Server-Side Schema Enforcement

On this page

Example
Learn More

Queryable Encryption is generally available (GA) in MongoDB 7.0. To learn more, see Queryable Encryption.

In Client-Side Field Level Encryption (CSFLE)-enabled client applications, you can use schema validation to have your MongoDB instance enforce encryption of specific fields. To specify which fields require encryption, use the automatic encryption rule keywords with the $jsonSchema validation object. The server rejects any write operations to that collection where the specified fields are not Binary (BinData) subtype 6 objects.

To learn how a CSFLE-enabled client configured to use automatic encryption behaves when it encounters a server-side schema, see Server-Side Field Level Encryption Enforcement.

To learn how a CSFLE-enabled client configured to use explicit encryption behaves when it encounters a server-side schema, see Server-Side Field Level Encryption Enforcement.

Example

Consider an hr database with an employees collection. Documents in the employees collection have the following form:

{
  "name": "Jane Doe",
  "age": 51
}

You want to enforce the following behavior for client applications using your collection:

When encrypting the age field, clients must follow these encryption rules:
- Use the Data Encryption Key with an _id of UUID("e114f7ad-ad7a-4a68-81a7-ebcb9ea0953a").
- Use the randomized encryption algorithm.
- The age field must be an integer.
When encrypting the name field, clients must follow these encryption rules:
- Use the Data Encryption Key with an _id of UUID("33408ee9-e499-43f9-89fe-5f8533870617").
- Use the deterministic encryption algorithm.
- The name field must be a string.

The following mongosh code uses the collMod command to update the hr.employees collection to include a validator to enforce the preceding behavior:

db.getSiblingDB("hr").runCommand({
  collMod: "employees",
  validator: {
    $jsonSchema: {
      bsonType: "object",
      properties: {
        age: {
          encrypt: {
            keyId: [UUID("e114f7ad-ad7a-4a68-81a7-ebcb9ea0953a")],
            algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Random",
            bsonType: "int",
          },
        },
        name: {
          encrypt: {
            keyId: [UUID("33408ee9-e499-43f9-89fe-5f8533870617")],
            algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
            bsonType: "string",
          },
        },
      },
    },
  },
});

Learn More

To learn more about the encryption algorithms CSFLE supports, see Fields and Encryption Types.

To learn more about encryption schemas and encryption rules, see Encryption Schemas.

← Encryption SchemasSupported Operations for Automatic Encryption →