Stay organized with collections
Save and categorize content based on your preferences.
Cloud Firestore with MongoDB compatibility automatically encrypts all data before it is written to disk.
There is no setup or configuration required and no need to modify the way you
access the service. The data is automatically and transparently decrypted when
read by an authorized user.
Key management
With server-side encryption, you can either let Google manage cryptographic
keys on your behalf or use customer-managed encryption keys (CMEK) to manage
the keys yourself.
By default, Google manages cryptographic keys on your behalf using the same
hardened key management systems that we use for our own encrypted data,
including strict key access controls and auditing. Each
Cloud Firestore with MongoDB compatibility object's data and metadata is
encrypted and each encryption key is itself encrypted
with a regularly rotated set of master keys.
Server-side encryption can be used in combination with client-side encryption.
In client-side encryption, you manage your own encryption keys and encrypt data
before writing it to Cloud Firestore with MongoDB compatibility. In this case, your data is
encrypted twice, once with your keys and once with the server-side keys.
To protect your data as it travels over the Internet during read and write
operations, we use Transport Layer Security (TLS). For more information about
the supported TLS versions, see
Encryption in transit in Google Cloud.
What's next
For more information about encryption at rest for Cloud Firestore with MongoDB compatibility and
other Google Cloud products, see
Encryption at Rest in Google Cloud.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[],[],null,["\u003cbr /\u003e\n\nCloud Firestore with MongoDB compatibility automatically encrypts all data before it is written to disk.\nThere is no setup or configuration required and no need to modify the way you\naccess the service. The data is automatically and transparently decrypted when\nread by an authorized user.\n\nKey management\n\nWith server-side encryption, you can either let Google manage cryptographic\nkeys on your behalf or use customer-managed encryption keys (CMEK) to manage\nthe keys yourself.\n\nBy default, Google manages cryptographic keys on your behalf using the same\nhardened key management systems that we use for our own encrypted data,\nincluding strict key access controls and auditing. Each\nCloud Firestore with MongoDB compatibility object's data and metadata is\n[encrypted](https://cloud.google.com/docs/security/encryption/default-encryption) and each encryption key is itself encrypted\nwith a regularly rotated set of master keys.\n\nFor information about managing keys yourself, see\n[CMEK for Cloud Firestore with MongoDB compatibility](/docs/firestore/enterprise/cmek).\n\nClient-side encryption\n\nServer-side encryption can be used in combination with client-side encryption.\nIn client-side encryption, you manage your own encryption keys and encrypt data\nbefore writing it to Cloud Firestore with MongoDB compatibility. In this case, your data is\nencrypted twice, once with your keys and once with the server-side keys.\n| **Warning:** Cloud Firestore with MongoDB compatibility does not know if your data has already been encrypted client-side, nor does Cloud Firestore with MongoDB compatibility have any knowledge of your client-side encryption keys. If you use client-side encryption, you must securely manage your encryption keys.\n\nTo protect your data as it travels over the Internet during read and write\noperations, we use Transport Layer Security (TLS). For more information about\nthe supported TLS versions, see\n[Encryption in transit in Google Cloud](https://cloud.google.com/docs/security/encryption-in-transit#user_to_google_front_end_encryption).\n\nWhat's next\n\nFor more information about encryption at rest for Cloud Firestore with MongoDB compatibility and\nother Google Cloud products, see\n[Encryption at Rest in Google Cloud](https://cloud.google.com/docs/security/encryption/default-encryption)."]]
