Objective: To implement Client-Side Field-Level Encryption (CSFLE) in a NoSQL environment to ensure that sensitive user data remains encrypted even if the database is compromised.

1. The Vulnerability: Plaintext Data Exposure in NoSQL Databases

Storing personally identifiable information (PII) or financial data in plaintext within a NoSQL database (like MongoDB) represents a critical security risk. If an attacker gains unauthorized access to the database layer, they can exfiltrate the entire data store, leading to a massive loss of Data Confidentiality. Traditional disk-level encryption is insufficient here: it protects the files at rest, but the running database process works on decrypted data, so anyone who compromises that process or holds valid database credentials still reads plaintext.

2. Technical Execution: Client-Side Field-Level Encryption

I implemented a “Never-Plaintext” architecture using MongoDB’s Field-Level Encryption (FLE). By encrypting specific sensitive fields (e.g., credit_card, social_security_number) at the application layer before they reach the database, I ensured that the data remains unreadable to anyone without the original encryption keys, including database administrators.

| Component | Value | Purpose |
|---|---|---|
| Encryption Type | AES-256-GCM (Symmetric) | Industry-standard algorithm for data protection. |
| Key Strategy | Master Key + Data Keys | Hierarchical key management for scalability. |
| Storage Engine | MongoDB | The NoSQL backend protected by the encryption layer. |
| Process | CSFLE (Client-Side) | Encrypting data before it ever leaves the client app. |

3. Execution Workflow

  1. Security Audit: Identified critical data fields within the MongoDB schema that required mandatory encryption according to compliance standards (e.g., PCI-DSS).
  2. Key Generation: Established a secure Key Vault to store “Data Encryption Keys” (DEK), managed by a central “Master Key.”
  3. Logic Implementation: Integrated the MongoDB driver with the encryption library, ensuring that the application automatically and transparently encrypts and decrypts targeted fields.
  4. Validation: Confirmed that queries for sensitive data performed by unauthorized users or directly via the database console returned only ciphertext.
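
One way to automate the validation in step 4, as an added example (not the project's own code): a check run over documents fetched by a client without auto-decryption that flags any targeted field that is not a BSON Binary subtype 6 value, or that is encrypted under an unexpected data key. The function names, sample documents and key UUID are constructed, and field values are assumed to have the Node driver's Binary shape ({ sub_type, buffer }).

```javascript
// A CSFLE value is BSON Binary subtype 6 with this payload layout:
//   byte 0: 1 = deterministic, 2 = random | bytes 1-16: DEK UUID
//   byte 17: original BSON type           | remainder: ciphertext
const ENCRYPTED_SUBTYPE = 6;
const KINDS = { 1: "deterministic", 2: "random" };

// Inspect one field as returned to a client WITHOUT auto-decryption.
// Assumption: value has the Node driver's Binary shape { sub_type, buffer }.
function inspectField(value) {
  if (!value || value.sub_type !== ENCRYPTED_SUBTYPE || !(value.buffer instanceof Uint8Array)) {
    return { encrypted: false, reason: "not BinData subtype 6" };
  }
  const buf = Buffer.from(value.buffer);
  if (buf.length < 19 || !KINDS[buf[0]]) {
    return { encrypted: false, reason: "malformed subtype-6 payload" };
  }
  return {
    encrypted: true,
    kind: KINDS[buf[0]],
    keyId: buf.subarray(1, 17).toString("hex"),
    originalBsonType: buf[17],
  };
}

// One finding per field that is plaintext or encrypted under an unexpected DEK.
function auditCollection(docs, fields, expectedKeyIdHex) {
  const findings = [];
  for (const doc of docs) {
    for (const field of fields) {
      if (!(field in doc)) continue;
      const info = inspectField(doc[field]);
      if (!info.encrypted) {
        findings.push({ _id: doc._id, field, problem: info.reason });
      } else if (info.keyId !== expectedKeyIdHex) {
        findings.push({ _id: doc._id, field, problem: "unexpected keyId " + info.keyId });
      }
    }
  }
  return findings;
}

// Constructed sample data: _id 1 is encrypted, _id 2 leaked a plaintext SSN.
const KEY = "00112233445566778899aabbccddeeff"; // constructed DEK UUID (hex)
const blob = Buffer.concat([Buffer.from([1]), Buffer.from(KEY, "hex"), Buffer.from([2]), Buffer.alloc(64, 0xab)]);
const sampleDocs = [
  { _id: 1, ssn: { sub_type: 6, buffer: blob } },
  { _id: 2, ssn: "123-45-6789" },
];
console.log(auditCollection(sampleDocs, ["ssn"], KEY));
```

An empty findings list is the pass condition; the check can run in CI against a staging collection after every schema map change.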

4. Key Configuration

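// Example: Configuring MongoDB Field-Level Encryption Schema
const { UUID } = require("mongodb");

// Placeholder: replace with the UUID of the data encryption key (DEK) stored in the key vault.
const dataKeyId = new UUID("00000000-0000-0000-0000-000000000000");

const schemaMap = {
  "medical_db.patients": {
    "bsonType": "object",
    "properties": {
      "ssn": {
        "encrypt": {
          // Deterministic encryption requires a single bsonType for the field.
          "bsonType": "string",
          // keyId is an array of DEK UUIDs (BSON Binary subtype 4).
          "keyId": [dataKeyId],
          "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
        }
      }
    }
  }
};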

5. Evidence of Work

Discovery
Caption: Discovery phase showing the initial vulnerability where sensitive fields were stored in plaintext.

Results
Caption: Results/Impact phase showing the successful implementation of field-level encryption, with the database console displaying only encrypted values.

6. Professional Impact

This project highlights a “Zero-Trust” approach to database security. By ensuring that sensitive fields are never stored in plaintext, I protected the organization’s Data Confidentiality against both external hackers and internal threats. My implementation of Client-Side Field-Level Encryption ensures that the data remains secure throughout its entire lifecycle—during transit, in memory, and on disk.