Automatic Encryption Rules自动加密规则

On this page本页内容

Note注意
Enterprise Feature企业功能

The automatic feature of field level encryption is only available in MongoDB Enterprise 4.2 or later, and MongoDB Atlas 4.2 or later clusters.字段级加密的自动功能仅在MongoDB Enterprise 4.2或更高版本以及MongoDB Atlas 4.2或更晚版本集群中可用。

Automatic client-side field level encryption requires user-specified rules which identify which fields must be encrypted and how to encrypt those fields. 自动客户端字段级加密需要用户指定的规则来标识哪些字段必须加密以及如何加密这些字段。Applications must specify the automatic encryption rules using a strict subset of the JSON Schema Draft 4 standard syntax and the following encryption-specific keywords:应用程序必须使用JSON Schema Draft 4标准语法的严格子集和以下加密特定关键字指定自动加密规则:

Consider a MongoDB database where the employees collection in the hr database contains documents which resemble the following:考虑MongoDB数据库,其中hr数据库中的employees集合包含如下文档:

{
  "fname" : "Jo",
  "lname" : "Doe",
  "taxid" : "123-45-6789",
  "taxid-short" : "6789"
}

The taxid and taxid-short fields contain personally identifiable information (PII) that must be protected from unauthorized viewing on both the client and the server. taxidtaxid-short字段包含个人识别信息(PII),必须防止在客户端和服务器上未经授权的查看。The following automatic encryption rules for the hr.employees collection mark the taxid and taxid-short fields for automatic client-side field level encryption. 以下hr.eemployees集合的自动加密规则将taxidtaxid-short字段标记为自动客户端字段级加密。Official MongoDB 4.2+ compatible drivers, mongosh, and the 4.2 or later legacy mongo shell configured with these rules automatically encrypt the taxid and taxid-short fields for write or read operations to the hr.employees collection.官方MongoDB 4.2+兼容驱动程序mongosh以及配置了这些规则的4.2或更高版本的mongoshell会自动加密taxidtaxid-short字段,以便对hr.employees集合进行写入或读取操作。

{
  "hr.employees": {
    "bsonType": "object",
    "properties": {
      "taxid": {
        "encrypt": {
          "keyId": [UUID("11d58b8a-0c6c-4d69-a0bd-70c6d9befae9")],
          "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512_Random",
          "bsonType" : "string"
        }
      },
      "taxid-short": {
        "encrypt": {
          "keyId": [UUID("2ee77064-5cc5-45a6-92e1-7de6616134a8")],
          "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
          "bsonType": "string"
        }
      }
    }
  }
}
Important重要

Automatic client-side field level encryption supports a strict subset of the JSON schema syntax only for defining encryption behavior. 自动客户端字段级加密仅支持用于定义加密行为的JSON模式语法的严格子集。Do not specify document validation keywords in the automatic encryption rules. 不要在自动加密规则中指定文档验证关键字。To define document validation rules, configure server-side schema validation.要定义文档验证规则,请配置服务器端模式验证

encrypt Schema Keyword架构关键字

"bsonType" : "object",
"properties" : {
  "<fieldName>" : {
    "encrypt" : {
      "algorithm" : "<string>",
      "bsonType" : "<string>" | [ "<string>" ],
      "keyId" : [ <UUID> ]
    }
  }
}
encrypt

Object

Indicates that <fieldName> must be encrypted. 指示<fieldName>必须加密。The encrypt object has the following requirements:encrypt对象具有以下要求:

  • encrypt cannot have any sibling fields in the <fieldName> object. <fieldName>对象中encrypt不能有任何同级字段。encrypt must be the only child of the <fieldName> object.必须是<fieldName>对象的唯一子级。
  • encrypt cannot be specified within any subschema of the items or additionalItems keywords. 不能在itemsadditionalItems关键字的任何子模式中指定。Specifically, automatic client-side field level encryption does not support encrypting individual elements of an array.具体来说,自动客户端字段级加密不支持对数组的各个元素进行加密。

The encrypt object can contain only the following fields:encrypt对象能包含以下字段:

Including any other field to the encrypt object results in errors when issuing automatically encrypted read or write operations在发出自动加密的读或写操作时,在encrypt对象中包含任何其他字段都会导致错误

If keyId or algorithm are omitted, the mongocryptd checks the full tree of parent fields and attempts to construct those options from the nearest encryptMetadata object that specifies the option. 如果省略了keyIdalgorithmmongocryptd将检查父字段的完整树,并尝试从指定选项的最近的encryptMetadata对象构造这些选项。bsonType cannot be inherited and may be required depending on the value of algorithm.不能继承,可能需要根据algorithm的值而定。

If mongocryptd cannot construct the full encrypt object using the fields specified to the object and any required encryptMetadata-inherited keys, automatic encryption fails and returns an error.如果mongocrypted无法使用指定给对象的字段和任何必需的encryptMetadata继承的密钥构造完全encrypt 对象,则自动加密失败并返回错误。

encrypt.algorithm

String

Indicates which encryption algorithm to use when encrypting values of <fieldName>. 指示加密<fieldName>值时要使用的加密算法。Supports the following algorithms only:仅支持以下算法:

  • AEAD_AES_256_CBC_HMAC_SHA_512-Random
  • AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic

For complete documentation on the encryption algorithms, see Encryption Algorithms.有关加密算法的完整文档,请参阅加密算法

If omitted, mongocryptd checks the full tree of parent fields for the nearest encryptMetadata.algorithm key and inherits that value. If no parent algorithm exists, automatic field level encryption fails and returns an error.

  • If encrypt.algorithm or its inherited value is AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic, the encrypt object requires the encrypt.bsonType field.
  • If encrypt.algorithm or its inherited value is AEAD_AES_256_CBC_HMAC_SHA_512-Random, the encrypt object may include the encrypt.bsonType field.
encrypt.bsonType

String | Array of Strings

The BSON type of the field being encrypted. Required if encrypt.algorithm is AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic.要加密的字段的BSON类型。如果encrypt.algorithmAEAD_AES_256_CBC_HMAC_SHA_512-Deterministic,则需要。

If encrypt.algorithm or its inherited value is AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic, bsonTypemust specify a single type. 如果encrypt.algorithm或其继承值为AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic,则bsonType必须指定单个类型。bsonType does notsupport any of the following BSON types with the deterministic encryption algorithm:bsonType不支持具有确定性加密算法的以下任何BSON类型:

  • double
  • decimal128
  • bool
  • object
  • array
  • javascriptWithScope (Deprecated)

If encrypt.algorithm or its inherited value is AED_AES_256_CBC_HMAC_SHA_512-Random, bsonType is optional and may specify an array of supported bson types. 如果encrypt.algorithm或其继承值为AED_AES_256_CBC_HMAC_SHA_512-Random,则bsonType是可选的,可以指定受支持的bson类型的数组。For fields with bsonType of array or object, the client encrypts the entire array or object and not their individual elements.对于bsonTypearrayobject的字段,客户端将加密整个数组或对象,而不是其单个元素。

encrypt.bsonType does not support the following types regardless of encrypt.algorithm or its inherited value:无论encrypt.algorithm或其继承值如何,都不支持以下类型:

  • minKey
  • maxKey
  • null
  • undefined
encrypt.keyId

Array of single UUID单个UUID数组

The UUID of the data encryption key to use for encrypting field values. 用于加密字段值的数据加密密钥的UUID。The UUID is a BSON binary data element of subtype 4.UUID是子类型4的BSON二进制数据元素。

Specify one string inside the array.在数组中指定一个字符串。

If omitted, mongocryptd checks the full tree of parent fields for the nearest encryptMetadata.keyId key and inherits that value. 如果省略,mongocryptd将检查父字段的完整树中最近的encryptMetadata.keyId密钥,并继承该值。If no parent keyId exists, automatic field level encryption fails and returns an error.如果不存在父keyId,则自动字段级加密失败并返回错误。

The keyId or its inherited value mustexist in the key vault specified as part of the auto encryption configuration options. If the specified data encryption key does not exist, automatic encryption fails.如果指定的数据加密密钥不存在,则自动加密失败。

Official MongoDB 4.2+ compatible drivers have language-specific requirements for specifying the UUID. 官方MongoDB 4.2+兼容驱动程序对指定UUID有特定语言的要求。Defer to the driver documentation for complete documentation on implementing client-side field level encryption.

encryptMetadata Schema Keyword架构关键字

{
  "bsonType" : "object",
  "encryptMetadata" : {
    "algorithm" : "<string>",
    "keyId" : [ <UUID> ]
  },
  "properties" : {
    "encrypt" : {}
  }
}
encryptMetadata

Object

Defines encryption options which an encrypt object nested in the sibling properties may inherit. 定义嵌套在同级properties中的encrypt对象可以继承的加密选项。If an encrypt is missing an option required to support encryption, mongocryptd searches the entire tree of parent objects to locate an encryptMetadata object that specifies the missing option.

encryptMetadata must be specified in subschemas with bsonType: "object". encryptMetadata cannot be specified to any subschema of the items or additionalItems keywords. Specifically, automatic client-side field level encryption does not support encrypting individual elements of an array.

The encryptMetadata object can contain only the following fields. Including any other field to the encrypt object results in errors when issuing automatically encrypted read or write operations:

encryptMetadata.algorithm

String

The encryption algorithm to use to encrypt a given field. 用于加密给定字段的加密算法。If an encrypt object is missing the algorithm field, mongocryptd searches the entire tree of parent objects to locate an encryptMetadata object that specifies encryptMetadata.algorithm.如果encrypt对象缺少algorithm字段,mongocrypted将搜索整个父对象树,以查找指定encryptMetadata.algorithmencryptMetadata对象。

Supports the following algorithms only:支持以下算法:

  • AEAD_AES_256_CBC_HMAC_SHA_512-Random
  • AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic

For complete documentation on the encryption algorithms, see Encryption Algorithms.有关加密算法的完整文档,请参阅加密算法

If specifying AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic, any encrypt object inheriting that value must specify encrypt.bsonType.如果指定AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic,则继承该值的任何encrypt对象都必须指定encrypt.bsonType

encryptMetadata.keyId

Array of single UUID单个UUID数组

The UUID of a data encryption key. 数据加密密钥的UUID。The UUID is a BSON binary data element of subtype 4.UUID是子类型4的BSON二进制数据元素。

Specify one string inside the array.在数组中指定一个字符串。

If an encrypt object is missing the keyId field, mongocryptd searches the entire tree of parent objects to locate an encryptMetadata object that specifies encryptMetadata.keyId.如果encrypt对象缺少keyId字段,mongocrypted将搜索整个父对象树,以查找指定encryptMetadata.keyIdencryptMetadata对象。

The data encryption key must exist in the key vault specified as part of the auto encryption configuration options. 数据加密密钥必须存在于作为自动加密配置选项的一部分指定的密钥库中。The specified configuration options must also include appropriate access to the Key Management Service (KMS) and Customer Master Key (CMK) used to create the data key. 指定的配置选项还必须包括对用于创建数据密钥的密钥管理服务(KMS)和客户主密钥(CMK)的适当访问。Automatic encryption fails if the data encryption key does not exist or if the client cannot decrypt the key with the specified KMS and CMK.如果数据加密密钥不存在,或者客户端无法使用指定的KMS和CMK解密密钥,则自动加密失败。

Official MongoDB 4.2+ compatible drivers have language-specific requirements for specifying the UUID. 官方MongoDB 4.2+兼容驱动程序对指定UUID有特定语言的要求。Defer to the driver documentation for complete documentation on implementing client-side field level encryption.有关实现客户端字段级加密的完整文档,请参阅驱动程序文档

Examples示例

Automatically Encrypt Multiple Fields自动加密多个字段

Consider a collection MedCo.patients where each document has the following structure:考虑一个MedCo.patients集合,其中每个文档具有以下结构:

{
  "fname" : "<String>",
  "lname" : "<String>",
  "passportId" : "<String>",
  "bloodType" : "<String>",
  "medicalRecords" : [
    {<object>}
  ],
  "insurance" : {
    "policyNumber" : "<string>",
    "provider" : "<string>"
  }
}

The following fields contains personally identifiable information (PII) that may be queried:以下字段包含可查询的个人身份信息(PII):

  • passportId
  • bloodType
  • insurance.policyNumber
  • insurance.provider

The deterministic encryption algorithm guarantees that the encrypted output of a value remains static. 确定性加密算法保证值的加密输出保持静态。This allows queries for a specific value to return meaningful results at the cost of increased susceptibility to frequency analysis recovery. 这允许对特定值的查询返回有意义的结果,代价是增加对频率分析恢复的敏感性。The deterministic encryption algorithm therefore meets both the encryption and queryability requirements of the data.因此,确定性加密算法满足数据的加密和可查询性要求。

The following fields contain legally protected personally identifiable information (PII) that may never be queried:以下字段包含可能永远无法查询的受法律保护的个人身份信息(PII):

  • medicalRecords

The randomized encryption algorithm guarantees that the encrypted output of a value is always unique. 随机化加密算法保证值的加密输出始终唯一。This prevents queries for a specific field value from returning meaningful results while supporting the highest possible protection of the field contents. 这防止了对特定字段值的查询返回有意义的结果,同时支持对字段内容的最高可能保护。The randomized encryption algorithm therefore meets both the encryption and queryability requirements of the data.因此,随机化加密算法满足数据的加密和可查询性要求。

The following schema specifies automatic encryption rules which meet the above requirements for the MedCo.patients collection:以下模式指定了自动加密规则,这些规则满足MedCo.patients集合的上述要求:

{
  "MedCo.patients" : {
    "bsonType" : "object",
    "properties" : {
      "passportId" : {
        "encrypt" : {
          "keyId" : [UUID("bffb361b-30d3-42c0-b7a4-d24a272b72e3")],
          "algorithm" : "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
          "bsonType" : "string"
        }
      },
      "bloodType" : {
        "encrypt" : {
          "keyId" : [UUID("bffb361b-30d3-42c0-b7a4-d24a272b72e3")],
          "algorithm" : "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
          "bsonType" : "string"
        }
      },
      "medicalRecords" : {
        "encrypt" : {
          "keyId" : [UUID("f3821212-e697-4d65-b740-4a6791697c6d")],
          "algorithm" : "AEAD_AES_256_CBC_HMAC_SHA_512-Random",
          "bsonType" : "array"
        }
      },
      "insurance" : {
        "bsonType" : "object",
        "properties" : {
          "policyNumber" : {
            "encrypt" : {
              "keyId" : [UUID("bffb361b-30d3-42c0-b7a4-d24a272b72e3")],
              "algorithm" : "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
              "bsonType" : "string"
            }
          },
          "provider" : {
            "encrypt" : {
              "keyId" : [UUID("bffb361b-30d3-42c0-b7a4-d24a272b72e3")],
              "algorithm" : "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
              "bsonType" : "string"
            }
          }
        }
      }
    }
  }
}

The above automatic encryption rules mark the passportId, bloodType, insurance.policyNumber, insurance.provider, and medicalRecords fields for encryption.上述自动加密规则标记passportIdbloodTypeinsurance.policyNumberinsurance.providermedicalRecords字段进行加密。

  • The passportId, bloodType, insurance.policyNumber, and provider fields require deterministic encryption using the specified key.passportIdbloodTypeinsurance.policyNumberprovider字段需要使用指定密钥进行确定性加密。
  • The medicalRecords field requires randomized encryption using the specified key.medicalRecords字段需要使用指定密钥进行随机加密。

While client-side field level encryption does not support encrypting individual array elements, randomized encryption supports encrypting the entire array field rather than individual elements in the field. 虽然客户端字段级加密不支持加密单个数组元素,但随机化加密支持加密整个数组字段,而不是字段中的单个元素。The example automatic encryption rules specify randomized encryption for the medicalRecords field to encrypt the entire array. 示例自动加密规则为medicalRecords字段指定随机化加密,以加密整个数组。If the automatic encryption rules specified encrypt or encryptMetadata within medicalRecords.items or medicalRecords.additionalItems, automatic field level encryption fails and returns an errors.如果指定的自动加密规则在medicalRecords.itemsmedicalRecords.additionalItemsencryptencryptMetadata数据,则自动字段级加密失败并返回错误。

The official MongoDB 4.2+ compatible drivers, mongosh, and the 4.2 or later legacy mongo shell require specifying the automatic encryption rules as part of creating the database connection object:官方MongoDB 4.2+兼容驱动程序mongosh和4.2或更高版本的mongoshell要求在创建数据库连接对象时指定自动加密规则:

For all clients, the keyVault and kmsProviders specified to the client-side field level encryption parameter must grant access to both the data encryption keys specified in the automatic encryption rules and the Customer Master Key used to encrypt the data encryption keys.对于所有客户端,为客户端字段级加密参数指定的keyVaultkmsProviders必须授予对自动加密规则中指定的数据加密密钥和用于加密数据加密密钥的客户主密钥的访问权限。

Automatically Encrypt Multiple Fields With Inheritance使用继承自动加密多个字段

Consider a collection MedCo.patients where each document has the following structure:考虑一个MedCo.patients集合,其中每个文档具有以下结构:

{
  "fname" : "<String>",
  "lname" : "<String>",
  "passportId" : "<String>",
  "bloodType" : "<String>",
  "medicalRecords" : [
    {<object>}
  ],
  "insurance" : {
    "policyNumber" : "<string>",
    "provider" : "<string>"
  }
}

The following fields contain private data that may be queried:以下字段包含可以查询的私有数据:

  • passportId
  • bloodType
  • insurance.policyNumber
  • insurance.provider

The deterministic encryption algorithm guarantees that the encrypted output of a value remains static. 确定性加密算法保证值的加密输出保持静态。This allows queries for a specific value to return meaningful results at the cost of increased susceptibility to frequency analysis recovery. 这允许对特定值的查询返回有意义的结果,代价是增加对频率分析恢复的敏感性。The deterministic encryption algorithm therefore meets both the encryption and queryability requirements of the data.因此,确定性加密算法满足数据的加密和可查询性要求。

The following fields contain private data that may never be queried:以下字段包含可能永远无法查询的私有数据:

  • medicalRecords

The randomized encryption algorithm guarantees that the encrypted output of a value is always unique. 随机化加密算法保证值的加密输出始终唯一。This prevents queries for a specific field value from returning meaningful results while supporting the highest possible protection of the field contents. 这防止了对特定字段值的查询返回有意义的结果,同时支持对字段内容的最高可能保护。The randomized encryption algorithm therefore meets both the encryption and queryability requirements of the data.因此,随机化加密算法满足数据的加密和可查询性要求。

The following schema specifies automatic encryption rules which meet the encryption requirements for the MedCo.patients collection:以下模式指定了自动加密规则,这些规则满足MedCo.patients集合的加密要求:

{
  "MedCo.patients" : {
    "bsonType" : "object",
    "encryptMetadata" : {
      "keyId" : [UUID("6c512f5e-09bc-434f-b6db-c42eee30c6b1")],
      "algorithm" : "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
    },
    "properties" : {
      "passportId" : {
        "encrypt" : {
          "bsonType" : "string"
        }
      },
      "bloodType" : {
        "encrypt" : {
          "bsonType" : "string"
        }
      },
      "medicalRecords" : {
        "encrypt" : {
          "keyId" : [UUID("6c512f5e-09bc-434f-b6db-c42eee30c6b1")],
          "algorithm" : "AEAD_AES_256_CBC_HMAC_SHA_512-Random",
          "bsonType" : "array"
        }
      },
      "insurance" : {
        "bsonType" : "object",
        "properties" : {
          "policyNumber" : {
            "encrypt" : {
              "bsonType" : "string"
            }
          },
          "provider" : {
            "encrypt" : {
              "bsonType" : "string"
            }
          }
        }
      }
    }
  }
}

The above automatic encryption rules mark the passportId, bloodType, insurance.policyNumber, insurance.provider, and medicalRecords fields for encryption.上述自动加密规则标记passportIdbloodTypeinsurance.policyNumberinsurance.providermedicalRecords字段进行加密。

  • The passportId, bloodType, insurance.policyNumber, and provider fields inherit their encryption settings from the parent encryptMetadata field. passportIdbloodTypeinsurance.policyNumberprovider字段从父encryptMetadata字段继承其加密设置。Specifically, these fields inherit the algorithm and keyId values specifying deterministic encryption with the specified data encryption key.具体地说,这些字段继承algorithmkeyId值,这些值使用指定的数据加密密钥指定确定性加密。
  • The medicalRecords field requires randomized encryption using the specified key. medicalRecords字段需要使用指定密钥进行随机加密。The encrypt options override those specified in the parent encryptMetadata field.encrypt选项覆盖父encryptMetadata字段中指定的选项。

While client-side field level encryption does not support encrypting individual array elements, randomized encryption supports encrypting the entire array field rather than individual elements in the field. 虽然客户端字段级加密不支持加密单个数组元素,但随机化加密支持加密整个数组字段,而不是字段中的单个元素。The example automatic encryption rules specify randomized encryption for the medicalRecords field to encrypt the entire array. 示例自动加密规则为medicalRecords字段指定随机化加密,以加密整个数组。If the automatic encryption rules specified encrypt or encryptMetadata within medicalRecords.items or medicalRecords.additionalItems, automatic field level encryption fails and returns an errors.如果指定的自动加密规则在medicalRecords.itemsmedicalRecords.additionalItemsencryptencryptMetadata数据,则自动字段级加密失败并返回错误。

The official MongoDB 4.2+ compatible drivers, mongosh, and the 4.2 or later legacy mongo shell require specifying the automatic encryption rules as part of creating the database connection object:官方MongoDB 4.2+兼容驱动程序mongosh和4.2或更高版本的mongoshell要求在创建数据库连接对象时指定自动加密规则:

For all clients, the keyVault and kmsProviders specified to the client-side field level encryption parameter must grant access to both the data encryption keys specified in the automatic encryption rules and the Customer Master Key used to encrypt the data encryption keys.对于所有客户端,为客户端字段级加密参数指定的keyVaultkmsProviders必须授予对自动加密规则中指定的数据加密密钥和用于加密数据加密密钥的客户主密钥的访问权限。

←  Automatic Client-Side Field Level EncryptionRead/Write Support with Automatic Field Level Encryption →