• Security >
• Encryption >
• In-Use Encryption >
• Introduction >
• Reference >
• Server-Side Schema Enforcement

Server-Side Schema Enforcement

In ()-enabled client applications, you can use schema validation to have your MongoDB instance enforce encryption of specific fields. To specify which fields require encryption, use the automatic encryption rule keywords with the $jsonSchema validation object. The server rejects any write operations to that collection where the specified fields are not Binary (BinData) subtype 6 objects.

To learn how a -enabled client configured to use automatic encryption behaves when it encounters a server-side schema, see Server-Side Field Level Encryption Enforcement.

To learn how a -enabled client configured to use

behaves when it encounters a server-side schema,

see Server-Side Field Level Encryption Enforcement.

Example

Consider an hr database with an employees collection. Documents in the employees collection have the following form:

copy

{
  "name": "Jane Doe",
  "age": 51
}

You want to enforce the following behavior for client applications using your collection:

• When encrypting the age field, clients must follow these encryption rules:
  • Use the with an _id of UUID("e114f7ad-ad7a-4a68-81a7-ebcb9ea0953a").
  • Use the randomized encryption algorithm.
  • The age field must be an integer.
• When encrypting the name field, clients must follow these encryption rules:
  • Use the with an _id of UUID("33408ee9-e499-43f9-89fe-5f8533870617").
  • Use the deterministic encryption algorithm.
  • The name field must be a string.

The following mongosh code uses the collMod command to update the hr.employees collection to include a validator to enforce the preceding behavior:

copy

db.getSiblingDB("hr").runCommand({
  collMod: "employees",
  validator: {
    $jsonSchema: {
      bsonType: "object",
      properties: {
        age: {
          encrypt: {
            keyId: [UUID("e114f7ad-ad7a-4a68-81a7-ebcb9ea0953a")],
            algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Random",
            bsonType: "int",
          },
        },
        name: {
          encrypt: {
            keyId: [UUID("33408ee9-e499-43f9-89fe-5f8533870617")],
            algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
            bsonType: "string",
          },
        },
      },
    },
  },
});

Learn More

To learn more about the encryption algorithms supports, see Fields and Encryption Types.

To learn more about encryption schemas and encryption rules, see Encryption Schemas.

←   Encryption Schemas Supported Operations for Automatic Encryption  →

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.