Install and Configure mongocryptd for CSFLE

~~On this page~~本页内容

~~Overview~~概述
Installation
Configuration
~~Examples~~实例

MongoDB's Queryable Encryption feature is available (GA) in MongoDB 7.0 and later. To learn more about Queryable Encryption and compare its benefits with Client-Side Field Level Encryption, see Queryable Encryption.

Overview概述

Note

Enterprise Feature

The automatic feature of field level encryption is only available in MongoDB Enterprise 4.2 or later, and MongoDB Atlas 4.2 or later clusters.

mongocryptd is installed with MongoDB Enterprise Server.

When you create a CSFLE-enabled MongoDB client, the mongocryptd process starts automatically by default.

The mongocryptd process:

Uses the specified automatic encryption rules to mark fields in read and write operations for encryption.
Prevents unsupported operations from executing on encrypted fields.
Parses the encryption schema specified for the database connection. Automatic encryption rules use a strict subset of JSON schema syntax. If the rules contain invalid automatic encryption syntax or any document validation syntax, mongocryptd returns an error.

mongocryptd only performs the previous functions, and doesn't perform any of the following:

mongocryptd doesn't perform encryption or decryption
mongocryptd doesn't access any encryption key material
mongocryptd doesn't listen over the network

To perform client-side field level encryption and automatic decryption, Drivers use the Apache-licensed libmongocrypt library

The official MongoDB 4.2+ compatible drivers, mongosh, and the 4.2 or later legacy mongo shell require access to the mongocryptd process on the client host machine. These clients search for the mongocryptd process in the system PATH by default.

Installation

For supported Linux Operating Systems, install the Server package by following the install on Linux tutorial , follow the documented installation instructions and install the mongodb-enterprise server package. Alternatively, specify mongodb-enterprise-cryptd instead to install only the mongocryptd binary. The package manager installs the binaries to a location in the system PATH (e.g. /usr/bin/)

For OSX, install the Server package by following the install on MacOS tutorial. The package manager installs binaries to a location in the system PATH.

For Windows, install the Server package by following the install on Windows tutorial. You must add the mongocryptd package to your system PATH after installation. Defer to documented best practices for your Windows installation for instructions on adding the mongocryptd binary to the system PATH.

For installations via an official tarball or ZIP archive, follow the documented best practices for your operating system to add the mongocryptd binary to your system PATH.

Configuration

If the driver has access to the mongocryptd process, it spawns the process by default.

Note

mongocryptd Port In Use

If a mongocryptd process is already running on the port specified by the driver, the driver may log a warning and continue without spawning a new process. Any settings specified by the driver only apply once the existing process exits and a new encrypted client attempts to connect.

Configure how the driver starts mongocryptd through the following parameters:

~~Name~~名称	~~Description~~描述
port	The port from which `mongocryptd` listens for messages. Default: `27020`
idleShutdownTimeoutSecs	Number of idle seconds the `mongocryptd` process waits before exiting. Default: `60`
mongocryptdURI	The URI on which to run the `mongocryptd` process. Default: `"mongodb://localhost:27020"`
mongocryptdBypassSpawn	When `true`, prevents the driver from automatically spawning `mongocryptd`. Default: `false`
mongocryptdSpawnPath	The full path to `mongocryptd`. Default: Defaults to empty string and spawns from the system path.

Important

Start on Boot

If possible, start mongocryptd on boot, rather than launching it on demand.

Examples实例

To view examples of how to configure your mongocryptd process, click the tab corresponding to the driver you are using in your application:

C#Go Java (Sync)Node.js Python

The following code-snippet sets the listening port configuration of mongocryptd:

autoEncryption: {
  ...
  extraOptions: {
    mongocryptdSpawnArgs: ["--port", "30000"],
    mongocryptdURI: 'mongodb://localhost:30000',
  }

Note

In the NodeJS driver, the mongocryptdURI must match the listening port.

The following code-snippet sets the default timeout configuration of mongocryptd:

autoEncryption: {
  ...
  extraOptions: {
    mongocryptdSpawnArgs: ["--idleShutdownTimeoutSecs", "75"]
  }

← Automatic Encryption Shared Library for CSFLE Install libmongocrypt →