encrypt only necessary fields
- Regularly audit encryption configurations
3. **Security guidelines**
- Principle of least privilege: Grant only the necessary permissions to access encryption keys.
- Follow the principle of least privilege.
- Encrypt only necessary fields.
- Regularly audit encryption configurations.

## Challenges and Exercises
## Challenges and exercises

For hands-on practice with Queryable Encryption concepts, check out our [practical challenges](./challenge/queryable-encryption).

## Next Steps
## Next steps

After implementing Queryable Encryption, you can reach the final closing phase of Additional Security Considerations and Summary.