Limitations

Read and Write Operation Support

The mongod only stores encrypted BinData and applies any aggregation expression or query operator specifying an encrypted field against the BinData value. While the expression or operator may support BinData fields, the resulting value may be incorrect or unexpected when compared to issuing that same expression or operator against the decrypted value. The mongod throws an error if the expression or operator does not support BinData values.

For example, consider a deterministically encrypted integer Salary. A query filters for documents where Salary is greater than 100000. The application explicitly (manually) encrypts the query value using deterministic encryption prior to issuing the query. The mongod compares the encrypted BinData value of 100000 to the encrypted BinData values stored in each document. While the operation returns successfully, the comparison of the BinData values may return a different result than the comparison of the decrypted integer values.
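The following Python is an added illustration, not code from the MongoDB documentation or driver: a keyed hash stands in for deterministic encryption (the real algorithm is an AEAD construction, but it shares the property that matters here), and the salary values are constructed sample data. It shows that an equality match on the encrypted Salary still works, while a byte-wise $gt on the BinData returns a different set than the plaintext comparison would.

```python
import hmac
import hashlib
import struct

# Constructed stand-in for a data encryption key (not a real CSFLE key).
KEY = b"constructed-demo-key-not-for-real-use"


def deterministic_encrypt(value: int) -> bytes:
    """Toy deterministic encryption: a keyed PRF over the encoded integer.

    Real CSFLE uses an AEAD construction; the shared property used here is
    that equal plaintexts yield equal ciphertexts, while the ciphertext
    bytes carry no usable ordering.
    """
    return hmac.new(KEY, struct.pack(">q", value), hashlib.sha256).digest()


# Constructed sample documents: plaintext salaries 10000 .. 200000, which
# the client encrypts before insert; mongod only ever stores the BinData.
SALARIES = list(range(10000, 210000, 10000))
DOCUMENTS = [{"_id": i, "salary": deterministic_encrypt(s)}
             for i, s in enumerate(SALARIES)]


def plaintext_gt(threshold: int) -> set:
    """What the application expects: ids whose decrypted salary > threshold."""
    return {i for i, s in enumerate(SALARIES) if s > threshold}


def server_side_gt(threshold: int) -> set:
    """What mongod actually evaluates: a byte-wise $gt between BinData values."""
    encrypted_threshold = deterministic_encrypt(threshold)
    return {d["_id"] for d in DOCUMENTS if d["salary"] > encrypted_threshold}


def server_side_eq(value: int) -> set:
    """$eq on BinData does match, because deterministic ciphertexts repeat."""
    encrypted_value = deterministic_encrypt(value)
    return {d["_id"] for d in DOCUMENTS if d["salary"] == encrypted_value}


if __name__ == "__main__":
    print("application expects :", sorted(plaintext_gt(100000)))
    print("mongod returns      :", sorted(server_side_gt(100000)))
    print("equality on 100000  :", server_side_eq(100000))
```

The operation succeeds without error, which is exactly why the mismatch is easy to miss; nothing on the server side can tell that the ordering of the ciphertext bytes is unrelated to the ordering of the integers.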

Automatic client-side field level encryption rejects read or write operations which would return incorrect or unexpected results when issued against an encrypted field. For complete documentation, see Read/Write Support with Automatic Field Level Encryption. Applications performing explicit (manual) encryption may reference the linked page as guidance for issuing read/write operations against encrypted fields.

Views

Queries against views on collections containing client-side field level encrypted values may return unexpected or incorrect results if either the underlying view aggregation pipeline or the query references encrypted fields. If creating a view on a collection containing client-side field level encrypted values, avoid operating on encrypted fields to mitigate the risk of unexpected or incorrect results.

While 4.2+ compatible drivers configured for automatic client-side field level encryption have validation for unsupported read and write operations, the underlying support library cannot introspect the view catalog to identify a given collection as a view. Applications therefore cannot rely on the automatic field level encryption validation to prevent unsupported queries against views on collections with encrypted fields.

For applications using explicit (manual) encryption to query a view on a collection containing encrypted values, consider constructing the query using only query operators with known normal behavior when issued against encrypted fields.

Collation

Client-side field level encryption does not respect user-specified collations or collection default collations. Field level encryption obscures the field value and prevents normal collation behavior. Collation-sensitive queries against encrypted fields may return unexpected or incorrect results.

While 4.2+ compatible drivers configured for automatic client-side field level encryption have validation for unsupported read and write operations, the underlying support library cannot introspect the collection catalog to identify the default collation. Applications therefore cannot rely on the automatic field level encryption validation to prevent querying on encrypted fields with collation defaults.

Unique Indexes

Unique indexes cannot guarantee uniqueness if the index key specifies any randomly encrypted fields.

Fields encrypted using the random algorithm always produce a different encrypted value given a specific input. The server considers each encrypted value unique even though the decrypted value itself is not unique. The collection can therefore contain multiple documents with duplicate decrypted values for a field with an index-enforced unique constraint.

While 4.2+ compatible drivers configured for automatic client-side field level encryption have validation for unsupported read and write operations, the underlying support library cannot introspect the index catalog to identify a given field as unique. Applications therefore cannot rely on the automatic field level encryption validation to prevent unique constraint violations on randomly-encrypted fields.
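As an added example (not code from the MongoDB documentation or driver), the following Python models a collection with a unique index on an encrypted "ssn" field. The toy encrypt() function is a constructed stand-in for the real AEAD algorithms, exposing only the property at issue: the random algorithm prefixes a fresh nonce so equal inputs never collide on the index, while the deterministic algorithm makes the server's unique constraint catch the duplicate.

```python
import hmac
import hashlib
import os


class DuplicateKeyError(Exception):
    """Stands in for the server's unique-index violation (E11000)."""


# Constructed stand-in for a data encryption key (not a real CSFLE key).
KEY = b"constructed-demo-key-not-for-real-use"


def encrypt(value: str, algorithm: str) -> bytes:
    """Toy client-side encryption with the one property that matters here.

    'random' prefixes a fresh 16-byte nonce, so equal inputs give different
    ciphertexts; 'deterministic' omits the nonce, so equal inputs give equal
    ciphertexts. Real CSFLE uses AEAD constructions; this is a stand-in.
    """
    nonce = os.urandom(16) if algorithm == "random" else b""
    tag = hmac.new(KEY, nonce + value.encode(), hashlib.sha256).digest()
    return nonce + tag


class UniqueIndexedCollection:
    """Models a collection with a unique index on the encrypted 'ssn' field.

    The server only ever sees BinData, so the index enforces uniqueness on
    the ciphertext bytes, never on the decrypted value.
    """

    def __init__(self):
        self.docs = []
        self._index = set()

    def insert(self, doc: dict) -> None:
        key = doc["ssn"]
        if key in self._index:
            raise DuplicateKeyError("duplicate key on ssn")
        self._index.add(key)
        self.docs.append(doc)


def insert_same_ssn_twice(algorithm: str) -> int:
    """Insert one plaintext SSN twice; return how many documents were stored."""
    coll = UniqueIndexedCollection()
    ssn = "000-00-0000"  # constructed sample value
    for _ in range(2):
        try:
            coll.insert({"ssn": encrypt(ssn, algorithm)})
        except DuplicateKeyError:
            pass
    return len(coll.docs)
```

With the random algorithm both inserts succeed and the collection silently holds two documents for the same SSN; with the deterministic algorithm the second insert is rejected, which is the only way the server-side index can see the duplicate.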

Shard Key

Specifying a shard key on encrypted fields or encrypting fields of an existing shard key may result in unexpected or incorrect sharding behavior.

While 4.2+ compatible drivers configured for automatic client-side field level encryption have validation for unsupported read and write operations, the underlying support library cannot introspect the sharding catalog metadata to identify shard key fields. Applications therefore cannot rely on the automatic field level encryption validation to prevent encryption of shard key fields.

Read/Write Query Support

Automatic client-side field level encryption supports a subset of commands, query operators, update operators, aggregation stages, and aggregation expressions. For complete documentation, see Read/Write Support with Automatic Field Level Encryption.