
MongoDB

30. 01. 2025

The currently used version of the database is MongoDB v8.

Encryption In-Transit

Algorithm: TLS (Transport Layer Security)

  • Supported Versions: TLS 1.2, TLS 1.3

  • Key Lengths:

    • RSA keys: 2048 or 4096 bits

    • ECDSA keys: 256 or 384 bits

    • AES session keys: 128 or 256 bits

Scenarios:

  • Secure communication between MongoDB clients and servers.

  • Encrypted data replication between MongoDB instances in a sharded or replica set cluster.

  • Protecting credentials and sensitive data during transmission over public or internal networks.

Encryption At-Rest

Algorithm: AES (Advanced Encryption Standard)

  • Mode: AES-256 in CBC (Cipher Block Chaining) or GCM (Galois/Counter Mode)

  • Key Length: 256 bits

Scenarios:

  • Securing sensitive data stored on disk to prevent unauthorized access if the disk is stolen or compromised.

  • Required in compliance-driven environments, such as those adhering to GDPR, HIPAA, or PCI DSS regulations.
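As an added example (not part of the original page), the following mongod configuration fragment enforces the in-transit and at-rest settings listed above: TLS required with only TLS 1.2/1.3 enabled, and AES-256-GCM for the encrypted storage engine. Certificate and key paths are placeholders; the storage-engine encryption options require MongoDB Enterprise, and AES256-GCM is available on Linux only.

```yaml
# Added example configuration for mongod (placeholder paths).
net:
  port: 27017
  tls:
    mode: requireTLS                   # refuse plaintext client/replication connections
    certificateKeyFile: /etc/mongo/tls/server.pem   # placeholder: server cert + key (RSA 2048/4096 or ECDSA P-256/P-384)
    CAFile: /etc/mongo/tls/ca.pem                   # placeholder: CA used to verify peers
    disabledProtocols: TLS1_0,TLS1_1   # leaves only TLS 1.2 and TLS 1.3 enabled
    allowInvalidCertificates: false    # do not accept unverifiable peer certificates

security:
  authorization: enabled
  enableEncryption: true               # Enterprise: encrypted storage engine (encryption at rest)
  encryptionCipherMode: AES256-GCM     # default is AES256-CBC; GCM is supported on Linux only
  encryptionKeyFile: /etc/mongo/keyfile   # placeholder: local master key file; use security.kmip.* for a KMIP-backed master key instead
```

The weak counterparts this replaces are `net.tls.mode: disabled` (or `allowTLS`, which still accepts plaintext), no `disabledProtocols` entry, and `enableEncryption` left at its default of `false`.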

Encryption In-Use (Client-Side Field-Level Encryption)

Algorithm: AES-256

  • Key Length: 256 bits

  • Additional Algorithms:

    • RSA: 2048 or 4096 bits (for envelope encryption in key management)

    • SHA-256 (used as part of HMAC for data integrity)

Scenarios:

  • Protecting individual fields (e.g., credit card numbers, social security numbers) while keeping non-sensitive data unencrypted.

  • Enabling zero-trust architectures by ensuring sensitive data is encrypted on the client side before being transmitted to the server.

  • Storing sensitive information in databases while ensuring that MongoDB server administrators or attackers cannot decrypt the data.

Queryable Encryption

Algorithms Used:

  • AES-256: For encrypting fields and search tokens.

  • SHA-256: For generating hash-based tokens.

  • HMAC: Typically 256 bits for cryptographic integrity.

Scenarios:

  • Performing expressive queries (e.g., range queries, equality matches) on encrypted fields without decrypting the data server-side.

  • Searching sensitive data (e.g., employee salaries, medical records) securely without exposing it to database administrators or attackers in plaintext.

Key Management Algorithms

Key Derivation:

  • PBKDF2 (Password-Based Key Derivation Function 2):

    • Key Length: Typically 256 bits

  • KMS (Key Management Service):

    • Backed by cloud providers (AWS, Azure, GCP) using AES-256 keys for master key management.

Scenarios:

  • Centralized control of encryption keys using cloud-based KMS providers to meet compliance requirements.

  • Rotating encryption keys periodically without disrupting access to encrypted data.

  • Integrating with enterprise-grade key management systems to manage multiple application keys securely.