[![Open In Colab](https://colab.research.google.com/assets/colab-badge.svg)](https://colab.research.google.com/github/mongodb-developer/Security-Showcase/blob/main/notebooks/queryable_encryption_quickstart.ipynb)


# MongoDB Queryable Encryption with Atlas - Developer Education

This notebook is based on the available  [Queryable Encryption quick start](https://www.mongodb.com/docs/manual/core/queryable-encryption/quick-start/).

# Installation of prerequisites

In [11]:
!pip install pymongo[encryption]
!pip install requests

zsh:1: no matches found: pymongo[encryption]


In [23]:

import os
from pymongo import MongoClient
from pymongo.encryption import Algorithm, ClientEncryption, QueryType
from pymongo.encryption_options import AutoEncryptionOpts
from bson.codec_options import CodecOptions
from bson import json_util
import json
import requests
import platform
import tempfile

Function to download and set up crypt_shared library

In [24]:
def setup_crypt_shared():
    system = platform.system().lower()
    if system == "linux":
        url = "https://downloads.mongodb.com/linux/mongo_crypt_shared_v1-linux-x86_64-enterprise-ubuntu2004-6.0.6.tgz"
        filename = "mongo_crypt_shared_v1-linux-x86_64-enterprise-ubuntu2004-6.0.6.tgz"
    elif system == "darwin":
        url = "https://downloads.mongodb.com/osx/mongo_crypt_shared_v1-macos-x86_64-enterprise-6.0.6.tgz"
        filename = "mongo_crypt_shared_v1-macos-x86_64-enterprise-6.0.6.tgz"
    elif system == "windows":
        url = "https://downloads.mongodb.com/windows/mongo_crypt_shared_v1-windows-x86_64-enterprise-6.0.6.zip"
        filename = "mongo_crypt_shared_v1-windows-x86_64-enterprise-6.0.6.zip"
    else:
        raise OSError("Unsupported operating system")

    response = requests.get(url)
    response.raise_for_status()

    with tempfile.NamedTemporaryFile(delete=False, suffix=".tgz" if system != "windows" else ".zip") as tmp_file:
        tmp_file.write(response.content)
        tmp_file_path = tmp_file.name

    extract_dir = tempfile.mkdtemp()

    if system != "windows":
        os.system(f"tar -xzf {tmp_file_path} -C {extract_dir}")
        lib_path = os.path.join(extract_dir, "lib", "mongo_crypt_v1.so")
    else:
        os.system(f"powershell Expand-Archive -Path {tmp_file_path} -DestinationPath {extract_dir}")
        lib_path = os.path.join(extract_dir, "bin", "mongo_crypt_v1.dll")

    return lib_path

# Set up crypt_shared library

In [25]:
crypt_shared_lib_path = setup_crypt_shared()
print(f"Crypt shared library path: {crypt_shared_lib_path}")


Crypt shared library path: /var/folders/hq/hg3_jc614458jwc75zpq40_h0000gp/T/tmpkv_q594k/lib/mongo_crypt_v1.so


 1. Connect to your Atlas cluster

In [26]:
import getpass
MONGODB_ATLAS_URI = "mongodb://localhost:27017"

key_vault_client = MongoClient(MONGODB_ATLAS_URI, appname="deverel.content.python")

2. Set up encryption key and providers

In [27]:
local_master_key = os.urandom(96)
kms_providers = {"local": {"key": local_master_key}}
key_vault_namespace = "encryption.__keyVault"


In [28]:
kms_provider_name="local"
key_vault_database_name = "encryption"
key_vault_collection_name = "__keyVault"
key_vault_namespace = f"{key_vault_database_name}.{key_vault_collection_name}"
encrypted_database_name = "medicalRecords"
encrypted_collection_name = "patients"

3. Create a ClientEncryption object

In [14]:
!python3 -m pip install 'pymongo[encryption]'

Collecting pymongo-auth-aws<2.0.0,>=1.1.0 (from pymongo[encryption])
  Downloading pymongo_auth_aws-1.3.0-py3-none-any.whl.metadata (17 kB)
Collecting pymongocrypt<2.0.0,>=1.6.0 (from pymongo[encryption])
  Downloading pymongocrypt-1.11.0-py3-none-macosx_11_0_universal2.whl.metadata (23 kB)
Collecting cffi<2,>=1.12.0 (from pymongocrypt<2.0.0,>=1.6.0->pymongo[encryption])
  Downloading cffi-1.17.1-cp312-cp312-macosx_11_0_arm64.whl.metadata (1.5 kB)
Collecting cryptography>=40 (from pymongocrypt<2.0.0,>=1.6.0->pymongo[encryption])
  Downloading cryptography-43.0.1-cp39-abi3-macosx_10_9_universal2.whl.metadata (5.4 kB)
Collecting pycparser (from cffi<2,>=1.12.0->pymongocrypt<2.0.0,>=1.6.0->pymongo[encryption])
  Downloading pycparser-2.22-py3-none-any.whl.metadata (943 bytes)
Downloading pymongo_auth_aws-1.3.0-py3-none-any.whl (15 kB)
Downloading pymongocrypt-1.11.0-py3-none-macosx_11_0_universal2.whl (4.7 MB)
[2K   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m4.7/4.7 MB[0m [

In [29]:
auto_encryption_options = AutoEncryptionOpts(
    kms_providers,
    key_vault_namespace,
    crypt_shared_lib_path=crypt_shared_lib_path
)

ConfigurationError: client side encryption requires the pymongocrypt library: install a compatible version with: python -m pip install 'pymongo[encryption]'

 4. Set up the key vault

In [30]:
encrypted_client = MongoClient(
    MONGODB_ATLAS_URI, auto_encryption_opts=auto_encryption_options)


NameError: name 'auto_encryption_options' is not defined

6. Define the encrypted fields map

In [54]:
encrypted_fields_map = {
    "fields": [
        {
            "path": "patientRecord.ssn",
            "bsonType": "string",
            "queries": [{"queryType": "equality"}] # potentially 'range'
        },
        {
            "path": "patientRecord.billing",
            "bsonType": "object",
        }
    ]
}

7. Create an encrypted client

In [52]:
client_encryption = ClientEncryption(
    kms_providers=kms_providers,
    key_vault_namespace=key_vault_namespace,
    key_vault_client=encrypted_client,
    codec_options=CodecOptions()
)




 8. Set up and use the encrypted collection

In [55]:
client_encryption.create_encrypted_collection(
    encrypted_client[encrypted_database_name],
    encrypted_collection_name,
    encrypted_fields_map,
    kms_provider_name,
    {},
)

(Collection(Database(MongoClient(host=['serverless1-lb.uvwhr.mongodb.net:27017'], document_class=dict, tz_aware=False, connect=True, authsource='admin', loadbalanced=True, tls=True, auto_encryption_opts=<pymongo.encryption_options.AutoEncryptionOpts object at 0x7f57846ba980>), 'medicalRecords'), 'patients'),
 {'fields': [{'path': 'patientRecord.ssn',
    'bsonType': 'string',
    'queries': [{'queryType': 'equality'}],
    'keyId': Binary(b'L\x04.\x94\x91\xaaL\x10\x8fb\xe1\x91+\xaeg\x8b', 4)},
   {'path': 'patientRecord.billing',
    'bsonType': 'object',
    'keyId': Binary(b'YV\x0cP\x1f\xfeF \x96".V:\xec\x82\xf5', 4)}]})

9. Insert an encrypted document

In [56]:
patient_document = {
    "patientName": "Jon Doe",
    "patientId": 12345678,
    "patientRecord": {
        "ssn": "987-65-4320",
        "billing": {
            "type": "Visa",
            "number": "4111111111111111",
        },
    },
}
encrypted_collection = encrypted_client[encrypted_database_name][encrypted_collection_name]
result = encrypted_collection.insert_one(patient_document)
print(f"Inserted document ID: {result.inserted_id}")

Inserted document ID: 66aa6a8fc652e5247e1cbc7f


10. Query the encrypted collection

In [57]:
find_result = encrypted_collection.find_one({
    "patientRecord.ssn": "987-65-4320"
})
print(find_result)


{'_id': ObjectId('66aa6a8fc652e5247e1cbc7f'), 'patientName': 'Jon Doe', 'patientId': 12345678, 'patientRecord': {'ssn': '987-65-4320', 'billing': {'type': 'Visa', 'number': '4111111111111111'}}, '__safeContent__': [b'\xd7\xb5&\xd7I\x9eF;g\xb8\x9dEmGkbd}\x8c\xf7w\x87\xb1Y(\xa3b\xbf\x1e\x9fW\x01']}


In [58]:
print("\nQuerying without encryption:")

reg_mongoclient = MongoClient(MONGODB_ATLAS_URI)

find_result = reg_mongoclient[encrypted_database_name][encrypted_collection_name].find_one({
    "patientRecord.ssn": "987-65-4320"
})
print(find_result)

all_docs = reg_mongoclient[encrypted_database_name][encrypted_collection_name].find()
print("\nAll documents in the collection:")
for doc in all_docs:
    print(doc)


Querying without encryption:
None

All documents in the collection:
{'_id': ObjectId('66aa6a8fc652e5247e1cbc7f'), 'patientName': 'Jon Doe', 'patientId': 12345678, 'patientRecord': {'ssn': Binary(b'\x0eL\x04.\x94\x91\xaaL\x10\x8fb\xe1\x91+\xaeg\x8b\x02k13\xecIk\x90\x81\x15\xbf\x08i\xa4z\x10\xfc\x11O!\xc9p\xce\x12\x0c\xd3\xa9\xb1(\xed\x90\xb2\x91q\xc2\xab\xc6\xb4\x827C\xf0\xfd\xc4\xf9\x88W<11_\xa3\x98\x18\x1b\xba)\xb6\x12%)4\n|\x1f\xea\x00\x12(\x8f@\x1a0\xd1`\xfa\x82/A2\xdf9\xe3\xb3\x8d$\t\xba|\x9fkDfsf\xa5\x08\xbb\x1en%\x11\xb1\xd0s\x87k\x92+j\x85\xd6\xdf;K\x88\x1e\xf0S>Z_G@\x7fU+\xb6\x93\x18<#bmJ\xd6\xba\x86F}r\xacM%\xee\xd7\xb5&\xd7I\x9eF;g\xb8\x9dEmGkbd}\x8c\xf7w\x87\xb1Y(\xa3b\xbf\x1e\x9fW\x01\xba\x9c#G\x9f\xcd\x82\xf2\x8d\x1b`\xf6\x06\x17pi\x0b\xc8\xde\x90\xc3}Q\x19\xcd\r<=a\x15\x03\xce', 6), 'billing': Binary(b'\x10YV\x0cP\x1f\xfeF \x96".V:\xec\x82\xf5\x03<\x12\xcdT\x10\xad}\xbb\x8a\xd2\xa1d\xaf&\xee\xcf\x05\x91\xe8w\xa6\x1bs\xa7\xe1\xcf\x83(\xb0;(\xe5\xc5\x0ec\xc7y\xd02\x88+M\xb