Class: AutoEncrypter


An internal class to be used by the driver for auto encryption
NOTE: Not meant to be instantiated directly, this is for internal use only.

Create an AutoEncrypter

Note: Do not instantiate this class directly. Rather, supply the relevant options to a MongoClient

Note: Supplying options.schemaMap provides more security than relying on JSON Schemas obtained from the server.
It protects against a malicious server advertising a false JSON Schema, which could trick the client into sending unencrypted data that should be encrypted.
Schemas supplied in the schemaMap only apply to configuring automatic encryption for client side encryption.
Other validation rules in the JSON schema will not be enforced by the driver and will result in an error.

Name Type Description
client MongoClient

The client autoEncryption is enabled on

options AutoEncrypter~AutoEncryptionOptions optional

Optional settings


// Enabling autoEncryption via a MongoClient
const { MongoClient } = require('mongodb');
const client = new MongoClient(URL, {
autoEncryption: {
kmsProviders: {
aws: {
accessKeyId: AWS_ACCESS_KEY,
secretAccessKey: AWS_SECRET_KEY

await client.connect();
// From here on, the client will be encrypting / decrypting automatically



The level of severity of the log message

Value Level
0 Fatal Error
1 Error
2 Warning
3 Info
4 Trace

Type Definitions


Extra options related to the mongocryptd process

Name Type Argument Default Description
mongocryptdURI string <optional>

A local process the driver communicates with to determine how to encrypt values in a command. Defaults to "mongodb://%2Fvar%2Fmongocryptd.sock" if domain sockets are available or "mongodb://localhost:27020" otherwise

mongocryptdBypassSpawn boolean <optional>

If true, autoEncryption will not attempt to spawn a mongocryptd before connecting

mongocryptdSpawnPath string <optional>

The path to the mongocryptd executable on the system

mongocryptdSpawnArgs Array.<string> <optional>

Command line arguments to use when auto-spawning a mongocryptd


Configuration options for a automatic client encryption.

Name Type Argument Description
keyVaultClient MongoClient <optional>

A MongoClient used to fetch keys from a key vault

keyVaultNamespace string <optional>

The namespace where keys are stored in the key vault

kmsProviders KMSProviders <optional>

Configuration options that are used by specific KMS providers during key generation, encryption, and decryption.

schemaMap object <optional>

A map of namespaces to a local JSON schema for encryption

bypassAutoEncryption boolean <optional>

Allows the user to bypass auto encryption, maintaining implicit decryption

options.logger AutoEncrypter~logger <optional>

An optional hook to catch logging messages from the underlying encryption engine

extraOptions AutoEncrypter~AutoEncryptionExtraOptions <optional>

Extra options related to the mongocryptd process

A callback that is invoked with logging information from
the underlying C++ Bindings.

Name Type Description
level AutoEncrypter~logLevel

The level of logging.

message string

The message to log