In-Use Encryption

In-Use Encryption consists of two features:

• Client-Side Field Level Encryption
• Queryable Encryption

Installation

Using In-Use Encryption in the C driver requires the dependency libmongocrypt. See the MongoDB Manual for libmongocrypt installation instructions.

Once libmongocrypt is installed, configure the C driver with -DENABLE_CLIENT_SIDE_ENCRYPTION=ON to require In-Use Encryption be enabled.

$ cd mongo-c-driver
$ mkdir cmake-build && cd cmake-build
$ cmake -DENABLE_AUTOMATIC_INIT_AND_CLEANUP=OFF -DENABLE_CLIENT_SIDE_ENCRYPTION=ON ..
$ cmake --build . --target install

API

mongoc_client_encryption_t is used for explicit encryption and key management. mongoc_client_enable_auto_encryption() and mongoc_client_pool_enable_auto_encryption() is used to enable automatic encryption.

The Queryable Encryption and CSFLE features share much of the same API with some exceptions.

• The supported algorithms documented in mongoc_client_encryption_encrypt_opts_set_algorithm() do not apply to both features.

• mongoc_auto_encryption_opts_set_encrypted_fields_map() only applies to Queryable Encryption.

• mongoc_auto_encryption_opts_set_schema_map() only applies to CSFLE.

Query Analysis

To support the automatic encryption feature, one of the following dependencies are required:

• The mongocryptd executable. See the MongoDB Manual documentation: Install and Configure mongocryptd

• The crypt_shared library. See the MongoDB Manual documentation: Automatic Encryption Shared Library

A mongoc_client_t or mongoc_client_pool_t configured with auto encryption will automatically try to load the crypt_shared library. If loading the crypt_shared library fails, the mongoc_client_t or mongoc_client_pool_t will try to spawn the mongocryptd process from the application’s PATH. To configure use of crypt_shared and mongocryptd see mongoc_auto_encryption_opts_set_extra().