Automatic Client-Side Field Level Encryption


Note
Enterprise Feature

Automatic field level encryption is only available in MongoDB Enterprise 4.2 or later and on MongoDB Atlas 4.2 or later clusters.

Overview

Official MongoDB 4.2+ compatible drivers, mongosh, and the MongoDB 4.2 or later legacy mongo shell support automatically encrypting fields in read and write operations. For a complete list of official 4.2+ compatible drivers with support for client-side field level encryption, see Driver Compatibility Table.

Applications must create a database connection object (e.g. MongoClient) with the automatic encryption configuration settings. The configuration settings must include automatic encryption rules, expressed in a strict subset of the JSON Schema Draft 4 standard syntax plus encryption-specific schema keywords. Applications do not have to modify the code that constructs read and write operations. See Automatic Encryption Rules for complete documentation on automatic encryption rules.

The official MongoDB 4.2+ compatible drivers, mongosh, and the MongoDB 4.2 or later legacy mongo shell use the Enterprise-only mongocryptd process to parse the automatic encryption rules and apply them when reading or writing documents:

  • For write operations, the driver/shell encrypts field values prior to writing to the MongoDB database.
  • For read operations, the driver/shell encrypts the field values in the query prior to issuing the read operation, so the server compares ciphertext with ciphertext. This only works for deterministically encrypted fields; queries on randomly encrypted fields are not supported.
  • For read operations that return encrypted fields, the driver/shell automatically decrypts the encrypted values only if the driver/shell was configured with access to the keys used to protect those values.

Enabling Automatic Client-Side Field Level Encryption

Each official MongoDB 4.2+ compatible driver introduces new functionality for supporting automatic encryption and data encryption key management. Defer to your preferred driver's documentation for language-specific instructions on implementing automatic client-side field level encryption.

mongosh adds an additional option to the Mongo() method for instantiating a database connection with automatic client-side field level encryption. For a complete example, see Connect to a MongoDB Cluster with Automatic Client-Side Encryption Enabled.

Automatic client-side field level encryption requires access to the mongocryptd process on the client host machine. See mongocryptd for complete documentation on installation. The official MongoDB 4.2+ compatible drivers have additional options for managing the mongocryptd process. Generally, the 4.2+ compatible drivers and mongosh can access the mongocryptd process if it is in the system PATH.

Applications must specify the following components when instantiating the database connection to enable automatic client-side field level encryption:

  • A key vault of data encryption keys. The key vault can reside on either a remote MongoDB cluster or the MongoDB cluster storing client-side encrypted data.
  • A supported Key Management Service (KMS) provider used to manage Customer Master Keys (CMK). MongoDB encrypts all data encryption keys using the specified CMK prior to storing them in the key vault, leaving only metadata unencrypted.

    4.2+ compatible drivers, mongosh, and the MongoDB 4.2 or later legacy mongo shell need access to the KMS to encrypt and decrypt protected fields or to create new data encryption keys.

  • Per-field automatic encryption rules using JSON schema syntax.

Server-Side Field Level Encryption Enforcement

Starting in MongoDB 4.2, the server supports using schema validation to enforce encryption of specific fields in a collection. Clients performing automatic client-side field level encryption have specific behavior depending on the database connection configuration:

  • If the connection's ClientSideFieldLevelEncryptionOptions.schemaMap object contains a key for the specified collection, the client uses that object to perform automatic field level encryption and ignores the remote schema. At minimum, the local rules must encrypt those fields that the remote schema marks as requiring encryption; otherwise the server's schema validation rejects writes that carry plaintext in those fields.
  • If the connection's ClientSideFieldLevelEncryptionOptions.schemaMap object does not contain a key for the specified collection, the client downloads the server-side remote schema for the collection and uses it to perform automatic field level encryption.

    This configuration requires the client to trust that the server has a valid schema with respect to automatic field level encryption. A server that is misconfigured or compromised could serve a schema without encryption rules, and the client would then write plaintext; applications that must guarantee encryption regardless of server state should pin their rules locally in schemaMap. The client only uses the remote schema to perform automatic field level encryption and does not enforce any other validation rules specified in the schema.

For complete documentation on server-side enforcement of client-side field level encryption, see Enforce Field Level Encryption Schema.
