Commit cd66c49

(DOCSP-24983) QE Server Side Schema Behavior (#2018)

* wip
* Trigger Build
* proofread, spell-check, grammar-check
* js - suggestion

Co-authored-by: Jordan Smith <[email protected]>
Co-authored-by: Jordan Smith <[email protected]>

1 parent 0159c1d commit cd66c49

2 files changed

+43
-0
lines changed

source/core/queryable-encryption.txt

Lines changed: 2 additions & 0 deletions
@@ -34,6 +34,8 @@ scheme developed by the pioneers in encrypted search. The feature supports equal
3434
searches, with additional query types such as range, prefix, suffix, and substring
3535
planned for future releases.
3636

37+
.. _manual-qe-mechanisms:
38+
3739
You can set up {+qe+} using the following mechanisms:
3840

3941
- Automatic Encryption: Enables you to perform encrypted read and
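
Review bot: the new `.. _manual-qe-mechanisms:` label sits in front of a plain paragraph ("You can set up {+qe+} using the following mechanisms:") rather than a section title, so it carries no caption of its own and every `:ref:` to it has to supply explicit link text. The reference added in encrypt-and-query.txt does that, but it labels the link "{+qe+} Introduction" while the target lands mid-page at the mechanisms list. Either move the label above the page or section heading so the link text matches the destination, or reword the link to say it points at the setup mechanisms.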

source/core/queryable-encryption/fundamentals/encrypt-and-query.txt

Lines changed: 41 additions & 0 deletions
@@ -126,6 +126,47 @@ Note that the ``keyId`` field requires a unique {+dek-long+} (DEK) which {+qe+}
126126
uses to encrypt the fields. For more information on DEKs, see
127127
:ref:`qe-fundamentals-manage-keys`.
128128

129+
Client and Server Schemas
130+
~~~~~~~~~~~~~~~~~~~~~~~~~
131+
132+
.. content copied from source/core/csfle/fundamentals/automatic-encryption.txt
133+
134+
MongoDB supports using
135+
:ref:`schema validation <schema-validation-overview>`
136+
to enforce encryption of specific fields
137+
in a collection. Clients performing automatic {+qe+} have
138+
specific behavior depending on the database connection
139+
configuration:
140+
141+
- If the connection
142+
``encryptedFieldsMap`` object contains a key for the specified collection, the
143+
client uses that object to perform automatic {+qe+},
144+
rather than using the remote schema. At a minimum, the local rules **must**
145+
encrypt those fields that the remote schema marks as requiring
146+
encryption.
147+
148+
- If the connection
149+
``encryptedFieldsMap`` object does *not* contain a key for the specified
150+
collection, the client downloads the server-side remote schema for
151+
the collection and uses it to perform automatic {+qe+}.
152+
153+
.. important:: Behavior Considerations
154+
155+
When a client does not have an encryption schema for the
156+
specified collection, the following occurs:
157+
158+
- The client trusts that the server has a valid schema with respect
159+
to automatic {+qe+}.
160+
161+
- The client uses the remote schema to perform automatic
162+
{+qe+} only. The client does not enforce any other
163+
validation rules specified in the schema.
164+
165+
To learn more about automatic {+qe+}, see the following resources:
166+
167+
- :ref:`{+qe+} Introduction <manual-qe-mechanisms>`
168+
- :ref:`<qe-quick-start>`
169+
129170
Specify Queryable Encrypted Fields
130171
----------------------------------
131172
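
Review bot: the `.. important::` block says the client "trusts that the server has a valid schema" when `encryptedFieldsMap` has no key for the collection, but it stops short of the consequence and the mitigation. State what that trust means for the reader (the set of fields that get encrypted is then decided by whatever the server returns) and recommend configuring a local `encryptedFieldsMap` entry for collections that hold sensitive fields. In the first bullet, the "**must** encrypt those fields that the remote schema marks" requirement also needs a sentence on what happens when the local rules do not meet it. Separately, the `.. content copied from source/core/csfle/fundamentals/automatic-encryption.txt` comment signals duplicated text that can drift from the CSFLE page; a shared include would keep the two security statements in sync.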
