Encrypt Fields
Overview
You can encrypt fields in a document using a set of features called in-use encryption.
In-use encryption enables your client applications to encrypt data before sending it to MongoDB, and to query documents with encrypted fields.
Because the driver encrypts the data before sending it to MongoDB, only your configured client applications can decrypt the data. Only applications that use the driver and have access to your encryption keys can access the decrypted, plaintext data. If an attacker gains unauthorized access to your database, they can see only the encrypted, ciphertext data.
In-use encryption can help prevent exposure of the following sensitive types of data:
- Credit card numbers
- Addresses
- Health information
- Financial information
- Any other sensitive or personally identifiable information (PII)
MongoDB offers the following ways to encrypt fields:
Queryable Encryption
Queryable Encryption is the next-generation in-use encryption feature, introduced in MongoDB Server version 6.0 and available as a public preview. Queryable Encryption supports searching encrypted fields for equality and encrypts each value uniquely.
The MongoDB manual contains detailed information on the following Queryable Encryption topics:
- To get started, see the Queryable Encryption Quick Start.
- To learn how to use Queryable Encryption, see the Queryable Encryption Fundamentals.
- To learn how to integrate your implementation with a Key Management System, see the Queryable Encryption Tutorials.
- To learn Queryable Encryption concepts, see the Queryable Encryption Reference.
Client-side Field Level Encryption
Client-side Field Level Encryption (CSFLE) was introduced in MongoDB Server version 4.2 and supports searching encrypted fields for equality. CSFLE differs from Queryable Encryption in that the encrypted fields you want to search must be deterministically encrypted. When you deterministically encrypt a value, the same input value produces the same output value. While deterministic encryption provides greater support for read operations, encrypted data with low cardinality is susceptible to recovery using frequency analysis.
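The frequency leak described above, shown as an added example that is not MongoDB's code: a toy model in which an HMAC stands in for deterministic encryption and a nonce-prefixed HMAC stands in for randomized encryption, so only the "same input, same output" property is modelled. The key, the sample records, the function names and the 0.9 threshold are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed key and records, for illustration only.
KEY = bytes(range(32))
RECORDS = ["O+"] * 6 + ["A+"] * 3 + ["AB-"]  # low-cardinality field (blood type)


def toy_deterministic(key, value):
    """Model of deterministic encryption: same input gives the same token.
    HMAC is not a cipher and is not the algorithm the MongoDB driver uses."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def toy_randomized(key, value):
    """Model of randomized encryption: a fresh nonce makes every token unique."""
    nonce = os.urandom(16)
    tag = hmac.new(key, nonce + value.encode(), hashlib.sha256).hexdigest()
    return nonce.hex() + tag


def count_profile(items):
    """Sorted repeat counts: all that a reader of the stored column can observe."""
    return sorted(Counter(items).values(), reverse=True)


def leaks_distribution(values, encrypt, key=KEY):
    """True if ciphertext repeat counts equal the plaintext repeat counts."""
    tokens = [encrypt(key, v) for v in values]
    return count_profile(tokens) == count_profile(values)


def safe_for_deterministic(values, min_distinct_ratio=0.9):
    """Hypothetical pre-deployment check: reject fields whose values repeat often."""
    return len(set(values)) / len(values) >= min_distinct_ratio


if __name__ == "__main__":
    print("plaintext repeat counts:", count_profile(RECORDS))
    print("deterministic leaks:", leaks_distribution(RECORDS, toy_deterministic))
    print("randomized leaks:", leaks_distribution(RECORDS, toy_randomized))
    print("field suitable for deterministic:", safe_for_deterministic(RECORDS))
```

Running a check like `safe_for_deterministic` over a sample of real field values before choosing the deterministic algorithm shows which fields should stay randomized or be left unqueried.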
The MongoDB manual contains detailed information on the following CSFLE topics:
- To get started, see the CSFLE Quick Start.
- To learn how to use CSFLE, see the CSFLE Fundamentals.
- To learn how to integrate your CSFLE implementation with a Key Management System, see the CSFLE Tutorials.
- To learn CSFLE concepts, see the CSFLE Reference.