In-Use Encryption

In-Use Encryption consists of two features:

Installation

Using In-Use Encryption in the C driver requires the dependency libmongocrypt. See the MongoDB Manual for libmongocrypt installation instructions.

Once libmongocrypt is installed, configure the C driver with -DENABLE_CLIENT_SIDE_ENCRYPTION=ON to require In-Use Encryption be enabled.

$ cd mongo-c-driver
$ mkdir cmake-build && cd cmake-build
$ cmake -DENABLE_AUTOMATIC_INIT_AND_CLEANUP=OFF -DENABLE_CLIENT_SIDE_ENCRYPTION=ON ..
$ cmake --build . --target install

API

mongoc_client_encryption_t is used for explicit encryption and key management. mongoc_client_enable_auto_encryption() and mongoc_client_pool_enable_auto_encryption() is used to enable automatic encryption.

The Queryable Encryption and CSFLE features share much of the same API with some exceptions.

Query Analysis

To support the automatic encryption feature, one of the following dependencies are required:

A mongoc_client_t or mongoc_client_pool_t configured with auto encryption will automatically try to load the crypt_shared library. If loading the crypt_shared library fails, the mongoc_client_t or mongoc_client_pool_t will try to spawn the mongocryptd process from the application’s PATH. To configure use of crypt_shared and mongocryptd see mongoc_auto_encryption_opts_set_extra().