MongoDB Client-Side Field Level Encryption

MongoDB’s Client-Side FLE provides among the strongest levels of data privacy and security for regulated workloads.

How Client-Side Field Level Encryption Works

Your most sensitive data, such as PII, is automatically encrypted by the MongoDB drivers before it leaves the application, so the database server only ever works with it as ciphertext. Client-side encryption protects data while it is in use by the database, securing it against sophisticated exploits that target server memory.


The flow of a query submitted by an authenticated client using FLE

End-to-End

Data is encrypted in-motion, in-memory, and at-rest

Easy

No need to modify your code

Queryable

Index and query against encrypted fields in your documents

Inaccessible to Admins

The database only ever works with ciphertext, and only you control the keys

Industry Standard

NIST-certified AES, integrated with leading KMSs. Open-source crypto framework

How Client-Side Field Level Encryption Helps You

Client-side encryption dramatically reduces the risk of unauthorized access or disclosure of sensitive data. Fields are encrypted before they leave your application, protecting them everywhere: in-motion over the network, in database memory, at-rest in storage and backups, and in system logs.

Accelerate Your Move to the Cloud

Enforces a fine-grained separation of duties between those who use the database and those who manage it. Cloud vendor staff only ever see ciphertext.

Comply with Right to Erasure Mandates

Makes it much easier to meet modern privacy regulations. Simply destroy the encryption key and the user’s PII is unreadable and irrecoverable.

“We’ve ended up with a nuclear launch-code level of security. It works at scale, it works with the tools that developers understand, and it removes a huge layer of concern and management of security.”

Michael Oltman, CTO, Apervita

Ready to try out Client-Side Field Level Encryption?

Launch your free Atlas database cluster in minutes

MongoDB Client-Side Encryption FAQ

What data can I encrypt?

Client-Side FLE is very flexible. You can selectively encrypt individual fields in a document, multiple fields in a document, or the entire document. Each field can optionally be secured with its own key, and is decrypted seamlessly on the client.

Which encryption algorithms and key management services are supported?

Client-Side FLE uses standard NIST FIPS-certified encryption primitives including AES at the 256-bit security level, in authenticated CBC mode: the AEAD AES-256-CBC encryption algorithm with an HMAC-SHA-512 MAC. Data encryption keys are protected by strong symmetric encryption with standard wrapping Key Encryption Keys, which can be natively integrated with external key management services backed by FIPS 140-2 validated Hardware Security Modules (HSMs). Client-Side FLE is available with Amazon KMS, Azure Key Vault and Google Cloud KMS. You can also use remote secure web services to consume an external key or secrets manager such as HashiCorp Vault.

What is the performance impact of Client-Side Encryption?

All encryption and decryption happens on the client, so the performance impact on the database server itself is minimal.

The performance impact on the client depends on how many fields are being encrypted and on your specific workload. Latency overhead is as low as a few percent, or it can be higher if every single field in every document is being separately encrypted while being read and written in every operation. To give an indication of the performance impact, Apervita saw a 10-15% overhead for multiple fields in heavily encrypted, high-volume medical records.

Can data that is encrypted client-side still be queried in the database?

Client-Side FLE supports two modes of field encryption: deterministic and randomized.

By using deterministic encryption, you can perform equality queries on encrypted fields. You can query both top level document fields and fields nested in sub-documents and arrays. Regular find(), update(), and aggregation pipeline analytical queries are supported, and indexes can be used to efficiently access the encrypted fields.

Randomized encryption does not allow any read operations to match directly against the encrypted field.

Reads against fields in the document that are not encrypted client-side will evaluate as normal, as part of any query, search, or aggregation pipeline operation.

Which versions of MongoDB support Client-Side FLE?

As long as you are running MongoDB 4.2 or later with a supported driver, you can use FLE anywhere:

Client-Side FLE supports 20+ platforms and multiple programming language drivers.

One difference in where you can use Client-Side FLE is that MongoDB Atlas and MongoDB Enterprise support automatic encryption of fields in read and write operations, while the Community database requires you to explicitly encrypt fields in application code. The core encryption library itself is the same.
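The automatic encryption that the paragraph above attributes to Atlas and Enterprise is driven by a schema map the application hands to the driver; the following added example (not MongoDB's own code) shows one for the Node driver, with the two algorithm names the FAQ describes, a nested encrypted field, and a small helper that lists what the map will encrypt so the field classification can be reviewed. The `medical.patients` namespace, the field names and the `DATA_KEY_ID` placeholder are this example's own.

```javascript
// Added example, not MongoDB's own code: an automatic-encryption schema map for the
// Node driver plus a helper that audits which fields it encrypts and how.

// Placeholder: the real value is the UUID Binary returned when the data key is created.
const DATA_KEY_ID = '<DATA-KEY-UUID>';

const schemaMap = {
  'medical.patients': {                              // constructed example namespace
    bsonType: 'object',
    encryptMetadata: { keyId: [DATA_KEY_ID] },       // default key for every encrypted field below
    properties: {
      // Deterministic: equality queries and indexes on the field still work.
      ssn: { encrypt: { bsonType: 'string', algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic' } },
      // Randomized: strongest protection, no direct matching against the field.
      diagnosis: { encrypt: { bsonType: 'string', algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Random' } },
      // Fields nested in sub-documents can be encrypted as well.
      insurance: {
        bsonType: 'object',
        properties: {
          policyNumber: { encrypt: { bsonType: 'string', algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic' } },
        },
      },
    },
  },
};

// Driver options as passed to new MongoClient(uri, { autoEncryption }); KMS credentials come
// from the environment so they never sit in source control.
const autoEncryption = {
  keyVaultNamespace: 'encryption.__keyVault',
  kmsProviders: {
    aws: { accessKeyId: process.env.AWS_ACCESS_KEY_ID, secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY },
  },
  schemaMap,
};

// Walk a collection schema and return every encrypted field path with its algorithm and
// whether it stays equality-queryable (deterministic) or not (randomized).
function listEncryptedFields(schema, prefix = '') {
  const out = [];
  for (const [name, spec] of Object.entries(schema.properties || {})) {
    const path = prefix ? `${prefix}.${name}` : name;
    if (spec.encrypt) {
      const algorithm = spec.encrypt.algorithm;
      out.push({ path, algorithm, queryable: algorithm.endsWith('-Deterministic') });
    } else if (spec.properties) {
      out.push(...listEncryptedFields(spec, path));
    }
  }
  return out;
}

console.log(listEncryptedFields(schemaMap['medical.patients']));
console.log(Object.keys(autoEncryption));
```

With a schema map like this in place, `find`, `update` and aggregation code is unchanged; the driver encrypts the `ssn` value in a query filter before it leaves the process and decrypts it on the way back, which is the "no need to modify your code" point made at the top of the page. On a Community server the same schema is not applied automatically, and the application calls the explicit encrypt and decrypt functions for each field instead.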

How does Client-Side FLE compare with network (in-flight) and storage (at-rest) encryption?

Client-Side FLE is best applied selectively to those fields of your documents that you classify as containing the most sensitive data, such as PII.

Using Client-Side FLE alongside in-flight and at-rest encryption gives you an end-to-end, complementary approach in building applications that provide a defense-in-depth security posture to address different threat models.

  • In-flight encryption protects all data traversing the network, but does not encrypt data in-memory or at-rest.
  • At-rest encryption protects all stored data, but does not encrypt data in-memory or in-flight.
  • With client-side encryption, your most sensitive data never leaves your application in plaintext. Fields that are encrypted client-side remain encrypted over the network, as they are being processed in database server memory, and at-rest in storage, backups, and logs.