MongoDB Field Level Encryption (FLE) Tutorial/Demo

Demo MongoDB Client-Side Field Level Encryption. Uses Golang + Ubuntu in a Docker container.

Run

Note: The Dockerfile contains all environment dependencies to run this demo.

1. Add values to required variables specified in env.list.example and rename the file to env.list

   • Need to have a MongoDB deployment running, if not, delopoy a free one in Atlas and grab the connection string
   • Need to have AWS KMS configured

2. Run the following:

docker run --rm  -it  -p 8888:8888 -p 27020:27020 --env-file env.list --hostname fle  nullstring/mongo-fle-demo

foobar document

{
    "_id": "string",
    "name":"string",
    "message": "string" 
}

Note: message is encrypted/decrypted if inserted/read via /foo else as-is.

Endpoints

• POST /foo -- Inserts a valid foobar document to the tutorial.foobar namespace and encrypts the message field.

• GET /foo/{id} -- Reads a foobar document with matching id and attempts to decrypt the message field.

• POST /bar -- Inserts a valid foobar document to the tutorial.foobar namespace. (sans encryption)

• GET /bar/{id} -- Reads a foobar document with matching id as-is. (sans decryption)

Test

Import Postman collection.

For debugging/ad-hoc testing:

git clone https://github.com/desteves/fle.git
cd fle
docker run --rm -it -v $PWD:/go/src/github.com/desteves/fle --entrypoint /bin/bash -p 8777:8888  -p 27020:27020 --env-file env.list --hostname fle-testing nullstring/mongo-fle-demo
go build -tags cse main.go
./main

References

• General mongoDB Docs on FLE
• mongoDB University Guide
• mongoDB Labs go example
• mongoDB FLE Use Case Guide
• mongoDB Using KMS
• mongoDB Driver FLE
• mongoDB libmongocrypt
• Go Driver Tests on FLE