11# Client Side Encryption
22
33- Status: Accepted
4- - Minimum Server Version: 4.2 (CSFLE), 6 .0 (Queryable Encryption )
4+ - Minimum Server Version: 4.2 (CSFLE), 7 .0 (QE )
55- Version: 1.14.0
66
77______________________________________________________________________
@@ -11,11 +11,43 @@ ______________________________________________________________________
1111MongoDB 4.2 introduced support for client side encryption, guaranteeing that sensitive data can only be encrypted and
1212decrypted with access to both MongoDB and a separate key management provider (supporting AWS, Azure, GCP, a local
1313provider, and KMIP). Once enabled, data can be seamlessly encrypted and decrypted with minimal application code changes.
14- 6 .0 introduced the next generation of client side encryption based on a Structured Encryption framework which allows
14+ 7 .0 introduced the next generation of client side encryption based on a Structured Encryption framework which allows
1515expressive encrypted search operations. This spec covers both capabilities - 1st generation, "Client Side Field Level
1616Encryption" and generation 2, "Queryable Encryption" - as the associated core cryptographic library and supporting
1717drivers share a common codebase.
1818
19+ ### Naming
20+
21+ The public name of this feature is
22+ [ In-Use Encryption] ( https://www.mongodb.com/docs/manual/core/security-in-use-encryption/ ) and consists of:
23+
24+ - Client-Side Field Level Encryption (CSFLE).
25+ - Queryable Encryption (QE).
26+
27+ Internally, In-Use Encryption is sometimes called Field Level Encryption (FLE). Internally, CSFLE is sometimes called
28+ Client Side Encryption (like this specification). Internally, CSFLE and QE are sometimes called FLE1 and FLE2,
29+ respectively.
30+
31+ ### Server support history
32+
33+ MongoDB 4.2 added support for CSFLE. This includes ` encrypt ` in JSON Schema
34+ ([ SERVER-38900] ( https://jira.mongodb.org/browse/SERVER-38900 ) ) and [ mongocryptd] ( #mongocryptd )
35+ ([ SPM-1258] ( https://jira.mongodb.org/browse/SPM-1258 ) ).
36+
37+ MongoDB 5.3 added the [ crypt_shared] ( #crypt_shared ) library ([ SPM-2403] ( https://jira.mongodb.org/browse/SPM-2403 ) ).
38+
39+ MongoDB 6.0 added unstable support for QE (QEv1) ([ SPM-2463] ( https://jira.mongodb.org/browse/SPM-2463 ) ). This includes
40+ ` queryType=equality ` .
41+
42+ MongoDB 6.2 added unstable support for QE range queries ([ SPM-2719] ( https://jira.mongodb.org/browse/SPM-2719 ) ). This
43+ includes ` queryType=rangePreview ` .
44+
45+ MongoDB 7.0 dropped QEv1 and added stable support of QE (QEv2) ([ SPM-2972] ( https://jira.mongodb.org/browse/SPM-2972 ) ).
46+ QEv1 and QEv2 are incompatible.
47+
48+ MongoDB 8.0 dropped ` queryType=rangePreview ` and added ` queryType=range `
49+ ([ SPM-3583] ( https://jira.mongodb.org/browse/SPM-3583 ) ).
50+
1951## META
2052
2153The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
@@ -45,19 +77,19 @@ An external service providing fixed-size encryption/decryption. Only data keys a
4577
4678** KMS providers**
4779
48- > A map of KMS providers to credentials. Configured client-side. Example:
49- >
50- > ```python
51- > kms_providers = {
52- > "aws": {
53- > "accessKeyId": AWS_KEYID,
54- > "secretAccessKey": AWS_SECRET,
55- > },
56- > "local": {
57- > "key": LOCAL_KEK
58- > },
59- > }
60- > ```
80+ A map of KMS providers to credentials. Configured client-side. Example:
81+
82+ ``` python
83+ kms_providers = {
84+ " aws"
85+ " accessKeyId" AWS_KEYID ,
86+ " secretAccessKey" AWS_SECRET ,
87+ },
88+ " local"
89+ " key" LOCAL_KEK
90+ },
91+ }
92+ ```
6193
6294** KMS provider**
6395
@@ -103,8 +135,8 @@ provided as part of a MongoDB Enterprise distribution. It replaces [mongocryptd]
103135
104136See also:
105137
106- > - [Introduction on crypt_shared](#crypt_shared)
107- > - [Enabling crypt_shared](#enabling-crypt_shared)
138+ - [ Introduction on crypt_shared] ( #crypt_shared )
139+ - [ Enabling crypt_shared] ( #enabling-crypt_shared )
108140
109141** ciphertext**
110142
0 commit comments