Select Page

MongoDB Encryption Solutions

Author: Hanan Alsahsan | | February 5, 2020

Database security is a fundamental factor to consider for any application that involves sensitive data such as personally identifiable, health care, federal government, and financial information. Encryption is a key security mechanism that help protect sensitive data also addresses the compliance obligations.

Protecting your data can be accomplished by encrypting at different levels starting from the application level ending by the field holding the data.

Encryption is on the top of the list of MongoDB security checklist. MongoDB offers several methods to encrypt your data, let’s take a look at your options.

Transport Encryption

MongoDB uses (TLS/SSL) transport encryption to encrypt all data in transit between MongoDB and application in both directions.  To use TLS/SSL you must have a valid and working TLS/SSL certificate that include PEMKeyfile and CAFile. You may consider one of the options to enable TLS/SSL on MongoDB deployment either self-signed certificate or third-party authority certificate. You can only use a 128-bit key length or higher to encrypt MongoDB database using TLS/SSL.

TLS/SSL allow you to encrypt all the incoming and outgoing communication as listed below:

  • mongod and mongos
  • MongoDB Drivers
  • Default mongodb tools
  • MongoDB Atlas, MongoDB Cloud Manager and MongoDB Ops Manage

Also, you can upgrade your cluster to use TLS/SSL by using rolling upgrade process and enable TLS/SSL.

At-Rest Encryption

The Encryption-At-Rest feature is only available starting in MongoDB Enterprise version 3.2 by using the WiredTiger storage engine and it is not supported with MMAPv1. It encrypts the MongoDB database files resides on the disk.

There are two key management options introduced in MongoDB 3.4 and described as below:

  1. KMIP Key Manager : Integration with external key management system and KMIP communication procedures.
  2. Local Key Management: Using a local keyfile.


You can you enable the Encryption-At-Rest feature for an existing replica set and shared cluster deployment by migrating an existing unencrypted data into a running mongod instance with encryption enabled and using rolling upgrade. For a standalone deployment you can use MongoDB backup and restore tools to backup unencrypted data and restore it into an encrypted deployment.

Client-Side Field Level Encryption (FLE)

This is a new feature MongoDB introduced in MonogDB version 4.2. You can use this method if you would like to encrypt and decrypt sensitive data on the client-side prior to transmitting it to the server. The applications need to have the correct encryption keys to decrypt and read the data. You won’t be able to read the encrypted data if you delete the encryption key. You can create and manage encryption keys using AWS Key Management Service (KMS).

Field Level Encryption implantation does not store encryption keys or encrypt and decrypt processes on the server. On the other hand, it uses MongoDB client library to work as the driver and do all the encryption and decryption processes on the client side. FLE mechanism protect individual fields in a document and revealing it only to the sender and the recipient.

Supported Encryption Methods

  • Manual encryption of fields
  • Automatic encryption of fields

No matter what MongoDB version your organization is running, rest assured that encryption is a top priority feature for MongoDB ensuring your data is secure at all times. If you’re looking for additional support on MongoDB whether it be security or otherwise, please contact us. We’re a Premier Partner and can help you with your solution needs.

Further Reading:

A Faster Future with Newly Released MongoDB 4.2

Feed Your Need for Speed with MongoDB 4.2

How to Solve the Oracle Error ORA-12154: TNS:could not resolve the connect identifier specified

The “ORA-12154: TNS Oracle error message is very common for database administrators. Learn how to diagnose & resolve this common issue here today.

Vijay Muthu | February 4, 2021

Data Types: The Importance of Choosing the Correct Data Type

Most DBAs have struggled with the pros and cons of choosing one data type over another. This blog post discusses different situations.

Craig Mullins | October 11, 2017

How to Recover a Table from an Oracle 12c RMAN Backup

Our database experts explain how to recover and restore a table from an Oracle 12c RMAN Backup with this step-by-step blog. Read more.

Megan Elphingstone | February 2, 2017

Subscribe to Our Blog

Never miss a post! Stay up to date with the latest database, application and analytics tips and news. Delivered in a handy bi-weekly update straight to your inbox. You can unsubscribe at any time.

Work with Us

Let’s have a conversation about what you need to succeed and how we can help get you there.


Work for Us

Where do you want to take your career? Explore exciting opportunities to join our team.