• Security >
• Encryption >
• In-Use Encryption >
• Introduction >
• Reference >
• MongoClient Options for

MongoClient Options for

Overview

View information about the specific configuration options for MongoClient instances.

AutoEncryptionOpts

Pass an AutoEncryptionOpts object to your MongoClient instance to specify specific options.

The following table describes the structure of an AutoEncryptionOpts object:

Parameter	Type	Required	Description
keyVaultClient	MongoClient	No	A MongoClient instance configured to connect to the MongoDB instance hosting your . If you omit the keyVaultClient option, the MongoDB instance specified to your MongoClient instance containing the AutoEncryptionOpts configuration is used as the host of your . To learn more about s, see s.
keyVaultNamespace	String	Yes	The full namespace of the .
kmsProviders	Object	Yes	The (KMS) used by for managing your s (CMKs). To learn more about kmsProviders objects, see KMS Providers. To learn more about s, see Keys and Key Vaults.
encryptedFieldsMap	Object	No	An encryption schema. To learn how to construct an encryption schema, see Field Encryption and Queryability.
bypassQueryAnalysis	Boolean	No	Disables automatic analysis of outgoing commands. Set bypassQueryAnalysis to true to use explicit encryption on indexed fields without the crypt_shared library. Defaults to false if not specified.

Example

To view a code-snippet demonstrating how to use AutoEncryptionOpts to configure your MongoClient instance, select the tab corresponding to your driver:

• Mongo Shell
• Node.js

copy

var AutoEncryptionOpts =
{
   "keyVaultClient" : keyVaultClient,
   "keyVaultNamespace" : "<database>.<collection>",
   "kmsProviders" : { ... },
   "bypassQueryAnalysis": "<boolean value>", // optional - defaults to false
   "encryptedFieldsMap" : { ... }
}

cluster = Mongo(
  "mongodb://myhostexample.net:27017/?replicaSet=myReplicaSet",
  AutoEncryptionOpts
);

Tip

Environment Variables

If possible, consider defining the credentials provided in kmsProviders as environment variables, and then passing them to mongosh using the --eval option. This minimizes the chances of credentials leaking into logs.

copy

const secureClient = new MongoClient(connectionString, {
  useNewUrlParser: true,
  useUnifiedTopology: true,
  monitorCommands: true,
  autoEncryption: {
    keyVaultNamespace,
    kmsProviders,
    bypassQueryAnalysis, // optional - defaults to false
    encryptedFieldsMap: patientSchema,
    extraOptions: extraOptions,
  },
});

To learn about additional options for configuring , see <qe-reference-shared-library-configuration>.

←   Supported Operations for Overview  →

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.