MongoDB Announces Queryable Encryption with Equality Query Type Support

Cynthia Braund and Pramod Borkar
August 15, 2023 | Updated: August 17, 2023

The general availability of Queryable Encryption offers end-to-end encryption of sensitive data while preserving the ability to run equality queries on that encrypted data, helping customers meet the strictest data privacy requirements. This technology allows developers to query encrypted sensitive data in a simple, intuitive way. We are releasing the equality query type with the 7.0 release and in future releases will add support to the range, prefix, suffix, and substring query types.

First announced in preview in MongoDB 6.0 in 2022, Queryable Encryption introduced a fast state-of-the-art encrypted search algorithm using innovative cryptography engineering built and designed by MongoDB’s Cryptography Research Group with decades of experience designing state-of-the-art encrypted search algorithms.

Since its initial release last year, MongoDB has worked in partnership with its customers including leading Fortune 500 companies in the healthcare and insurance industries to fine-tune the release for general availability. This client-side encryption approach uses novel encrypted data structures that allow developers to run efficient, expressive queries on encrypted workloads for the first time. Data remains encrypted at all times on the database, including in memory and in the CPU; keys never leave the application and cannot be accessed by the database server.

Queryable Encryption: How it works

Gif displaying how queryable encryption works

Here is a sample flow of operations where an authorized user wants to query the encrypted data. In this example, let’s assume we are retrieving the records for an SSN number.

  1. Authorized users run an equality query to get specific SSN number records

  2. Recognizing the query is against an encrypted field, the driver requests the encryption keys from the customer-provisioned key provider, such as AWS Key Management Service (AWS KMS), Google Cloud KMS, Azure Key Vault, or any KMIP-enabled provider, such as HashiCorp Vault.

  3. The MongoDB driver gets the encryption keys from the key provider

  4. The driver submits the encrypted query along with a cryptographic token to the MongoDB server with the encrypted fields rendered as ciphertext.

  5. Queryable Encryption implements a fast encrypted search algorithm that allows the server to process queries on the encrypted data, without knowing the data. The data and the query itself remain encrypted at all times on the server.

  6. The MongoDB server returns the encrypted results of the query to the driver.

  7. The query results are decrypted with the keys held by the driver and returned to the client and shown as plaintext.

Here are some of the key benefits of Queryable Encryption technology:

  1. Run equality queries on encrypted data: With Queryable Encryption, customers can run equality queries on encrypted data using a fast state-of-the-art encrypted search algorithm. This algorithm allows the server to process and retrieve matching documents without the server understanding anything about the data or why the document should be returned.

  2. Groundbreaking query technology based on standards-based cryptography: Queryable Encryption introduces a fast state-of-the-art encrypted search algorithm that uses NIST standards-based primitives. These are well-tested and established public standards to ensure the confidentiality and integrity of data.

  3. Faster application development cycle: Queryable Encryption allows developers to easily encrypt sensitive data without changes to their application code with many language-specific drivers to choose from. There is no crypto experience required and it’s intuitive and easy for developers to set up and use. Developers don't have to figure out how to use the right algorithms, encryption options, etc to implement their right encryption solution. MongoDB has done all that complex work for them.

  4. Reduce operational risk as sensitive workloads are protected on the cloud: Eliminate common security concerns when moving database workloads to the cloud. Customers can keep their data on any of the cloud providers and be assured that their data is protected. Since encryption keys are only accessible within the customer environment, the data cannot be decrypted by a 3rd party or the cloud provider. The only place where the data is unencrypted is in the application.

  5. Strong technical controls for critical data privacy use cases: Can help customers meet strict data privacy requirements such as HIPAA, GDPR, CCPA, PCI, and more. Queryable Encryption uses strong data protection techniques and end-to-end encryption.

Resources

For more information on Queryable Encryption, refer to the following resources:

← Previous

4 Big Reasons to Upgrade to MongoDB 7.0

This post is also available in: Deutsch , Français , Español , Português Lately, we've been hitting the road and making news at a series of events in major cities across the globe. One of the big highlights is the release of MongoDB 7.0 , which offers a comprehensive suite of features designed to streamline operations, improve performance, and enhance security. With this release, MongoDB reaffirms itself as a top choice for organizations looking to boost the productivity of their development teams as they build modern, distributed applications. Version 7.0 has all the features released in prior versions with additional features aimed at making it easier for developers to build software. #1 - Enhanced performance MongoDB 7.0 brings significant improvements to working with time series data, especially demanding, high-volume datasets of all shapes. These improvements result in improved storage optimization and compression, as well as improved query performance. Developers will experience even better handling of high cardinality data, improved scalability, and overall performance; enabling you to manage time-series data more efficiently and cost-effectively. Change streams will now support even wider use cases: handling changes in large documents, even with pre-images and post-images, without causing unexpected errors. #2 - Smoother migrations Updates to cluster-to-cluster sync (mongosync) will enable more efficient data migration in a variety of scenarios. Cluster-to-cluster sync now provides greater flexibility in syncing between clusters with unlike topologies, such as from replica sets to sharded clusters. Filtered sync allows for syncing specific data sets instead of the entire cluster. Atlas Live Migrate now supports migrations for clusters running MongoDB 6.0.4+ delivering migrations that are faster and more resilient in cases of interruption during the migration process. #3 - Streamlined developer experience With new enhancements to the aggregation pipeline — including compound wildcard indexes , approximate percentiles, and bitwise operators — developers can enjoy greater flexibility and performance in indexing and querying data. With MongoDB 7.0, developers can also implement user role variables within aggregation pipelines enabling a single view to display different data based on the logged-in users’ permissions. Support for fine-grained updates and deletes in time-series collections and new metrics to help select a shard key to help reduce developer effort and streamline the development process. #4 - Stronger security MongoDB 7.0 strengthens security capabilities with Queryable Encryption to help customers encrypt sensitive data and run equality queries on fully randomized encrypted data. The security enhancements ensure that developers can build and deploy applications with confidence, knowing that their data is protected and compliant with the latest security standards and protocols. Why wait? With a host of new features and enhancements designed to make your team more productive, MongoDB 7.0 is the perfect choice for organizations looking to take their development to the next level. From enhanced performance to stronger security features, MongoDB 7.0 makes it easier to build the next big thing. Register for Atlas now and start building today . If you'd like guidance on upgrading to 7.0, our professional services team offers upgrade support to help ensure a smooth transition. To learn more, see MongoDB Consulting . Check out the full session on What's New in MongoDB 7.0 on our YouTube channel!

August 15, 2023
Next →

Building AI With MongoDB: Integrating Vector Search And Cohere to Build Frontier Enterprise Apps

Cohere is the leading enterprise AI platform, building large language models (LLMs) which help businesses unlock the potential of their data. Operating at the frontier of AI, Cohere’s models provide a more intuitive way for users to retrieve, summarize, and generate complex information. Cohere offers both text generation and embedding models to its customers. Enterprises running mission-critical AI workloads select Cohere because its models offer the best performance-cost tradeoff and can be deployed in production at scale. Cohere’s platform is cloud-agnostic. Their models are accessible through their own API as well as popular cloud managed services, and can be deployed on a virtual private cloud (VPC) or even on-prem to meet companies where their data is, offering the highest levels of flexibility and control. Cohere’s leading Embed 3 and Rerank 3 models can be used with MongoDB Atlas Vector Search to convert MongoDB data to vectors and build a state-of-the-art semantic search system. Search results also can be passed to Cohere’s Command R family of models for retrieval augmented generation (RAG) with citations. Check out our AI resource page to learn more about building AI-powered apps with MongoDB. A new approach to vector embeddings It is in the realm of embedding where Cohere has made a host of recent advances. Described as “AI for language understanding,” Embed is Cohere’s leading text representation language model. Cohere offers both English and multilingual embedding models, and gives users the ability to specify the type of data they are computing an embedding for (e.g., search document, search query). The result is embeddings that improve the accuracy of search results for traditional enterprise search or retrieval-augmented generation. One challenge developers faced using Embed was that documents had to be passed one by one to the model endpoint, limiting throughput when dealing with larger data sets. To address that challenge and improve developer experience, Cohere has recently announced its new Embed Jobs endpoint . Now entire data sets can be passed in one operation to the model, and embedded outputs can be more easily ingested back into your storage systems. Additionally, with only a few lines of code, Rerank 3 can be added at the final stage of search systems to improve accuracy. It also works across 100+ languages and offers uniquely high accuracy on complex data such as JSON, code, and tabular structure. This is particularly useful for developers who rely on legacy dense retrieval systems. Demonstrating how developers can exploit this new endpoint, we have published the How to use Cohere embeddings and rerank modules with MongoDB Atlas tutorial . Readers will learn how to store, index, and search the embeddings from Cohere. They will also learn how to use the Cohere Rerank model to provide a powerful semantic boost to the quality of keyword and vector search results. Figure 1: Illustrating the embedding generation and search workflow shown in the tutorial Why MongoDB Atlas and Cohere? MongoDB Atlas provides a proven OLTP database handling high read and write throughput backed by transactional guarantees. Pairing these capabilities with Cohere’s batch embeddings is massively valuable to developers building sophisticated gen AI apps. Developers can be confident that Atlas Vector Search will handle high scale vector ingestion, making embeddings immediately available for accurate and reliable semantic search and RAG. Increasing the speed of experimentation, developers and data scientists can configure separate vector search indexes side by side to compare the performance of different parameters used in the creation of vector embeddings. In addition to batch embeddings, Atlas Triggers can also be used to embed new or updated source content in real time, as illustrated in the Cohere workflow shown in Figure 2. Figure 2: MongoDB Atlas Vector Search supports Cohere’s batch and real time workflows. (Image courtesy of Cohere) Supporting both batch and real-time embeddings from Cohere makes MongoDB Atlas well suited to highly dynamic gen AI-powered apps that need to be grounded in live, operational data. Developers can use MongoDB’s expressive query API to pre-filter query predicates against metadata, making it much faster to access and retrieve the more relevant vector embeddings. The unification and synchronization of source application data, metadata, and vector embeddings in a single platform, accessed by a single API, makes building gen AI apps faster, with lower cost and complexity. Those apps can be layered on top of the secure, resilient, and mature MongoDB Atlas developer data platform that is used today by over 45,000 customers spanning startups to enterprises and governments handling mission-critical workloads. What's next? To start your journey into gen AI and Atlas Vector Search, review our 10-minute Learning Byte . In the video, you’ll learn about use cases, benefits, and how to get started using Atlas Vector Search.

April 25, 2024