MongoDB Queryable Encryption Expands Search Power
Today, MongoDB is expanding the power of Queryable Encryption by introducing support for prefix, suffix, and substring queries. Now in public preview, these capabilities extend the technology beyond equality and range queries, unlocking broader use cases for secure, expressive search on encrypted data.
Developed by the MongoDB Cryptography Research Group, Queryable Encryption is a groundbreaking, industry-first in-use encryption technology. It enables customers to encrypt sensitive application data, store it in encrypted form in the MongoDB database, and perform expressive queries directly on that encrypted data.
This release provides organizations with the tools to perform flexible text searches on encrypted data, such as matching partial names, keywords, or identifiers, without ever exposing the underlying information. This helps strengthen data protection, simplify compliance, and remove the need for complex workarounds such as external search indexes, all without any changes to the application code.
With support for prefix, suffix, and substring queries, Queryable Encryption enables organizations to protect sensitive data throughout its lifecycle: at rest, in transit, and in use. As a result, teams can build secure, privacy-preserving applications without compromising functionality or performance. Queryable Encryption is available at no additional cost in MongoDB Atlas, Enterprise Advanced, and Community Edition.
Encryption: Securing data across its lifecycle
Many organizations must store and search sensitive data, such as personally identifiable information (PII) like names, Social Security numbers, or medical details, to power their applications. Implementing this securely presents real challenges. Encrypting data at rest and in transit is widely adopted and table stakes. However, encrypting data while it is actively being used, known as encryption in use, has historically been much harder to realize.
The dilemma is that traditional encryption makes data unreadable, preventing databases from running queries without first decrypting it. For instance, a healthcare provider may need to find all patients with diagnoses that include the word “diabetes.” However, without decrypting the medical records, the database cannot search for that term.
To work around this, many organizations either leave sensitive fields unencrypted or use complex and less secure workarounds, such as building separate search indexes. Both approaches add operational overhead and increase the risk of unauthorized access. They also make it harder to comply with regulations like the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI-DSS), or General Data Protection Regulation (GDPR), where violations can carry significant fines.
To fully protect sensitive data and meet compliance requirements, organizations need the ability to encrypt data in use, in transit, and at rest without compromising operational efficiency.
Building secure applications with fewer tradeoffs
MongoDB Queryable Encryption solves this quandary. It protects sensitive data while eliminating the tradeoff between security and development velocity. Organizations can encrypt sensitive data, such as personally identifiable information (PII) or protected health information (PHI), while still running queries directly on that data without exposing it to the database server.
With support for prefix, suffix, and substring queries (in public preview), Queryable Encryption enables MongoDB applications to encrypt sensitive fields such as names, email addresses, notes, and ID numbers while still performing native partial-match searches on encrypted data. This eliminates the impasse between protecting sensitive information and enabling essential application functionality.
For business leaders, Queryable Encryption strengthens data protection, supports compliance requirements, and reduces the risk of data exposure. This helps safeguard reputation, avoid costly fines, and eliminate the need for complex third-party solutions. For developers, advanced encrypted search is built directly into MongoDB’s query language. This eliminates the need for code changes, external indexes, or client-side workarounds while simplifying architectures and reducing overhead.
Some examples of what organizations can now achieve:
- PII Search for compliance and usability: Regulations such as GDPR and HIPAA mandate strict privacy of personal information. With prefix queries, teams can retrieve users by last name or email prefix while ensuring the underlying data remains encrypted. This makes compliance easier without reducing search functionality.
- Keyword filtering in support workflows: Customer service notes often contain sensitive details in free-text fields. With substring query support, teams can search encrypted notes for specific keywords, e.g. “refund,” “escalation,” or “urgent,” without exposing the contents of those notes.
- Secure ID validation: Identity workflows often rely on partial identifiers such as the last digits of a Social Security Number in the U.S., a National Insurance Number in the UK, or an Aadhaar Number in India. Suffix queries enable these lookups on encrypted fields without revealing full values. This reduces the risk of data leaks in regulated environments.
- Case management for public agencies: Case numbers and reference IDs in public sector applications often follow structured formats. Now agencies can securely retrieve records using a prefix query based on region- or office-based prefixes, e.g. “NYC-” or “EUR-”, without exposing sensitive case metadata.
Note: This functionality is in public preview. Therefore, MongoDB recommends that these new Queryable Encryption features not be used for production workloads until they are generally available in 2026. MongoDB wants to build and improve Queryable Encryption with customer needs and use cases in mind. As General Availability approaches, customers are encouraged to contact their account team or share feedback through the MongoDB Feedback Engine.
Robust data protection at every stage
MongoDB offers unmatched protection for sensitive data throughout its entire lifecycle with Queryable Encryption. This includes data in transit, at rest, or in use. With the addition of prefix, suffix, and substring query support, Queryable Encryption meets even more of the demands of modern applications, unlocking new use cases.