
Encryption Key Management

In this guide, you can learn how to manage your encryption keys with a Key Management System (KMS) in your application.

Encryption Components

MongoDB uses the following components to perform field-level encryption:

  • Data Encryption Keys (DEKs)
  • Key Vaults
  • Customer Master Keys (CMKs)
  • Key Management Systems (KMS)

Your Data Encryption Key (DEK) is the key you use to encrypt the fields in your MongoDB documents. Your DEK is stored in a document in a MongoDB collection called the Key Vault.

Your Customer Master Key (CMK) is the key you use to encrypt your DEKs. MongoDB automatically encrypts DEKs using the specified CMK during creation.

The CMK is the most sensitive key in field-level encryption. If your CMK is compromised, all of your encrypted data can be decrypted.

Use a Key Management System (KMS) to store your CMK.

To learn more about the relationship between keys, see Keys and Key Vaults.

Important

Use a Remote Key Management Service Provider

Ensure you store your Customer Master Key (CMK) on a remote KMS.

To learn more about why you should use a remote KMS, see Reasons to Use a Remote KMS.

To view a list of all supported KMS providers, see the KMS Providers page.

Supported Key Management Services

MongoDB supports the following Key Management System (KMS) providers:
  • Amazon Web Services (AWS) KMS
  • Azure Key Vault
  • Google Cloud Platform KMS
  • Any KMIP-compliant Key Management System
  • Local Key Provider

To learn more about these providers, including diagrams that show how your application uses them to perform field-level encryption, see KMS Providers.

Reasons to Use a Remote KMS

Using a remote Key Management System (KMS) to manage your Customer Master Key (CMK) has the following advantages over using your local filesystem to host the CMK:

  • Secure storage of the key with access auditing
  • Reduced risk of access permission issues
  • Availability and distribution of the key to remote clients
  • Automated key backup and recovery
  • Centralized encryption key lifecycle management
Additionally, for the following providers, your KMS remotely encrypts and decrypts your DEKs, ensuring your CMK is never exposed to your application:

  • Amazon Web Services (AWS) KMS
  • Azure Key Vault
  • Google Cloud Platform KMS

Learn More

For tutorials detailing how to set up an application that uses field-level encryption with each of the supported KMS providers, see the following pages: