MongoDB Client-Side Field Level Encryption (CSFLE) for Beginners
Add an extra layer of security to your application.

Data security is a top concern in modern applications, and MongoDB provides several constructs to improve it.
In this post we look at client-side field level encryption: the driver encrypts selected fields of a document before they leave the application, so the database server, its administrators, and anyone who gets hold of the data files, backups or logs only ever see ciphertext for those fields. For more information, see the official MongoDB documentation linked under Useful Links below.
How MongoDB Client-Side Field Level Encryption Works
MongoDB Client-Side Field Level Encryption (CSFLE) uses envelope encryption: the keys that encrypt and decrypt the field values (data encryption keys) are themselves encrypted with another key (the master key). The encrypted data keys are stored in a key vault collection in MongoDB; the master key never leaves the key provider.
In this example we use the Local Key Provider, which keeps the master key in a file on the application host and is not suitable for production: whoever can read that file and the key vault collection can decrypt every field. In production, configure the master key in a Key Management System (KMS) such as AWS KMS, Azure Key Vault or GCP KMS, which stores the master key remotely and decrypts your data encryption keys on demand.
Prerequisite tasks
To set up and run this example, you must first complete these tasks:
- Install MongoDB Server 4.2 or higher, Enterprise edition (the automatic encryption used in this post relies on the mongocryptd process that ships with Enterprise and Atlas; explicit encryption through the ClientEncryption API also works with Community edition).
- Install the required packages by entering the following at the command prompt:
npm i mongodb-client-encryption uuid-base64 mongodb
Let’s get started.
Create a Master Key
To generate a master key, create a Node.js module with the file name create-master-key.js. Make sure you have installed the required packages first.
To run the example, enter the following at the command prompt; it creates our master key.
node create-master-key.js
Create a Data Encryption Key
Create a Node.js module with the file name create-data-key.js with the following content.
Enter the following at the command prompt to generate the data encryption key; it is stored, encrypted under the master key, in the key vault collection.
node create-data-key.js
The output from the code above should resemble the following (the values are illustrative; yours will differ). Keep the base64 form: it is what the JSON schema in the next step refers to.
DataKeyId [UUID]: de4d735a-44789-48bc-bb93-3c84c3g90824
DataKeyId [base64]: fUV/k/85QiCeB3amaU/9kQ==
Specify Encrypted Fields Using JSON Schema
MongoDB drivers use an extended version of the JSON Schema standard to configure automatic client-side encryption and decryption of specific fields in a collection. For each field the schema names the BSON type, the encryption algorithm (deterministic, which allows equality queries on the field, or random, which is stronger but not queryable) and, through encryptMetadata, the data encryption key to use.
Here is the complete runnable helper code. It takes the data key ID and returns the required schema.
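An added example of such a helper (not the post's code), assumed to live in schema.js. The collection medicalRecords.patients and the field names (ssn, bloodType, medicalRecords, insurance.policyNumber) are assumptions about the patient document. The Binary class is taken from the driver by default but can be injected, so the schema shape can be unit-tested without the driver or a database.

```javascript
'use strict';
// schema.js (added example): builds the automatic-encryption JSON schema for
// the medicalRecords.patients collection from a base64 data key id.

// Same plaintext -> same ciphertext, so equality queries on the field still work.
const DETERMINISTIC = 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic';
// Fresh IV per encryption; stronger, but the field can no longer be queried.
const RANDOM = 'AEAD_AES_256_CBC_HMAC_SHA_512-Random';

function driverBinary() {
  return require('mongodb').Binary;
}

// Binary defaults to the driver's class; pass your own to test without the driver.
function patientSchema(base64KeyId, Binary = driverBinary()) {
  const keyBytes = Buffer.from(base64KeyId, 'base64');
  if (keyBytes.length !== 16) throw new Error('data key id must decode to 16 bytes (a UUID)');
  const keyId = new Binary(keyBytes, 4); // subtype 4 = UUID, which is what encryptMetadata.keyId expects

  return {
    bsonType: 'object',
    encryptMetadata: { keyId: [keyId] },
    properties: {
      // Deterministic so the application can still look a patient up by SSN.
      ssn: { encrypt: { bsonType: 'string', algorithm: DETERMINISTIC } },
      bloodType: { encrypt: { bsonType: 'string', algorithm: RANDOM } },
      // Arrays and objects may only use the random algorithm.
      medicalRecords: { encrypt: { bsonType: 'array', algorithm: RANDOM } },
      insurance: {
        bsonType: 'object',
        properties: {
          policyNumber: { encrypt: { bsonType: 'int', algorithm: DETERMINISTIC } },
        },
      },
      // name is deliberately absent: it stays plaintext.
    },
  };
}

// Dotted paths of every field the schema encrypts; handy for tests and audits.
function encryptedPaths(schema, prefix = '') {
  const out = [];
  for (const [name, spec] of Object.entries(schema.properties || {})) {
    const dotted = prefix ? `${prefix}.${name}` : name;
    if (spec.encrypt) out.push(dotted);
    else out.push(...encryptedPaths(spec, dotted));
  }
  return out;
}

module.exports = { patientSchema, encryptedPaths, DETERMINISTIC, RANDOM };
```

A field that is not listed is sent in plaintext, so review encryptedPaths(schema) against your data classification before shipping; forgetting a field is silent.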
Next, create a Node.js module with the file name app.js that inserts a patient document into the collection.
To run the example, enter the following at the command prompt.
node app.js
This operation creates a document in which every field named in the schema is stored as BSON Binary (subtype 6) ciphertext rather than as plaintext:

You can fetch the patient data by adding the following function to app.js. A client configured with the same autoEncryption options decrypts the fields transparently on read; a client without those options returns the raw ciphertext.
Cheers! You’ve made it this far.
With this knowledge of CSFLE, you should be able to better secure applications and understand how it works!
You can find the entire code here.
Useful Links
- https://docs.mongodb.com/drivers/security/client-side-field-level-encryption-guide/
- https://github.com/Automattic/mongoose/issues/8167
Conclusion
While this post covers one of the most important measures you can take to secure the data in your MongoDB instances, there is much more to MongoDB security: enable access control, configure role-based access control, encrypt network traffic with TLS, restrict network exposure, and so on.
Although this post has focused on database security, it’s also advisable that you protect the JavaScript source code of your web and mobile apps.
Thanks for reading!
More content at plainenglish.io