New in version 4.2.
ClientEncryption.decrypt(encryptedValue)
ClientEncryption.decrypt() decrypts the encryptedValue if the current database connection was configured with access to the Key Management Service (KMS) and key vault used to encrypt encryptedValue.
decrypt() has the following syntax:
clientEncryption = db.getMongo().getClientEncryption()
clientEncryption.decrypt(encryptedValue)
The encryptedValue must be a binary data object with subtype 6 created using client-side field level encryption.
Read operations issued from a database connection configured with access to the correct Key Management Service (KMS) and Key Vault can automatically decrypt field values encrypted using ClientEncryption.encrypt(). Clients only need to use decrypt() to decrypt Binary subtype 6 values not stored within a document field.
The mongo client-side field level encryption methods require a database connection with client-side field level encryption enabled. If the current database connection was not initiated with client-side field level encryption enabled, either:
Use the Mongo() constructor from the mongo shell to establish a connection with the required client-side field level encryption options. The Mongo() method supports the following Key Management Service (KMS) providers for Customer Master Key (CMK) management:
or
Use the mongo shell command line options to establish a connection with the required options.
The following example uses a locally managed KMS for the client-side field level encryption configuration.
Configuring client-side field level encryption for a locally managed key requires specifying a base64-encoded 96-byte string with no line breaks. The following operation generates a key that meets the stated requirements and loads it into the mongo shell:
TEST_LOCAL_KEY=$(echo "$(head -c 96 /dev/urandom | base64 | tr -d '\n')")
mongosh --nodb --shell --eval "var TEST_LOCAL_KEY='$TEST_LOCAL_KEY'"
Create the client-side field level encryption object using the generated local key string:
var ClientSideFieldLevelEncryptionOptions = {
  "keyVaultNamespace" : "encryption.__dataKeys",
  "kmsProviders" : {
    "local" : {
      "key" : BinData(0, TEST_LOCAL_KEY)
    }
  }
}
Use the Mongo() constructor to create a database connection with the client-side field level encryption options. Replace the mongodb://myMongo.example.net URI with the connection string URI of the target cluster.
encryptedClient = Mongo(
"mongodb://myMongo.example.net:27017/?replSetName=myMongo",
ClientSideFieldLevelEncryptionOptions
)
Retrieve the ClientEncryption object and use the ClientEncryption.decrypt() method to decrypt a value encrypted by ClientEncryption.encrypt().
clientEncryption = encryptedClient.getClientEncryption();
clientEncryption.decrypt(BinData(6,"AmTi2H3xaEk8u9+jlFNaLLkC3Q/+kmwDbbWrq+h9nuv9W+u7A5a0UnpULBNZH+Q21fAztPpU09wpKPrju9dKfpN1Afpj1/ZhFcH6LYZOWSBBOAuUNjPLxMNSYOOuITuuYWo="))
If successful, decrypt() returns the decrypted value:
"123-45-6789"
For complete documentation on initiating MongoDB connections with client-side field level encryption enabled, see Mongo().
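decrypt() only succeeds when the connection can reach the data encryption key that produced the value, so it helps to see which key a given subtype 6 value names. The following added example (not part of the original documentation) reads the header of the sample value passed to decrypt() above; the byte layout is taken from MongoDB's client-side encryption specification rather than from this page, the name inspectEncryptedValue is hypothetical, and only the deterministic and random blob types are handled.

```javascript
// Added example. Header layout of a subtype 6 payload, per MongoDB's
// client-side encryption specification (not stated on this page):
//   byte 0      blob subtype: 1 = deterministic, 2 = random
//   bytes 1-16  UUID of the data encryption key (its _id in the key vault)
//   byte 17     BSON type of the original plaintext value
//   bytes 18+   ciphertext
const ALGORITHMS = { 1: "deterministic", 2: "random" };
const HEADER_LEN = 18;

// Hypothetical helper: takes the base64 string given to BinData(6, ...).
function inspectEncryptedValue(base64Payload) {
  const looksLikeBase64 = /^[A-Za-z0-9+/]+={0,2}$/.test(base64Payload);
  if (!looksLikeBase64 || base64Payload.length % 4 !== 0) {
    throw new Error("payload is not single-line base64");
  }
  const buf = Buffer.from(base64Payload, "base64");
  if (buf.length <= HEADER_LEN) {
    throw new Error("payload too short to be an encrypted value");
  }
  const algorithm = ALGORITHMS[buf[0]];
  if (!algorithm) {
    throw new Error("blob subtype " + buf[0] + " is not handled by this helper");
  }
  // Render the 16 key-id bytes in the usual 8-4-4-4-12 UUID form.
  const hex = buf.subarray(1, 17).toString("hex");
  const keyId = [hex.slice(0, 8), hex.slice(8, 12), hex.slice(12, 16),
                 hex.slice(16, 20), hex.slice(20)].join("-");
  return {
    algorithm,                                  // "deterministic" or "random"
    keyId,                                      // data key the value needs
    originalBsonType: buf[17],                  // 2 means BSON string
    ciphertextLength: buf.length - HEADER_LEN,  // bytes after the header
  };
}

// The value from the decrypt() call on this page.
const SAMPLE =
  "AmTi2H3xaEk8u9+jlFNaLLkC3Q/+kmwDbbWrq+h9nuv9W+u7A5a0UnpULBNZH+Q21fAz" +
  "tPpU09wpKPrju9dKfpN1Afpj1/ZhFcH6LYZOWSBBOAuUNjPLxMNSYOOuITuuYWo=";

console.log(inspectEncryptedValue(SAMPLE));
```

The returned keyId can be compared with the _id values in the key vault collection (encryption.__dataKeys in the example above) to confirm that the connection has access to the right key.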