Field-level encryption in CosmosDb documents, also known as Always Encrypted
In this blog I will show you, with an example, how to encrypt specific fields or properties of a CosmosDb document. This is also known as client-side and server-side document encryption with CosmosDb (DocumentDb).
Here are the things we will be covering:
01. Concepts
02. How to encrypt CosmosDb Document?
03. Define Keyvault Keys
04. Document Encryption
05. Verify Document in CosmosDB
06. Reading Document from Cosmos
07. Negative Test
08. Conclusion
09. References
01. Concepts
As with any other database, data in CosmosDb is encrypted at rest by default, and communication uses SSL over HTTPS, which means that your document is safe while the data is travelling over the wire. However, you may have sensitive data that you want to keep encrypted inside the stored document itself (in the database), so that even if someone has access to the CosmosDb resource in Azure and is able to use the query explorer, the sensitive information within the document (record) is not visible in plain text.

The query above 👆 displays the Salary and SSN data in plain text, which is not something you may want 🤔.
We may want something like this:

Is there any way individual fields can be protected in CosmosDb?
The answer is yes: it's possible with CosmosDb and client-side libraries.
02. How to encrypt CosmosDb Document?
A document in CosmosDb can be encrypted using data encryption keys (DEKs). These keys must be created when the database is defined inside CosmosDb, before you create any records in the database container.
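The DEK idea above can be modelled locally. This is an added example, not code from the original post and not the CosmosDb SDK. It assumes a local RSA key standing in for the Key Vault key, AES-GCM as the field cipher, the third-party `cryptography` package, and a constructed sample document.

```python
import base64, json, os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
SENSITIVE = ("Salary", "SSN")  # the two fields the post wants hidden

def new_kek():
    # Assumption: a local RSA key plays the role of the Key Vault key.
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def create_wrapped_dek(kek):
    # The DEK is created once, before any record exists; only the wrapped
    # (encrypted) form is ever stored next to the data.
    return kek.public_key().encrypt(AESGCM.generate_key(bit_length=256), OAEP)

def encrypt_document(doc, wrapped_dek, kek):
    dek = kek.decrypt(wrapped_dek, OAEP)
    out = dict(doc)
    for field in SENSITIVE:
        nonce = os.urandom(12)
        plaintext = json.dumps(doc[field]).encode()
        # The field name is bound as associated data, so a ciphertext
        # copied into another field fails authentication on read.
        ct = AESGCM(dek).encrypt(nonce, plaintext, field.encode())
        out[field] = base64.b64encode(nonce + ct).decode()
    return out

def decrypt_document(stored, wrapped_dek, kek):
    dek = kek.decrypt(wrapped_dek, OAEP)  # ValueError if kek is the wrong key
    out = dict(stored)
    for field in SENSITIVE:
        blob = base64.b64decode(stored[field])
        pt = AESGCM(dek).decrypt(blob[:12], blob[12:], field.encode())
        out[field] = json.loads(pt)
    return out

def can_read(stored, wrapped_dek, kek):
    try:
        decrypt_document(stored, wrapped_dek, kek)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    kek, doc = new_kek(), {"id": "1", "Name": "Jane Doe",
                           "Salary": 85000, "SSN": "000-00-0000"}  # constructed
    wrapped = create_wrapped_dek(kek)
    stored = encrypt_document(doc, wrapped, kek)
    print(json.dumps(stored, indent=2))          # what a query would return
    print(decrypt_document(stored, wrapped, kek) == doc)
    print(can_read(stored, wrapped, new_kek()))  # a different key cannot read
```
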