Objective: To implement Client-Side Field-Level Encryption (CSFLE) in a NoSQL environment to ensure that sensitive user data remains encrypted even if the database is compromised.
1. The Vulnerability: Plaintext Data Exposure in NoSQL Databases
Storing personally identifiable information (PII) or financial data in plaintext within a NoSQL database (like MongoDB) represents a critical security risk. If an attacker gains unauthorized access to the database layer, they can exfiltrate the entire data store, leading to a massive loss of Data Confidentiality. Traditional disk-level encryption is insufficient to protect data from a compromised database process.
2. Technical Execution: Client-Side Field-Level Encryption
I implemented a “Never-Plaintext” architecture using MongoDB’s Field-Level Encryption (FLE). By encrypting specific sensitive fields (e.g., credit_card, social_security_number) at the application layer before they reach the database, I ensured that the data remains unreadable to anyone without the original encryption keys, including database administrators.
| Component | Value | Purpose |
|---|---|---|
| Encryption Type | AES-256-GCM (Symmetric) | Industry-standard algorithm for data protection. |
| Key Strategy | Master Key + Data Keys | Hierarchical key management for scalability. |
| Storage Engine | MongoDB | The NoSQL backend protected by the encryption layer. |
| Process | CSFLE (Client-Side) | Encrypting data before it ever leaves the client app. |
3. Execution Workflow
- Security Audit: Identified critical data fields within the MongoDB schema that required mandatory encryption according to compliance standards (e.g., PCI-DSS).
- Key Generation: Established a secure Key Vault to store “Data Encryption Keys” (DEK), managed by a central “Master Key.”
- Logic Implementation: Integrated the MongoDB driver with the encryption library, ensuring that the application automatically transparently encrypts and decrypts targeted fields.
- Validation: Confirmed that queries for sensitive data performed by unauthorized users or directly via the database console returned only ciphertext.
4. Key Configuration
// Example: Configuring MongoDB Field-Level Encryption Schema
const schemaMap = {
"medical_db.patients": {
"bsonType": "object",
"properties": {
"ssn": {
"encrypt": {
"keyId": [UUID],
"algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
}
}
}
}
};
5. Evidence of Work


6. Professional Impact
This project highlights a “Zero-Trust” approach to database security. By ensuring that sensitive fields are never stored in plaintext, I protected the organization’s Data Confidentiality against both external hackers and internal threats. My implementation of Client-Side Field-Level Encryption ensures that the data remains secure throughout its entire lifecycle—during transit, in memory, and on disk.