Docs Home → Develop Applications → MongoDB Manual

Queryable Encryption

On this page

Introduction

Considerations
Compatibility
MongoDB Support Limitations
Features
Install
Quick Start
Fundamentals
Tutorials
Reference

Queryable Encryption with equality queries is generally available (GA) in MongoDB 7.0 and later. The Queryable Encryption Public Preview, released in version 6.0, is no longer supported. Data encrypted using the Public Preview is incompatible with the feature release. For more information, see Compatibility Changes in MongoDB 7.0.

Introduction

Queryable Encryption gives you the ability to perform the following tasks:

Encrypt sensitive data fields from the client-side.
Store sensitive data fields as fully randomized encrypted data on the database server-side.
Run expressive queries on the encrypted data.

These tasks are all completed without the server having knowledge of the data it's processing.

Sensitive data is encrypted throughout its lifecycle - in-transit, at-rest, in-use, in logs, and backups - and only ever decrypted on the client-side, since only you have access to the encryption keys.

Queryable Encryption introduces an industry-first fast, searchable encryption scheme developed by the pioneers in encrypted search. The feature supports equality searches, with additional query types such as range, prefix, suffix, and substring planned for future releases.

You can set up Queryable Encryption using the following mechanisms:

Automatic Encryption: Enables you to perform encrypted read and write operations without you having to write code to specify how to encrypt fields.
Explicit Encryption: Enables you to perform encrypted read and write operations through your MongoDB driver's encryption library. You must specify the logic for encryption with this library throughout your application.

Considerations

When implementing an application that uses Queryable Encryption, consider the points listed in Security Considerations.

For other limitations, see Queryable Encryption limitations.

Compatibility

The following table shows which MongoDB server products support which Queryable Encryption mechanisms:

Product Name	Supports Automatic Encryption	Supports Explicit Encryption
MongoDB Atlas	Yes	Yes
MongoDB Enterprise Advanced	Yes	Yes
MongoDB Community Edition	No	Yes

To learn which MongoDB drivers support Queryable Encryption, see Queryable Encryption Compatibility.

MongoDB Support Limitations

Enabling Queryable Encryption on a collection redacts fields from some diagnostic commands and omits some operations from the query log. This limits the data available to MongoDB support engineers, especially when analyzing query performance. To measure the impact of operations against encrypted collections, use a third party application performance monitoring tool to collect metrics.

For details, see Redaction.

Features

To learn about the security benefits of Queryable Encryption for your applications, see the Features page.

Install

To learn what you must install to use Queryable Encryption, see the Install a Queryable Encryption Compatible Driver and Install and Configure a Queryable Encryption Library pages.

Quick Start

To start using Queryable Encryption, see the Quick Start.

Fundamentals

To learn about encryption key management, see Encryption Keys and Key Vaults.

To learn how Queryable Encryption works, see the Fundamentals section, which contains the following pages:

Tutorials

To learn how to perform specific tasks with Queryable Encryption, see the Tutorials section.

Reference

To view information to help you develop your Queryable Encryption enabled applications, see the Reference section.

The reference section contains the following pages:

← KMS Providers

Features →

Queryable Encryption.css-134mg1q{-webkit-align-self:center;-ms-flex-item-align:center;align-self:center;padding:0 10px;visibility:hidden;}.css-6vrlzm{border-radius:0!important;display:initial!important;margin:initial!important;}.css-1l4s55v{margin-top:-175px;position:absolute;padding-bottom:2px;}