Overview
You can use the Node.js driver to encrypt specific document fields by using a set of features called in-use encryption. In-use encryption allows your application to encrypt data before sending it to MongoDB and to query documents that contain encrypted fields.
Warning
MongoDB 8.2 Known Issue
Version 8.2.0 of mongocryptd might not run on Windows. This bug affects in-use encryption with the driver if you specify the --logpath NUL argument when starting mongocryptd.
To learn more about this issue and how to resolve it, see Known Issues in the MongoDB 8.2 Release Notes.
In-use encryption prevents unauthorized users from viewing plaintext data as it is sent to MongoDB or while it is at rest in the database. To enable in-use encryption in an application and authorize it to decrypt data, you must create encryption keys that only your application can access. Only applications that have access to your encryption keys can access the decrypted, plaintext data. If an attacker gains access to the database, they can only see the encrypted ciphertext because they lack access to the encryption keys.
You might use in-use encryption to encrypt fields in your MongoDB documents that contain the following types of sensitive data:
Credit card numbers
Addresses
Health information
Financial information
Any other sensitive or personally identifiable information (PII)
MongoDB offers the following features to enable in-use encryption:
Queryable Encryption
Queryable Encryption is the next-generation in-use encryption feature, first introduced as a preview feature in MongoDB Server version 6.0 and as a generally available (GA) feature in MongoDB 7.0. Queryable Encryption supports searching encrypted fields for equality and encrypts each value uniquely.
Important
Preview Feature Incompatible with MongoDB 7.0
The implementation of Queryable Encryption in MongoDB 6.0 is incompatible with the GA version introduced in MongoDB 7.0. The Queryable Encryption preview feature is no longer supported.
To learn more about Queryable Encryption, see Queryable Encryption in the Server manual.
Client-side Field Level Encryption
Client-side Field Level Encryption (CSFLE) was introduced in MongoDB Server version 4.2 and supports searching encrypted fields for equality. CSFLE differs from Queryable Encryption in that you can select either a deterministic or a random encryption algorithm to encrypt fields. When using CSFLE, you can only query encrypted fields that use the deterministic encryption algorithm. Fields encrypted with the random algorithm can still be decrypted, but you cannot perform equality queries on them. When you use Queryable Encryption, you cannot choose the encryption algorithm, but you can query all encrypted fields.
When you deterministically encrypt a value, the same input value always produces the same output value. While deterministic encryption allows you to perform equality queries on those encrypted fields, encrypted data with low cardinality (a field that takes only a few distinct values) is susceptible to frequency analysis: the distribution of ciphertexts mirrors the distribution of plaintexts.
Tip
To learn more about these concepts, see the following Wikipedia entries:
To learn more about CSFLE, see CSFLE in the Server manual.