Client-Side Field Level Encryption
Learners will configure MongoDB's Client-Side Field Level Encryption to encrypt individual sensitive fields before they leave the application, keeping plaintext out of the server.
Why Field-Level Encryption?
Even with TLS and encryption at rest, the MongoDB server sees plaintext data once it is decrypted from disk. A compromised DBA account, a rogue cloud engineer with disk access, or a database backup leak could expose sensitive fields. Client-Side Field Level Encryption (CSFLE) solves this by encrypting individual sensitive fields — like SSNs, credit card numbers, or health data — inside the client driver, before the data ever reaches the server. The server only ever stores ciphertext.
How CSFLE Works at a High Level
CSFLE uses two layers of keys. The Customer Master Key (CMK) is stored in an external Key Management System (AWS KMS, Azure Key Vault, GCP KMS, or a local key). The CMK encrypts a Data Encryption Key (DEK), which is stored in a MongoDB collection called the Key Vault. The driver fetches and decrypts the DEK using the CMK at query time, then uses the DEK to encrypt/decrypt individual field values. The server never sees the CMK or the DEK in plaintext.
All lessons in this course
- Authentication Mechanisms: SCRAM and x.509
- Role-Based Access Control: Built-In and Custom Roles
- Encryption at Rest and TLS in Transit
- Client-Side Field Level Encryption