Navigation

Supported Operations for Automatic Encryption

On this page

This page documents the specific commands, query operators, update operators, aggregation stages, and aggregation expressions supported by drivers configured for automatic .

Supported Read and Write Commands

Drivers using automatic support the following commands:

For any supported command, drivers return an error if the command uses an unsupported operator, aggregation stage, or aggregation expression. For a complete list of the supported operators, stages, and expressions, see the following sections of this page:

The following commands do not require automatic encryption. Drivers configured for automatic pass these commands directly to the mongod:

Issuing any other command through a driver configured for automatic returns an error.

[1]

While automatic () does not encrypt the getMore command, the response to the command may contain encrypted field values.

  • Applications configured with the correct options automatically decrypt those values.
  • Applications without the correct options only see the encrypted values.

Supported Query Operators

Drivers configured for automatic allow the following query operators when issued against deterministically encrypted fields:

Queries that compare an encrypted field to null or a regular expression always return an error even when using a supported query operator. Queries issuing these operators against a randomly encrypted field return an error.

The $exists operator has normal behavior when issued against both deterministically and randomly encrypted fields.

Queries specifying any other query operator against an encrypted field return an error.

The following query operators return an error even if not issued against an encrypted field:

Warning

Unexpected Behavior with BinData

MongoDB stores client-side field level encrypted fields as a BinData blob. Read and write operations issued against the encrypted BinData value may have unexpected or incorrect behavior as compared to issuing that same operation against the decrypted value. Certain operations have strict BSON type support where issuing them against a BinData value returns an error.

  • Drivers using automatic parse read and write operations for operators or expressions that do not support BinData values or that have unexpected behavior when issued against BinData values.
  • Applications using explicit (manual) may use this page as guidance for issuing read and write operations against encrypted fields.

Unsupported Insert Operations

Drivers configured for automatic do not support insert commands with the following behavior:

  • Inserting a document with Timestamp(0,0) associated to an encrypted field. The (0,0) value indicates that the mongod should generate the Timestamp. When the mongod cannot generated encrypted fields, the resulting timestamp is unencrypted.
  • Inserting a document without an encrypted _id if the configured automatic schema specifies an encrypted _id field. When the mongod automatically generates an unencrypted ObjectId, omitting _id from documents results in documents that do not conform to the automatic encryption rules.
  • Inserting a document with an array associated to a deterministically encrypted field. Automatic does not support deterministically encrypting arrays.

Supported Update Operators

Drivers configured for automatic allow the following update operators when issued against deterministically encrypted fields:

When you use the $rename operator on encrypted fields, the automatic JSON schema must specify the same encryption metadata for the source and target field names.

Updates specifying any other update operator against an encrypted field return an error.

Update operations with the following behavior return an error even if using a supported operator:

For update operations specifying a query filter on deterministically encrypted fields, the query filter must use only supported operators on those fields.

Supported Aggregation Stages

Drivers configured for automatic support the following aggregation pipeline stages:

Pipelines operating on collections configured for automatic encryption that specify any other stage return an error.

For each supported pipeline stage, MongoDB tracks fields that must be encrypted as they pass through the supported pipelines and marks them for encryption.

Each supported stage must specify only supported query operators and aggregation expressions.

$group Behavior

$group has the following behaviors specific to :

$group supports:

  • Grouping on deterministically encrypted fields.
  • Using $addToSet and $push accumulators on encrypted fields.

$group does not support:

  • Matching on the array returned by $addToSet and $push accumulators.
  • Arithmetic accumulators on encrypted fields.

$lookup and $graphLookup Behavior

Automatic supports the $lookup and $graphLookup only if the from collection matches the collection on which the aggregation runs against (specifically, self-lookup operations).

$lookup and $graphLookup stages that reference a different from collection return an error.

Supported Aggregation Expressions

Drivers configured for automatic allow aggregation stages using the following expressions against deterministically encrypted fields:

All other aggregation expressions return an error if issued against encrypted fields.

Aggregation stages with the following behavior return an error even if using a supported aggregation expression:

Expressions Rejected Behavior Example

$cond

$switch

 The expression specifies a field whose encryption properties cannot be known until runtime and a subsequent aggregation stage includes an expression referencing that field. 
$addFields : {
  "valueWithUnknownEncryption" : {
    $cond : {
      if : { "$encryptedField" : "value" },
      then : "$encryptedField",
      else: "unencryptedValue"
    }
  }
},
{
  $match : {
    "valueWithUnknownEncryption" : "someNewValue"
  }
}

$eq

$ne

 The expression creates a new field that references an encrypted field and operates on that new field in the same expression. 
{
  $eq : [
    {"newField" : "$encryptedField"},
    {"newField" : "value"
  ]
}

$eq

$ne

 The expression references the prefix of an encrypted field within the comparison expression. 
{ $eq : [ "$prefixOfEncryptedField" , "value"] }

$eq

$ne

 The result of the expression is compared to an encrypted field. 
{
  $eq : [
      "$encryptedField" ,
      { $ne : [ "field", "value" ] }
  ]
}
$let The expression binds a variable to an encrypted field or attempts to rebind $$CURRENT. 
{
  $let: {
    "vars" : {
      "newVariable" : "$encryptedField"
    }
  }
}
$in

The first argument to the expression is an encrypted field, and

  • The second argument to the expression is not an array literal

    -OR-

  • The second argument to the expression is an encrypted field.

 
{
  $in : [
    "$encryptedField" ,
    "$otherEncryptedField"
  ]
}

Unsupported Field Types

Drivers configured for automatic () do not support any read or write operation that requires encrypting the following value types:

Encryption does not adequately hide the type information for these values.

Automatic also does not support read or write operations on a deterministically encrypted field where the operation compares the encrypted field to the following value types:

  • array
  • bool
  • decimal128
  • double
  • object
  • javascriptWithScope (Deprecated)

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.