Explicit (Manual) Client-Side Field Level Encryption显式（手动）客户端字段级加密

~~On this page~~本页内容

~~Overview~~概述
~~Enabling Explicit Client-Side Field Level Encryption~~启用显式客户端字段级加密
~~Server-Side Field Level Encryption Enforcement~~服务器端字段级加密强制

Overview概述

MongoDB 4.2+ compatible drivers, mongosh, and the MongoDB 4.2 or later legacy mongo shell support explicitly encrypting or decrypting fields with a specific data encryption key and encryption algorithm.MongoDB 4.2+兼容驱动程序、mongosh和MongoDB 4.2或更高版本的mongo shell支持使用特定数据加密密钥和加密算法对字段进行显式加密或解密。

~~Applications must modify any code associated with constructing read and write operations to include encryption/decryption logic via the driver encryption library.~~ 应用程序必须通过驱动程序加密库修改与构建读写操作相关的任何代码，以包括加密/解密逻辑。~~Applications are responsible for selecting the appropriate data encryption key for encryption/decryption on a per-operation basis.~~应用程序负责根据每个操作选择用于加密/解密的适当数据加密密钥。

mongosh ~~provides the following methods for performing explicit encryption and decryption:~~提供了以下用于执行显式加密和解密的方法：

~~MongoDB 4.2+ compatible drivers have specific syntax for performing explicit client-side field level encryption.~~ MongoDB 4.2+兼容驱动程序具有用于执行显式客户端字段级加密的特定语法。~~See Driver Compatibility Table for a complete list of 4.2+ compatible drivers with support for client-side field level encryption.~~ 有关支持客户端字段级加密的4.2+兼容驱动程序的完整列表，请参阅驱动程序兼容性表。~~Defer to the documentation for your preferred driver for specific instructions on performing client-side field level encryption.~~有关执行客户端字段级加密的具体说明，请参阅首选驱动程序的文档。

~~The following operation issued from mongosh explicitly encrypts the taxid field as part of a write operation.~~mongosh发出的以下操作作为写入操作的一部分显式加密taxid字段。

clientEncryption = encryptedClient.getClientEncryption()
db.getSiblingDB("hr").getCollection("employees").insertOne({
  "name" : "J. Doe",
  "taxid" : clientEncryption.encrypt(
      UUID("64e2d87d-f168-493c-bbdf-a394535a2cb9"),
      "123-45-6789",
      "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
   )
})

~~The following operation issued from mongosh explicitly encrypts the taxid field as part of a read operation:~~mongosh发出的以下操作作为读取操作的一部分显式加密滑行字段：

encrypt = encryptedClient.getClientEncryption()
db.getSiblingDB("hr").getCollection("employees").findOne({
  "taxid" : clientEncryption.encrypt(
     UUID("64e2d87d-f168-493c-bbdf-a394535a2cb9"),
     "123-45-6789",
     "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
   )
})

These operations assumes that the database connection configuration specified a key vault and key management service with access to the specified data encryption key and its associated customer master key.这些操作假定数据库连接配置指定了密钥库和密钥管理服务，可以访问指定的数据加密密钥及其关联的客户主密钥。

For read operations that returns encrypted fields, the driver/shell automatically decrypts the encrypted values only if the driver/shell was configured with access to the keys used to protect those values.对于返回加密字段的读取操作，只有当驱动程序/外壳配置为可以访问用于保护这些值的密钥时，驱动程序/shell才会自动解密加密值。

Enabling Explicit Client-Side Field Level Encryption启用显式客户端字段级加密

~~Each official MongoDB 4.2+ compatible driver introduces new functionality for supporting client-side field level encryption and data encryption key management.~~ 每个官方MongoDB 4.2+兼容驱动程序都引入了支持客户端字段级加密和数据加密密钥管理的新功能。~~Defer to your preferred driver's documentation for language-specific instructions on implementing explicit client-side field level encryption.~~有关实现显式客户端字段级加密的语言特定说明，请参阅首选驱动程序文档。

~~mongosh adds an additional option to the Mongo() method for instantiating a database connection with explicit client-side field level encryption.~~ mongosh为Mongo()方法添加了一个附加选项，用于通过显式客户端字段级加密实例化数据库连接。~~For a complete example, see Connect to a MongoDB Cluster with Client-Side Encryption Enabled.~~有关完整示例，请参阅连接到启用客户端加密的MongoDB群集。

~~Applications must specify the following components when instantiating the database connection to enable explicit client-side field level encryption:~~应用程序在实例化数据库连接时必须指定以下组件以启用显式客户端字段级加密：

~~A key vault of data encryption keys.~~ 数据加密密钥的密钥库。~~The key vault can reside on either a remote MongoDB cluster or the MongoDB cluster storing client-side encrypted data.~~密钥库可以位于远程MongoDB集群或存储客户端加密数据的MongoDB集群上。
A supported Key Management Service (KMS) provider used to manage Customer Master Keys (CMK). MongoDB encrypts all data encryption keys using the specified CMK prior to storing them in the key vault, leaving only metadata unencrypted.用于管理客户主密钥（CMK）的受支持的密钥管理服务（KMS）提供程序。MongoDB使用指定的CMK加密所有数据加密密钥，然后将其存储在密钥库中，只保留未加密的元数据。

~~4.2+ compatible drivers, mongosh, and the MongoDB 4.2 or later legacy mongo shell need access to the KMS to encrypt and decrypt protected fields or to create new data encryption keys.~~4.2+兼容驱动程序、mongosh和MongoDB 4.2或更高版本的mongoshell需要访问KMS来加密和解密受保护的字段或创建新的数据加密密钥。

Server-Side Field Level Encryption Enforcement服务器端字段级加密强制

~~The MongoDB 4.2 server supports using schema validation to enforce encryption of specific fields in a collection.~~ MongoDB 4.2服务器支持使用模式验证来强制加密集合中的特定字段。~~If the collection validation $jsonSchema requires encryption for a field, clients performing explicit (manual) field level encryption mustencrypt that field.~~如果集合验证$jsonSchema需要对字段进行加密，则执行显式（手动）字段级加密的客户端必须对该字段进行加密。

~~For complete documentation on server-side client-side field level encryption enforcement, see Enforce Field Level Encryption Schema.~~有关服务器端客户端字段级加密强制的完整文档，请参阅强制字段级加密模式。

← Appendix Master Key and Data Encryption Key Management →