DOCSP-38147 "Choosing an In Use Encryption Approach" crypto team review backport v7.2 (#7427)

* Merge fixes

* Backing out restructure specific links

* Backing out restructure specific links

* Whitespace reverts

* Typo

* ref fix

Author: nvillahermosa-mdb

source/core/csfle.txt

@@ -29,6 +29,17 @@ You can set up {+csfle-abbrev+} using the following mechanisms:
   specify the logic for encryption with this library throughout your
   application.
 
+Considerations
+--------------
+
+When implementing an application that uses {+csfle+}, consider the points listed in :ref:`Security Considerations <csfle-security-considerations>`.
+
+For limitations, see :ref:`{+csfle-abbrev+} limitations
+<csfle-reference-encryption-limits>`.
+
+Compatibility
+~~~~~~~~~~~~~
+
 The following table shows which MongoDB server products support which {+csfle-abbrev+}
 mechanisms:
 

source/core/csfle/features.txt

@@ -56,6 +56,34 @@ read and write the encrypted data fields.
    To learn more about why you should use a remote KMS, see
    :ref:`csfle-reasons-to-use-remote-kms`.
 
+.. _csfle-security-considerations:
+
+Security Considerations
+-----------------------
+
+* {+csfle-abbrev+} doesn't provide any cryptographic integrity
+  guarantees against adversaries with access to your {+cmk-long+} or
+  {+dek-long+}s.
+  
+* {+csfle-abbrev+} doesn't provide any cryptographic integrity
+  guarantees against adversaries with arbitrary write access to collections
+  containing encrypted data.
+ 
+* MongoDB uses :ref:`schema validation <schema-validation-overview>` to enforce
+  encryption of specific fields in a collection. Without a client-side schema,
+  the client downloads the server-side schema for the collection to determine 
+  which fields to encrypt. To avoid this issue, use client-side schema validation.
+  
+  Because {+csfle-abbrev+} doesn't provide a mechanism to verify
+  the integrity of a schema, relying on a server-side schema means
+  trusting that the server's schema has not been tampered with. If an adversary
+  compromises the server, they can modify the schema so that a previously
+  encrypted field is no longer labeled for encryption. This causes the client 
+  to send plaintext values for that field.
+
+  For an example of {+csfle-abbrev+} configuration for client and server-side
+  schemas, see :ref:`CSFLE Server-Side Field Level Encryption Enforcement <field-level-encryption-automatic-remote-schema>`.
+
 .. _csfle-feature-comparison:
 
 Other Security Mechanisms
@@ -124,7 +152,7 @@ Comparison of Features
 The following diagram lists security features MongoDB supports
 and the potential security vulnerabilities that they address:
 
-.. image:: /images/CSFLE_Security_Feature_Chart.png
+.. image:: /images/QE_Security_Feature_Chart.png
    :alt: Diagram that describes MongoDB security features and the potential vulnerabilities that they address
 
 .. important:: Use the Mechanisms Together

source/core/csfle/reference/limitations.txt

@@ -1,3 +1,6 @@
+.. meta::
+   :keywords: CSFLE, in-use encryption, security, supported operations
+
 .. _csfle-reference-encryption-limits:
 
 =================
@@ -12,6 +15,13 @@ CSFLE Limitations
    :depth: 1
    :class: singlecol
 
+Overview
+--------
+Consider these limitations and restrictions before you enable {+csfle-abbrev+}.
+Some operations are unsupported, and others behave differently.
+
+For compatibility limitations, see :ref:`<csfle-compatibility-reference>`.
+
 Read and Write Operation Support
 --------------------------------
 

source/core/queryable-encryption.txt

@@ -49,6 +49,12 @@ You can set up {+qe+} using the following mechanisms:
 Considerations
 --------------
 
+When implementing an application that uses {+qe+}, consider the points listed
+in :ref:`Security Considerations <qe-security-considerations>`.
+
+For other limitations, see :ref:`{+qe+} limitations
+<qe-reference-encryption-limits>`.
+
 Compatibility
 ~~~~~~~~~~~~~
 

source/core/queryable-encryption/features.txt

@@ -37,6 +37,34 @@ that can use :ref:`Deterministic Encryption <csfle-deterministic-encryption>`,
 These schemes produce different encrypted output values even when given
 the same cleartext input.
 
+.. _qe-security-considerations:
+
+Security Considerations
+-----------------------
+
+* {+qe+} doesn't provide any cryptographic integrity
+  guarantees against adversaries with access to your {+cmk-long+} or
+  {+dek-long+}s.
+  
+* {+qe+} doesn't provide any cryptographic integrity
+  guarantees against adversaries with arbitrary write access to collections
+  containing encrypted data.
+ 
+* MongoDB uses :ref:`schema validation <schema-validation-overview>` to enforce
+  encryption of specific fields in a collection. Without a client-side schema,
+  the client downloads the server-side schema for the collection to determine 
+  which fields to encrypt. To avoid this issue, use client-side schema validation.
+  
+  Because {+qe+} doesn't provide a mechanism to verify
+  the integrity of a schema, relying on a server-side schema means
+  trusting that the server's schema has not been tampered with. If an adversary
+  compromises the server, they can modify the schema so that a previously
+  encrypted field is no longer labeled for encryption. This causes the client 
+  to send plaintext values for that field.
+
+  For an example of configuration for client and server-side
+  schemas, see the {+csfle-abbrev+} example at :ref:`CSFLE Server-Side Field Level Encryption Enforcement <field-level-encryption-automatic-remote-schema>`.
+
 How {+qe+} Works
 ------------------------------
 

source/core/queryable-encryption/reference/limitations.txt

@@ -1,3 +1,6 @@
+.. meta::
+   :keywords: Queryable Encryption, in-use encryption, security, contention, redaction, topology support, supported operations
+
 .. _qe-reference-encryption-limits:
 
 ===========