Encryption
MongoDB offers encryption at several layers, each protecting against a different threat. Understanding what each one actually guards against — and what it doesn't — matters more than enabling all of them blindly.
TLS in Transit
TLS encrypts data moving between the client and the server (and between cluster members). It protects against network eavesdropping and man-in-the-middle attacks — it does nothing for data sitting on disk.
# mongod.conf
net:
tls:
mode: requireTLS
certificateKeyFile: /etc/ssl/mongodb.pem
CAFile: /etc/ssl/ca.pemmongosh --tls --tlsCAFile ca.pem "mongodb://host:27017/shop"
requireTLS should be the target for any production deployment.Encryption at Rest
Encryption at rest protects the data files on disk — if someone steals a physical drive or an unencrypted backup file, the data is unreadable without the encryption key. It protects against disk/media theft; it does nothing against someone who already has an authenticated connection to a running server.
Atlas encrypts all data at rest by default (AES-256), with an option to bring your own encryption key (KMIP-compatible KMS: AWS KMS, Azure Key Vault, Google Cloud KMS).
Self-hosted WiredTiger supports native encryption at rest (Enterprise edition), configured with a local keyfile or an external KMIP server.
Cloud provider disk-level encryption (e.g. EBS encryption) is a reasonable substitute if the storage engine option is unavailable, though it protects at a different layer.
# mongod.conf — Enterprise, encryption at rest via local keyfile security: enableEncryption: true encryptionKeyFile: /etc/mongodb/encryption-keyfile
Client-Side Field Level Encryption (CSFLE)
CSFLE encrypts specific fields on the client, before the data ever leaves your application — the server (and anyone with database access, including a DBA or an attacker who compromises the server) only ever sees ciphertext for those fields. Decryption happens only on authorized clients holding the data encryption key.
const encryptedFieldsMap = {
"shop.customers": {
fields: [
{
path: "ssn",
bsonType: "string",
keyId: dataKeyId
}
]
}
}
const secureClient = new MongoClient(uri, {
autoEncryption: {
keyVaultNamespace: "encryption.__keyVault",
kmsProviders: { local: { key: localMasterKey } },
encryptedFieldsMap
}
})
// Writes/reads through secureClient transparently encrypt/decrypt "ssn";
// a plain client (or anyone querying directly) only ever sees ciphertext
await secureClient.db("shop").collection("customers").insertOne({
name: "Alice",
ssn: "123-45-6789" // encrypted automatically before leaving the app
})Queryable Encryption
Queryable Encryption is MongoDB's newer approach to the same problem CSFLE solves, but with structured encryption that supports equality queries (and, in newer versions, range queries) on encrypted fields — without the server ever seeing the plaintext or the query predicate in the clear. It uses specialized encrypted index structures instead of exposing a deterministic ciphertext pattern.
const encryptedFieldsMap = {
"shop.customers": {
fields: [
{ path: "ssn", bsonType: "string", queries: { queryType: "equality" } }
]
}
}
// Query as normal — the driver handles encrypting the query predicate
await secureClient.db("shop").collection("customers").findOne({ ssn: "123-45-6789" })What Each Layer Protects Against
Mechanism | Protects Against | Does NOT Protect Against |
|---|---|---|
TLS in transit | Network eavesdropping, MITM | Data at rest, a compromised server |
Encryption at rest | Stolen disks/media, unencrypted backup leaks | An attacker with an authenticated live connection |
CSFLE | Server-side/DBA visibility, a compromised database server | A compromised application server holding the key |
Queryable Encryption | Same as CSFLE, plus supports queries without server-side plaintext exposure | A compromised application server holding the key |
Summary
TLS protects data in transit; encryption at rest protects data on disk — neither protects against a live, authenticated attacker reading through the database.
CSFLE encrypts specific fields client-side so the server never sees plaintext, at the cost of limited query capability.
Queryable Encryption extends the same guarantee to support equality (and increasingly range) queries on encrypted fields.
Use all four layers together for defense in depth — they protect against different threat models, not the same one.