On this page本页内容
New in version 4.2.在版本4.2中新增。
KeyVault.getKeys()
getKeys() returns all data encryption keys stored in the key vault associated to the database connection.返回存储在与数据库连接关联的密钥库中的所有数据加密密钥。
getKeys() has the following syntax:具有以下语法:
keyVault = db.getMongo().getKeyVault() keyVault.getKeys()
|
The mongo client-side field level encryption methods require a database connection with client-side field level encryption enabled. If the current database connection was not initiated with client-side field level encryption enabled, either:
Use the Mongo() constructor from the mongo shell to establish a connection with the required client-side field level encryption options. The Mongo() method supports the following Key Management Service (KMS) providers for Customer Master Key (CMK) management:
or
mongo shell command line options to establish a connection with the required options. The command line options only support the Amazon Web Services KMS provider for CMK management.The following example uses a locally managed KMS for the client-side field level encryption configuration.以下示例将本地管理的KMS用于客户端字段级加密配置。
Configuring client-side field level encryption for a locally managed key requires specifying a base64-encoded 96-byte string with no line breaks. 为本地管理的密钥配置客户端字段级加密需要指定不带换行符的base64编码的96字节字符串。The following operation generates a key that meets the stated requirements and loads it into the 以下操作生成满足所述要求的密钥并将其加载到mongo shell:mongo shell中:
TEST_LOCAL_KEY=$(echo "$(head -c 96 /dev/urandom | base64 | tr -d '\n')") mongosh --nodb --shell --eval "var TEST_LOCAL_KEY='$TEST_LOCAL_KEY'"
Create the client-side field level encryption object using the generated local key string:
var ClientSideFieldLevelEncryptionOptions = { "keyVaultNamespace" : "encryption.__dataKeys", "kmsProviders" : { "local" : { "key" : BinData(0, TEST_LOCAL_KEY) } } }
Use the Mongo() constructor to create a database connection with the client-side field level encryption options. Replace the mongodb://myMongo.example.net URI with the connection string URI of the target cluster.
encryptedClient = Mongo(
"mongodb://myMongo.example.net:27017/?replSetName=myMongo",
ClientSideFieldLevelEncryptionOptions
)
Retrieve the KeyVault object and use the KeyVault.getKeys() method to retrieve all data encryption keys in the key vault:
keyVault.getKeys()
getKeys() returns all data encryption keys in the key vault, with output similar to the following:返回密钥库中的所有数据加密密钥,输出类似于以下内容:
{
"_id" : UUID("b4b41b33-5c97-412e-a02b-743498346079"),
"keyMaterial" : BinData(0,"PXRsLOAYxhzTS/mFQAI8486da7BwZgqA91UI7NKz/T/AjB0uJZxTvhvmQQsKbCJYsWVS/cp5Rqy/FUX2zZwxJOJmI3rosPhzV0OI5y1cuXhAlLWlj03CnTcOSRzE/YIrsCjMB0/NyiZ7MRWUYzLAEQnE30d947XCiiHIb8a0kt2SD0so8vZvSuP2n0Vtz4NYqnzF0CkhZSWFa2e2yA=="),
"creationDate" : ISODate("2021-03-15T12:21:13.123Z"),
"updateDate" : ISODate("2021-03-15T12:21:13.123Z"),
"status" : 0, "version" : NumberLong(0),
"masterKey" : {
"provider" : "local"
},
"keyAltNames" : [
"alpha"
]
}
{
"_id" : UUID("f1add015-c7ab-49a2-a071-50b0ca0a8fbc"),
"keyMaterial" : BinData(0,"E+0jZKzA4YuE1lGmSVIy2mivqH4JxFo0yFATdxYX/s0YtMFsgVXyu7Bbn4IQ2gn7F/9JAPJFOxdQc5lN3AR+oX33ewVZsd63f3DN1zzcukqdR2Y+EeO7ekRxyRjdzMaNNrBNIv9Gn5LEJgWPSYkG8VczF7cNZnc1YmnR0tuDPNYfm0J7dCZuZUNWW3FCGRcdFx6AlXiCtXKNR97hJ216pQ=="),
"creationDate" : ISODate("2021-03-16T18:22:43.733Z"),
"updateDate" : ISODate("2021-03-16T18:22:43.733Z"),
"status" : 0, "version" : NumberLong(0),
"masterKey" : {
"provider" : "local"
},
"keyAltNames" : [
"baker"
]
}