New in version 4.2.

Client-side field level encryption requires a Key Management Service (KMS) for accessing a Customer Master Key (CMK). MongoDB automatically encrypts data encryption keys using the specified CMK during data encryption key creation.

Deleting the CMK renders all data encryption keys encrypted with that CMK permanently unreadable, which in turn renders all values encrypted with those data encryption keys permanently unreadable.

Client-side field level encryption supports the following KMS providers:

- Amazon Web Services KMS
- Azure Key Vault
- Google Cloud KMS
- Locally managed key
For AWS KMS support, use mongosh, or the MongoDB 4.2.2 or later legacy mongo shell. The 4.2.0 and 4.2.1 legacy mongo shell do not support the AWS KMS service due to an unexpected change in the KMS response object. See SERVER-44721 for more information.
MongoDB client-side encryption supports using the Amazon Web Services Key Management Service for encrypting and decrypting data encryption keys. Specifically, MongoDB securely transmits the data encryption key to AWS KMS for encrypting or decrypting using the specified Customer Master Key (CMK). The CMK never leaves the AWS KMS.

mongosh supports two methods for configuring access to an AWS KMS:

- Use the Mongo() constructor to create a database connection with the required AWS KMS configuration options.

Configuring access to an AWS KMS requires at minimum an AWS Access Key and its corresponding Secret Key. The IAM User associated to the Access Key must have at least one policy with the following actions:

- kms:Encrypt
- kms:Decrypt

Consider configuring IAM user roles such that MongoDB has only the access to the actions and resources required to function.

For example, the following policy JSON scopes the required actions to a single CMK:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt"
      ],
      "Resource": "arn:aws:kms:region:account:key/12a345b6-cd7e-8f9g-0h1i-jk23l45mn6o7"
    }
  ]
}
```

For complete documentation on data encryption key management using AWS KMS, see Manage Data Encryption Keys and select the "Amazon Web Services KMS" tab.
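As an added example (not from the MongoDB docs), the following Node.js function audits a KMS policy document like the one above: it flags any Allow statement that grants more than kms:Encrypt and kms:Decrypt, or that names anything other than a single CMK key ARN. The `scopedPolicy` object is the page's policy; `broadPolicy` is a constructed over-permissive contrast.

```javascript
// Least-privilege audit for the IAM policy attached to the Access Key that
// MongoDB uses for AWS KMS: only kms:Encrypt / kms:Decrypt, on one CMK.
const ALLOWED_ACTIONS = new Set(["kms:encrypt", "kms:decrypt"]);
// A single-key ARN: arn:aws:kms:<region>:<account>:key/<key-id>, no wildcards.
const SINGLE_KEY_ARN = /^arn:aws:kms:[^:*]+:[^:*]+:key\/[^*\/]+$/;

function auditKmsPolicy(policy) {
  const findings = [];
  const statements = [].concat(policy.Statement || []);
  for (const st of statements) {
    if (st.Effect !== "Allow") continue; // Deny statements can only narrow access
    const sid = st.Sid || "<no Sid>";
    for (const action of [].concat(st.Action || [])) {
      if (!ALLOWED_ACTIONS.has(String(action).toLowerCase())) {
        findings.push(`${sid}: action beyond Encrypt/Decrypt: ${action}`);
      }
    }
    for (const resource of [].concat(st.Resource || [])) {
      if (!SINGLE_KEY_ARN.test(String(resource))) {
        findings.push(`${sid}: resource is not a single CMK key ARN: ${resource}`);
      }
    }
  }
  return findings; // empty array: the policy is scoped as the page recommends
}

// The policy JSON from the page, scoped to one CMK.
const scopedPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Sid: "VisualEditor0",
    Effect: "Allow",
    Action: ["kms:Decrypt", "kms:Encrypt"],
    Resource: "arn:aws:kms:region:account:key/12a345b6-cd7e-8f9g-0h1i-jk23l45mn6o7",
  }],
};

// Constructed contrast: wildcard action and resource, which the audit rejects.
const broadPolicy = {
  Version: "2012-10-17",
  Statement: [{ Sid: "TooBroad", Effect: "Allow", Action: "kms:*", Resource: "*" }],
};

console.log(auditKmsPolicy(scopedPolicy)); // []
console.log(auditKmsPolicy(broadPolicy));  // two findings
```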
MongoDB client-side encryption supports using the Azure Key Vault Key Management Service for encrypting and decrypting data encryption keys. Specifically, MongoDB securely transmits the data encryption key to Azure Key Vault for encrypting or decrypting using the specified Customer Master Key (CMK). The CMK never leaves the Azure Key Vault.

mongosh supports specifying Azure Key Vault as a KMS using the Mongo() constructor with the KMS configuration options.

Configuring access to Azure Key Vault requires at minimum an Azure Tenant ID, Client ID, and Client Secret. The Tenant ID must have the ability to perform the following actions:

- wrap key
- unwrap key

MongoDB does not support Azure's client certificate authentication (also known as TLS mutual authentication).

For complete documentation on data encryption key management using Azure Key Vault, see Manage Data Encryption Keys and select the "Azure Key Vault" tab.
MongoDB client-side encryption supports using the Google Cloud KMS for encrypting and decrypting data encryption keys. Specifically, MongoDB securely transmits the data encryption key to Google Cloud KMS for encrypting or decrypting using the specified Customer Master Key (CMK). The CMK never leaves the Google Cloud KMS.

mongosh supports specifying Google Cloud KMS as a KMS using the Mongo() constructor with the KMS configuration options.

Configuring access to Google Cloud KMS requires at minimum a Google Cloud Email and associated Private Key. The Google Cloud Email account must have the following IAM permissions for the specified Private Key:

- cloudkms.cryptoKeyVersions.useToEncrypt
- cloudkms.cryptoKeyVersions.useToDecrypt

These IAM permissions are included in certain Google Cloud predefined roles or can be included in a Google Cloud custom role.

For complete documentation on data encryption key management using Google Cloud KMS, see Manage Data Encryption Keys and select the "Google Cloud KMS" tab.
mongosh supports specifying a locally managed key as a KMS using the Mongo() constructor. The local key must be a 96-byte long string.

For complete documentation on data encryption key management using a locally managed key, see Manage Data Encryption Keys and select the "Local Keyfile" tab.
The key vault is a collection that stores data encryption keys for use with client-side field level encryption. Data encryption keys are encrypted using a Customer Master Key (CMK) managed through a supported Key Management System (KMS).

mongosh provides helper methods for data encryption key management, such as KeyVault.createKey().

Applications with read access to the key vault collection can retrieve data encryption keys by querying the collection. However, only applications with access to the CMK used to encrypt a data encryption key can use that key for encryption or decryption.

By default MongoDB stores the key vault collection on the connected cluster. MongoDB also supports specifying a remote cluster as the key vault. Applications must have access to both the remote key vault cluster and the connection cluster to perform client-side field level encryption operations.
Data encryption keys have the following structure:

```javascript
{
  "_id" : UUID("<string>"),
  "keyMaterial" : BinData(0, "<encrypted binary data string>"),
  "creationDate" : ISODate("2019-08-20T15:45:02.575Z"),
  "updateDate" : ISODate("2019-08-20T15:45:02.575Z"),
  "status" : <int>,
  "version" : NumberLong(0),
  "masterKey" : {
    "provider" : "<string>",
    "key" : "<string>",
    "region" : "<string>",
    "endpoint" : "<string>"
  },
  "keyAltNames" : [ "<string>" ]
}
```

Client-side field level encryption depends on uniqueness of keyAltNames values. The mongosh KeyVault.createKey() method creates a unique index on keyAltNames if one does not exist. Applications can use the listIndexes command against the key vault collection to check if the unique index exists. If the unique index does not exist, applications must create it prior to performing data encryption key management.
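As an added example (not from the MongoDB docs), the following Node.js helper takes the index documents that listIndexes returns for the key vault collection, reports whether the unique keyAltNames index exists, and returns the createIndex arguments when it does not. The two index listings are constructed samples; the partialFilterExpression mirrors the index the driver's createKey() creates, which is an assumption to confirm for your driver.

```javascript
// Index that KeyVault.createKey() creates when missing: unique on keyAltNames,
// partial so that keys with no keyAltNames field do not collide on null.
// (Assumption: mirrors the driver's definition; confirm for your version.)
const KEY_ALT_NAMES_INDEX = {
  keys: { keyAltNames: 1 },
  options: { unique: true, partialFilterExpression: { keyAltNames: { $exists: true } } },
};

// Find an index whose only key is keyAltNames, as returned by listIndexes.
function findKeyAltNamesIndex(indexes) {
  return indexes.find((ix) => {
    const fields = Object.keys(ix.key || {});
    return fields.length === 1 && fields[0] === "keyAltNames";
  });
}

// Returns { ok, create, warning }: ok when a unique index exists; create holds
// the createIndex arguments to run when it does not.
function keyVaultIndexPlan(indexes) {
  const ix = findKeyAltNamesIndex(indexes);
  if (!ix || ix.unique !== true) {
    return { ok: false, create: KEY_ALT_NAMES_INDEX, warning: null };
  }
  // A non-partial unique index treats a missing field as null, so only one
  // key document without keyAltNames could ever be inserted.
  const warning = ix.partialFilterExpression
    ? null
    : "unique index on keyAltNames is not partial: a second key without keyAltNames will be rejected";
  return { ok: true, create: null, warning };
}

// Constructed samples of listIndexes output: a fresh vault (only _id) and one
// where KeyVault.createKey() has already run.
const freshVault = [{ v: 2, key: { _id: 1 }, name: "_id_" }];
const readyVault = [
  { v: 2, key: { _id: 1 }, name: "_id_" },
  { v: 2, key: { keyAltNames: 1 }, name: "keyAltNames_1", unique: true,
    partialFilterExpression: { keyAltNames: { $exists: true } } },
];

console.log(keyVaultIndexPlan(freshVault).ok); // false: run createIndex with KEY_ALT_NAMES_INDEX
console.log(keyVaultIndexPlan(readyVault).ok); // true
```

In mongosh the input array comes from db.getCollection("<key vault collection>").getIndexes(), which wraps listIndexes; the collection name is whatever your keyVaultNamespace names.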
For complete documentation on data encryption key management, see Manage Data Encryption Keys.