Manage Data Encryption Keys管理数据加密密钥

On this page本页内容

New in version 4.2.在版本4.2中新增

Client-side field level encryption uses data encryption keys for encryption and decryption. 客户端字段级加密使用数据加密密钥进行加密和解密。The mongosh helper method getKeyVault() returns a key vault object for creating, modifying, and deleting data encryption keys.mongosh助手方法getKeyVault()返回用于创建、修改和删除数据加密密钥的密钥库对象。

This page documents client-side field level encryption using mongosh, and does not refer to any official MongoDB 4.2+ compatible driver. 本页记录了使用mongosh的客户端字段级加密,并没有引用任何官方MongoDB 4.2+兼容驱动程序。See the relevant documentation for driver-specific data encryption key management methods and syntax.有关驱动程序特定的数据加密密钥管理方法和语法,请参阅相关文档

Create a Data Encryption Key创建数据加密密钥

The following procedure uses mongosh to create a data encryption key for use with client-side field level encryption and decryption. 以下过程使用mongosh创建用于客户端字段级加密和解密的数据加密密钥。For guidance on data encryption key management using a 4.2+ compatible driver, see the driver documentation instead.有关使用4.2+兼容驱动程序进行数据加密密钥管理的指导,请参阅驱动程序文档

Use the tabs below to select the KMS appropriate for your deployment:使用以下选项卡选择适合您的部署的KMS:

1

Launch mongosh.启动mongosh

Configuring client-side field level encryption for the AWS KMS requires an AWS Access Key ID and its associated Secret Access Key. 为AWS KMS配置客户端字段级加密需要AWS访问密钥ID及其关联的秘密访问密钥。The AWS Access Key must correspond to an IAM user with all List and Read permissions for the KMS service.AWS访问密钥必须与具有KMS服务的所有ListRead权限的IAM用户相对应。

To mitigate the risk of these credentials leaking into logs, the following procedure passes the values into mongosh using environment variables.为了降低这些凭据泄漏到日志中的风险,以下过程使用环境变量将值传递到mongosh中。

First, ensure that you have configured the following environment variables according to your platform's documentation:首先,确保已根据平台文档配置了以下环境变量:

  • AWS_ACCESS_KEY_ID

  • AWS_SECRET_ACCESS_KEY

Next, create mongosh session using the --eval, --shell, and --nodb options:接下来,使用--eval--shell--nodb选项创建mongosh会话:

mongosh --eval "
    var AWS_ACCESS_KEY_ID = '$AWS_ACCESS_KEY_ID'
    var AWS_SECRET_ACCESS_KEY = '$AWS_SECRET_ACCESS_KEY'
  " \
  --shell --nodb

This example opens mongosh without a connection to a MongoDB database. 本例打开mongosh时没有连接到MongoDB数据库。The --eval option sets the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY variables in mongosh to the value of the corresponding environment variables. --eval选项将mongosh中的AWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEY变量设置为相应环境变量的值。The specified variables are also supported by the AWS CLI.AWS CLI也支持指定的变量。

2

Create the Encryption Configuration.创建加密配置。

In mongosh, create a new ClientSideFieldLevelEncryptionOptions variable for storing the client-side field level encryption configuration document:mongosh中,创建一个新的ClientSideFieldLevelEncryptionOptions变量,用于存储客户端字段级加密配置文档:

var ClientSideFieldLevelEncryptionOptions = {
  "keyVaultNamespace" : "encryption.__dataKeys",
  "kmsProviders" : {
    "aws" : {
      "accessKeyId" : AWS_ACCESS_KEY_ID,
      "secretAccessKey" : AWS_SECRET_ACCESS_KEY
    }
  }
}
3

Connect with Encryption Support.连接加密支持。

In mongosh, use the Mongo() constructor to establish a database connection to the target cluster. mongosh中,使用Mongo()构造函数建立到目标集群的数据库连接。Specify the ClientSideFieldLevelEncryptionOptions document as the second parameter to the Mongo() constructor to configure the connection for client-side field level encryption:ClientSideFieldLevelEncryptionOptions文档指定为Mongo()构造函数的第二个参数,以配置客户端字段级加密的连接:

csfleDatabaseConnection = Mongo(
  "mongodb://replaceMe.example.net:27017/?replicaSet=myMongoCluster",
  ClientSideFieldLevelEncryptionOptions
)

Replace the replaceMe.example.net URI with the connection string for the target cluster.replaceMe.example.net URI替换为目标群集的连接字符串。

Use the csfleDatabaseConnection object to access client-side field level encryption shell methods.使用csfleDatabaseConnection对象访问客户端字段级加密 shell方法。

For complete documentation on establishing database connections configured for client-side field level encryption, see the Mongo() constructor reference.有关建立为客户端字段级加密配置的数据库连接的完整文档,请参阅Mongo()构造函数参考。

4

Create the Key Vault Object.创建密钥Vault对象。

Use the getKeyVault() method on the csfleDatabaseConnection database connection object to create the keyVault object:csfleDatabaseConnection数据库连接对象使用getKeyVault()方法创建keyVault对象:

keyVault = csfleDatabaseConnection.getKeyVault();
Important重要

Client-side field level encryption depends on server-enforced uniqueness of key alternate names. 客户端字段级加密取决于服务器强制的密钥备用名称的唯一性。getKeyVault() creates a unique index on keyAltNames if one does not exist. getKeyVault()keyAltNames上创建唯一索引(如果不存在)。Do not drop the unique index created by getKeyVault().不要删除由getKeyVault()创建的唯一索引

5

Create the Data Encryption Key.创建数据加密密钥。

Use the KeyVault.createKey() method on the keyVault object to create a new data encryption key in the key vault:keyVault对象使用KeyVault.createKey()方法在密钥库中创建新的数据加密密钥:

keyVault.createKey(
  "aws",
  "arn:aws:kms:region:account:key/keystring",
  [ "keyAlternateName" ]
)

Where:其中:

  • The first parameter must be "aws" to specify the configured Amazon Web Services KMS.第一个参数必须"aws",以指定已配置的Amazon Web Services KMS。

  • The second parameter must be the full Amazon Resource Name (ARN) of the Customer Master Key (CMK). 第二个参数必须是客户主密钥(CMK)的完整亚马逊资源名称(ARN)MongoDB uses the specified CMK to encrypt the data encryption key.MongoDB使用指定的CMK加密数据加密密钥。

  • The third parameter may be an array of one or more keyAltNames for the data encryption key. 第三参数可以是数据加密密钥的一个或多个keyAltNames的数组。Each key alternate name must be unique. 每个密钥备用名称必须是唯一的。getKeyVault() creates a unique index on keyAltNames to enforce uniqueness on the field if one does not already exist. getKeyVault()keyAltNames上创建一个唯一索引,以强制字段的唯一性(如果不存在)。Key alternate names facilitate data encryption key findability.密钥替代名称有助于数据加密密钥的查找。

If successful, createKey() returns the UUID of the new data encryption key. 如果成功,createKey()将返回新数据加密密钥的UUID。The UUID is a BSON Binary (BinData) object with subtype 4 that uniquely identifies the data encryption key. UUID是一个BSONBinary (BinData)对象,其子类型4唯一标识数据加密密钥。The UUID string is the hexadecimal representation of the underlying binary data.UUID字符串是基础二进制数据的十六进制表示。

If you are providing the data encryption key to an official 4.2+ compatible driver in order to configure automatic client-side field level encryption, you must use the base64 representation of the UUID string.如果要向官方的4.2+兼容驱动程序提供数据加密密钥以配置自动客户端字段级加密,则必须使用UUID字符串的base64表示。

You can run the following operation in mongosh to convert a UUID hexadecimal string to its base64 representation:您可以在mongosh中运行以下操作,将UUID十六进制字符串转换为其base64表示形式:

UUID("b4b41b33-5c97-412e-a02b-743498346079").base64()

Supply the UUID of your own data encryption key to this command, as returned from createKey() above, or as described in Retrieve an Existing Data Encryption Key.向该命令提供您自己的数据加密密钥的UUID,如从上面的createKey()返回的,或如检索现有数据加密密钥中所述。

1

Launch mongosh.启动mongosh

Configuring client-side field level encryption for Azure Key Vault requires a valid Tenant ID, Client ID, and Client Secret.为Azure密钥库配置客户端字段级加密需要有效的租户ID、客户端ID和客户端密钥。

To mitigate the risk of these credentials leaking into logs, the following procedure passes the values into mongosh using environment variables.为了降低这些凭据泄漏到日志中的风险,以下过程使用环境变量将值传递到mongosh中。

First, ensure that you have configured the following environment variables according to your platform's documentation:首先,确保已根据平台文档配置了以下环境变量:

  • AZURE_TENANT_ID

  • AZURE_CLIENT_ID

  • AZURE_CLIENT_SECRET

Next, create a mongosh session using the --eval, --shell, and --nodb options:接下来,使用--eval--shell--nodb选项创建mongosh会话:

mongosh --eval "
    var AZURE_TENANT_ID = '$AZURE_TENANT_ID'
    var AZURE_CLIENT_ID = '$AZURE_CLIENT_ID'
    var AZURE_CLIENT_SECRET = '$AZURE_CLIENT_SECRET'
  " \
  --shell --nodb

This example opens mongosh without a connection to a MongoDB database. 本例打开mongosh时没有连接到MongoDB数据库。The --eval option sets the AZURE_TENANT_ID, and AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET variables in mongosh to the value of the corresponding environment variables.--eval选项将mongosh中的AZURE_TENANT_IDAZURE_CLIENT_IDAZURE_CLEENT_SECRET变量设置为相应环境变量的值。

2

Create the Encryption Configuration.创建加密配置。

In mongosh, create a new ClientSideFieldLevelEncryptionOptions variable for storing the client-side field level encryption configuration document:mongosh中,创建一个新的ClientSideFieldLevelEncryptionOptions变量,用于存储客户端字段级加密配置文档:

var ClientSideFieldLevelEncryptionOptions = {
  "keyVaultNamespace" : "encryption.__dataKeys",
  "kmsProviders" : {
    "azure" : {
      "tenantId" : AZURE_TENANT_ID,
      "clientId" : AZURE_CLIENT_ID,
      "clientSecret" : AZURE_CLIENT_SECRET
    }
  }
}
3

Connect with Encryption Support.连接加密支持。

In mongosh, use the Mongo() constructor to establish a database connection to the target cluster. mongosh中,使用Mongo()构造函数建立到目标集群的数据库连接。Specify the ClientSideFieldLevelEncryptionOptions document as the second parameter to the Mongo() constructor to configure the connection for client-side field level encryption:ClientSideFieldLevelEncryptionOptions文档指定为Mongo()构造函数的第二个参数,以配置客户端字段级加密的连接:

csfleDatabaseConnection = Mongo(
  "mongodb://replaceMe.example.net:27017/?replicaSet=myMongoCluster",
  ClientSideFieldLevelEncryptionOptions
)

Replace the replaceMe.example.net URI with the connection string for the target cluster.replaceMe.example.net URI替换为目标群集的连接字符串。

Use the csfleDatabaseConnection object to access client-side field level encryption shell methods.使用csfleDatabaseConnection对象访问客户端字段级加密 shell方法。

For complete documentation on establishing database connections configured for client-side field level encryption, see the Mongo() constructor reference.有关建立为客户端字段级加密配置的数据库连接的完整文档,请参阅Mongo()构造函数参考。

4

Create the Key Vault Object.创建密钥Vault对象。

Use the getKeyVault() method on the csfleDatabaseConnection database connection object to create the keyVault object:csfleDatabaseConnection数据库连接对象使用getKeyVault()方法创建keyVault对象:

keyVault = csfleDatabaseConnection.getKeyVault();
Important重要

Client-side field level encryption depends on server-enforced uniqueness of key alternate names. 客户端字段级加密取决于服务器强制的密钥备用名称的唯一性。getKeyVault() creates a unique index on keyAltNames if one does not exist. getKeyVault()keyAltNames上创建唯一索引(如果不存在)。Do not drop the unique index created by getKeyVault().不要删除由getKeyVault()创建的唯一索引

5

Create the Data Encryption Key.创建数据加密密钥。

Use the KeyVault.createKey() method on the keyVault object to create a new data encryption key in the key vault:keyVault对象使用 KeyVault.createKey()方法在密钥库中创建新的数据加密密钥:

keyVault.createKey(
  "azure",
  { keyName: "keyvaultname", keyVaultEndpoint: "endpointname" },
  [ "keyAlternateName" ]
)

Where:其中:

  • The first parameter must be "azure" to specify the configured Azure Key Vault.第一个参数必须是"azure"才能指定配置的azure密钥库。

  • The second parameter must be a document containing:第二个参数必须是包含以下内容的文档:

    • the name of your Azure Key VaultAzure密钥库的名称

    • the DNS name of the Azure Key Vault to use (e.g. my-key-vault.vault.azure.net)要使用的Azure Key Vault的DNS名称(例如,my-key-vault.vault.azure.net

  • The third parameter may be an array of one or more keyAltNames for the data encryption key. 第三参数可以是数据加密密钥的一个或多个keyAltNames的数组。Each key alternate name must be unique. 每个密钥备用名称必须是唯一的。getKeyVault() creates a unique index on keyAltNames to enforce uniqueness on the field if one does not already exist. getKeyVault()keyAltNames上创建一个唯一索引(如果不存在),以强制字段的唯一性。Key alternate names facilitate data encryption key findability.密钥替代名称有助于数据加密密钥的查找。

If successful, createKey() returns the UUID of the new data encryption key. 如果成功,createKey()将返回新数据加密密钥的UUIDThe UUID is a BSON Binary (BinData) object with subtype 4 that uniquely identifies the data encryption key. UUID是一个BSONBinary (BinData)对象,其子类型4唯一标识数据加密密钥。The UUID string is the hexadecimal representation of the underlying binary data.UUID字符串是基础二进制数据的十六进制表示。

If you are providing the data encryption key to an official 4.2+ compatible driver in order to configure automatic client-side field level encryption, you must use the base64 representation of the UUID string.如果要向官方的4.2+兼容驱动程序提供数据加密密钥以配置自动客户端字段级加密,则必须使用UUID字符串的base64表示。

You can run the following operation in mongosh to convert a UUID hexadecimal string to its base64 representation:您可以在mongosh中运行以下操作,将UUID十六进制字符串转换为其base64表示形式:

UUID("b4b41b33-5c97-412e-a02b-743498346079").base64()

Supply the UUID of your own data encryption key to this command, as returned from createKey() above, or as described in Retrieve an Existing Data Encryption Key.向该命令提供您自己的数据加密密钥的UUID,如从上面的createKey()返回的,或如检索现有数据加密密钥中所述。

1

Launch mongosh.启动mongosh

Configuring client-side field level encryption for the GCP KMS requires your GCP Email and its associated Private Key.为GCP KMS配置客户端字段级加密需要GCP电子邮件及其相关私钥。

To mitigate the risk of these credentials leaking into logs, the following procedure passes the values into mongosh using environment variables.为了降低这些凭据泄漏到日志中的风险,以下过程使用环境变量将值传递到mongosh中。

First, ensure that you have configured the following environment variables according to your platform's documentation:首先,确保已根据平台文档配置了以下环境变量:

  • GCP_EMAIL

  • GCP_PRIVATEKEY

Next, create a mongosh session using the --eval, --shell, and --nodb options:接下来,使用--eval--shell--nodb选项创建mongosh会话:

mongosh --eval "
    var GCP_EMAIL = '$GCP_EMAIL'
    var GCP_PRIVATEKEY = '$GCP_PRIVATEKEY'
  " \
  --shell --nodb

This example opens mongosh without a connection to a MongoDB database. 本例打开mongosh时没有连接到MongoDB数据库。The --eval option sets the GCP_EMAIL and GCP_PRIVATEKEY variables in mongosh to the value of the corresponding environment variables.--eval选项将mongosh中的GCP_EMAILGCP_PRIVATEKEY变量设置为相应环境变量的值。

2

Create the Encryption Configuration.创建加密配置。

In mongosh, create a new ClientSideFieldLevelEncryptionOptions variable for storing the client-side field level encryption configuration document:mongosh中,创建一个新的ClientSideFieldLevelEncryptionOptions变量,用于存储客户端字段级加密配置文档:

var ClientSideFieldLevelEncryptionOptions = {
  "keyVaultNamespace" : "encryption.__dataKeys",
  "kmsProviders" : {
    "gcp" : {
      "email" : GCP_EMAIL,
      "privateKey" : GCP_PRIVATEKEY
    }
  }
}
3

Connect with Encryption Support.连接加密支持。

In mongosh, use the Mongo() constructor to establish a database connection to the target cluster. mongosh中,使用Mongo()构造函数建立到目标集群的数据库连接。Specify the ClientSideFieldLevelEncryptionOptions document as the second parameter to the Mongo() constructor to configure the connection for client-side field level encryption:ClientSideFieldLevelEncryptionOptions文档指定为Mongo()构造函数的第二个参数,以配置客户端字段级加密的连接:

csfleDatabaseConnection = Mongo(
  "mongodb://replaceMe.example.net:27017/?replicaSet=myMongoCluster",
  ClientSideFieldLevelEncryptionOptions
)

Replace the replaceMe.example.net URI with the connection string for the target cluster.replaceMe.example.net URI替换为目标群集的连接字符串。

Use the csfleDatabaseConnection object to access client-side field level encryption shell methods.使用csfleDatabaseConnection对象访问客户端字段级加密shell方法。

For complete documentation on establishing database connections configured for client-side field level encryption, see the Mongo() constructor reference.有关建立为客户端字段级加密配置的数据库连接的完整文档,请参阅Mongo()构造函数参考。

4

Create the Key Vault Object.创建密钥Vault对象。

Use the getKeyVault() method on the csfleDatabaseConnection database connection object to create the keyVault object:csfleDatabaseConnection数据库连接对象使用getKeyVault()方法创建keyVault对象:

keyVault = csfleDatabaseConnection.getKeyVault();
Important重要

Client-side field level encryption depends on server-enforced uniqueness of key alternate names. 客户端字段级加密取决于服务器强制的密钥备用名称的唯一性。getKeyVault() creates a unique index on keyAltNames if one does not exist. getKeyVault()keyAltNames上创建唯一索引(如果不存在)。Do not drop the unique index created by getKeyVault().不要删除由getKeyVault()创建的唯一索引

5

Create the Data Encryption Key.创建数据加密密钥。

Use the KeyVault.createKey() method on the keyVault object to create a new data encryption key in the key vault:keyVault对象使用KeyVault.createKey()方法在密钥库中创建新的数据加密密钥:

keyVault.createKey(
  "gcp",
  {
    projectId: "projectid",
    location: "locationname",
    keyRing: "keyringname",
    keyName: "keyname"
  },
  [ "keyAlternateName" ]
)

Where:其中:

  • The first parameter must be "gcp" to specify the configured Google Cloud KMS.第一个参数必须是"gcp",以指定配置的Google Cloud KMS。

  • The second parameter must be a document containing第二个参数必须是包含

    • projectid is the name of your GCP project, such as my-project是您的GCP项目的名称,例如my-project

    • locationname is the location of the KMS keyring, such as 是KMS钥匙环的位置,例如global

    • keyringname is the name of the KMS keyring, such as 是KMS密钥环的名称,例如my-keyring

    • keyname is the name of your key.是密钥的名称。

  • The third parameter may be an array of one or more keyAltNames for the data encryption key. 第三参数可以是数据加密密钥的一个或多个keyAltNames的数组。Each key alternate name must be unique. 每个密钥备用名称必须是唯一的。getKeyVault() creates a unique index on keyAltNames to enforce uniqueness on the field if one does not already exist. getKeyVault()keyAltNames上创建一个唯一索引(如果不存在),以强制字段的唯一性。Key alternate names facilitate data encryption key findability.密钥替代名称有助于数据加密密钥的查找。

If successful, createKey() returns the UUID of the new data encryption key. 如果成功,createKey()将返回新数据加密密钥的UUIDThe UUID is a BSON Binary (BinData) object with subtype 4 that uniquely identifies the data encryption key. UUID是一个BSONBinary (BinData)对象,其子类型4唯一标识数据加密密钥。The UUID string is the hexadecimal representation of the underlying binary data.UUID字符串是基础二进制数据的十六进制表示。

If you are providing the data encryption key to an official 4.2+ compatible driver in order to configure automatic client-side field level encryption, you must use the base64 representation of the UUID string.如果要向官方的4.2+兼容驱动程序提供数据加密密钥以配置自动客户端字段级加密,则必须使用UUID字符串的base64表示。

You can run the following operation in mongosh to convert a UUID hexadecimal string to its base64 representation:您可以在mongosh中运行以下操作,将UUID十六进制字符串转换为其base64表示形式:

UUID("b4b41b33-5c97-412e-a02b-743498346079").base64()

Supply the UUID of your own data encryption key to this command, as returned from createKey() above, or as described in Retrieve an Existing Data Encryption Key.向该命令提供您自己的数据加密密钥的UUID,如从上面的createKey()返回的,或如检索现有数据加密密钥中所述。

1

Generate an Encryption Key.生成加密密钥。

Configuring client-side field level encryption for a locally-managed key requires specifying a base64-encoded 96-byte string with no line breaks.为本地管理的密钥配置客户端字段级加密需要指定不带换行符的base64编码的96字节字符串。

To mitigate the risk of these credentials leaking into logs, the following procedure passes the values into mongosh using environment variables.为了降低这些凭据泄漏到日志中的风险,以下过程使用环境变量将值传递到mongosh中。

The following operation generates a key that meets the stated requirements and adds it to the user's ~/.profile. 以下操作生成满足所述要求的密钥,并将其添加到用户的~/.profile中。If the key DEV_LOCAL_KEY already exists, skip this operation.如果密钥DEV_LOCAL_KEY已经存在,请跳过此操作。

echo "export DEV_LOCAL_KEY=\"$(head -c 96 /dev/urandom | base64 | tr -d '\n')\"" >> ~/.profile

The host operating system may require logging out and back in to refresh the loaded environment variables. 主机操作系统可能需要注销并重新登录以刷新加载的环境变量。Alternatively, you can use the command source ~/.profile to manually refresh the shell.或者,可以使用命令source ~/.profile手动刷新shell。

Note注意

Your specific host operating system or shell may have different procedures for setting persistent environment variables. 特定的主机操作系统或shell可能有不同的设置持久环境变量的过程。Defer to the documentation for your host OS or shell for a more specific procedure as appropriate.请参阅主机操作系统或shell的文档,以了解更具体的过程。

2

Launch mongosh.启动mongosh

Create a mongosh session using the --eval, --shell, and --nodb options:

mongosh --eval "var LOCAL_KEY = '$DEV_LOCAL_KEY' " \
  --shell --nodb

The example automatically opens mongosh without a connection to a MongoDB database. 该示例自动打开mongosh,无需连接MongoDB数据库。The --eval option sets the LOCAL_KEY variable in mongosh to the value of the corresponding environment variable.--eval选项将mongosh中的LOCAL_KEY变量设置为相应环境变量的值。

3

Create the Encryption Configuration.创建加密配置。

In mongosh, create a new ClientSideFieldLevelEncryptionOptions variable for storing the client-side field level encryption configuration document:mongosh中,创建一个新的ClientSideFieldLevelEncryptionOptions变量,用于存储客户端字段级加密配置文档:

var ClientSideFieldLevelEncryptionOptions = {
  "keyVaultNamespace" : "encryption.__dataKeys",
  "kmsProviders" : {
    "local" : {
      "key" : BinData(0, LOCAL_KEY)
    }
  }
}
4

Connect with Encryption Support.连接加密支持。

In mongosh, use the Mongo() constructor to establish a database connection to the target cluster. mongosh中,使用Mongo()构造函数建立到目标集群的数据库连接。Specify the ClientSideFieldLevelEncryptionOptions document as the second parameter to the Mongo() constructor to configure the connection for client-side field level encryption:ClientSideFieldLevelEncryptionOptions文档指定为Mongo()构造函数的第二个参数,以配置客户端字段级加密的连接:

csfleDatabaseConnection = Mongo(
  "mongodb://replaceMe.example.net:27017/?replicaSet=myMongoCluster",
  ClientSideFieldLevelEncryptionOptions
)

Replace the replaceMe.example.net URI with the connection string for the target cluster.replaceMe.example.net URI替换为目标群集的连接字符串。

Use the csfleDatabaseConnection object to access client-side field level encryption shell methods.使用csfleDatabaseConnection对象访问客户端字段级加密shell方法。

For complete documentation on establishing database connections configured for client-side field level encryption, see the Mongo() constructor reference.有关建立为客户端字段级加密配置的数据库连接的完整文档,请参阅Mongo()构造函数参考。

5

Create the Key Vault Object.创建密钥Vault对象。

Use the getKeyVault() method on the csfleDatabaseConnection database connection object to create the keyVault object:csfleDatabaseConnection数据库连接对象使用getKeyVault()方法创建keyVault对象:

keyVault = csfleDatabaseConnection.getKeyVault();
Important重要

Client-side field level encryption depends on server-enforced uniqueness of key alternate names. 客户端字段级加密取决于服务器强制的密钥备用名称的唯一性。getKeyVault() creates a unique index on keyAltNames if one does not exist. getKeyVault()keyAltNames上创建唯一索引(如果不存在)。Do not drop the unique index created by getKeyVault().不要删除由getKeyVault()创建的唯一索引

6

Create the Data Encryption Key.创建数据加密密钥。

Use the KeyVault.createKey() method on the keyVault object to create a new data encryption key in the key vault:keyVault对象使用KeyVault.createKey()方法在密钥库中创建新的数据加密密钥:

keyVault.createKey(
  "local",
  [ "keyAlternateName" ]
)

Where:其中:

  • The first parameter must be local to specify the configured locally managed key.第一个参数必须是本地的,以指定配置的本地管理密钥。

  • The second parameter may be an array of one or more keyAltNames for the data encryption key. 第二参数可以是数据加密密钥的一个或多个keyAltNames的数组。Each key alternate name must be unique. 每个密钥备用名称必须是唯一的。getKeyVault() creates a unique index on keyAltNames to enforce uniqueness on the field if one does not already exist. getKeyVault()keyAltNames上创建一个唯一索引,以强制字段的唯一性(如果不存在)。Key alternate names facilitate data encryption key findability.密钥替代名称有助于数据加密密钥的查找。

Note注意

Prior to MongoDB 4.2.3, creating a local key required specifying an empty string "" as the second parameter and the optional array of keyAltNames as the third parameter.在MongoDB 4.2.3之前,创建本地密钥需要将空字符串""指定为第二个参数,将可选的keyAltNames数组指定为第三个参数。

If successful, createKey() returns the UUID of the new data encryption key. 如果成功,createKey()将返回新数据加密密钥的UUIDThe UUID is a BSON Binary (BinData) object with subtype 4 that uniquely identifies the data encryption key. UUID是一个BSONBinary (BinData)对象,其子类型4唯一标识数据加密密钥。The UUID string is the hexadecimal representation of the underlying binary data.UUID字符串是基础二进制数据的十六进制表示。

If you are providing the data encryption key to an official 4.2+ compatible driver in order to configure automatic client-side field level encryption, you must use the base64 representation of the UUID string.如果要向官方的4.2+兼容驱动程序提供数据加密密钥以配置自动客户端字段级加密,则必须使用UUID字符串的base64表示。

You can run the following operation in mongosh to convert a UUID hexadecimal string to its base64 representation:您可以在mongosh中运行以下操作,将UUID十六进制字符串转换为其base64表示形式:

UUID("b4b41b33-5c97-412e-a02b-743498346079").base64()

Supply the UUID of your own data encryption key to this command, as returned from createKey() above, or as described in Retrieve an Existing Data Encryption Key.向该命令提供您自己的数据加密密钥的UUID,如从上面的createKey()返回的,或如检索现有数据加密密钥中所述。

Manage a Data Encryption Key's Alternate Name管理数据加密密钥的备用名称

The following procedure uses mongosh to manage the alternate names of a data encryption key. 以下过程使用mongosh管理数据加密密钥的备用名称。For guidance on data encryption key management using a 4.2+ compatible driver, see the driver documentation instead.有关使用4.2+兼容驱动程序进行数据加密密钥管理的指导,请参阅驱动程序文档

If you are still within your configured mongosh session from the Create a Data Encryption Key steps above, you can skip directly to step 5.如果您仍然在上述创建数据加密密钥步骤中配置的mongosh会话中,则可以直接跳到步骤5。

Use the tabs below to select the KMS appropriate for your deployment:使用以下选项卡选择适合您的部署的KMS:

1

Launch mongosh.启动mongosh

Configuring client-side field level encryption for the AWS KMS requires an AWS Access Key ID and its associated Secret Access Key. 为AWS KMS配置客户端字段级加密需要AWS访问密钥ID及其关联的秘密访问密钥。The AWS Access Key must correspond to an IAM user with all List and Read permissions for the KMS service.AWS访问密钥必须与具有KMS服务的所有ListRead权限的IAM用户相对应。

To mitigate the risk of these credentials leaking into logs, the following procedure passes the values into mongosh using environment variables.为了降低这些凭据泄漏到日志中的风险,以下过程使用环境变量将值传递到mongosh中。

First, ensure that you have configured the following environment variables according to your platform's documentation:首先,确保已根据平台文档配置了以下环境变量:

  • AWS_ACCESS_KEY_ID

  • AWS_SECRET_ACCESS_KEY

Next, create mongosh session using the --eval, --shell, and --nodb options:接下来,使用--eval--shell--nodb选项创建mongosh会话:

mongosh --eval "
    var AWS_ACCESS_KEY_ID = '$AWS_ACCESS_KEY_ID'
    var AWS_SECRET_ACCESS_KEY = '$AWS_SECRET_ACCESS_KEY'
  " \
  --shell --nodb

This example opens mongosh without a connection to a MongoDB database. 本例打开mongosh时没有连接到MongoDB数据库。The --eval option sets the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY variables in mongosh to the value of the corresponding environment variables. --eval选项将mongosh中的AWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEY变量设置为相应环境变量的值。The specified variables are also supported by the AWS CLI.AWS CLI也支持指定的变量。

2

Create the Encryption Configuration.创建加密配置。

In mongosh, create a new ClientSideFieldLevelEncryptionOptions variable for storing the client-side field level encryption configuration document:mongosh中,创建一个新的ClientSideFieldLevelEncryptionOptions变量,用于存储客户端字段级加密配置文档:

var ClientSideFieldLevelEncryptionOptions = {
  "keyVaultNamespace" : "encryption.__dataKeys",
  "kmsProviders" : {
    "aws" : {
      "accessKeyId" : AWS_ACCESS_KEY_ID,
      "secretAccessKey" : AWS_SECRET_ACCESS_KEY
    }
  }
}
3

Connect with Encryption Support.连接加密支持。

In mongosh, use the Mongo() constructor to establish a database connection to the target cluster. mongosh中,使用Mongo()构造函数建立到目标集群的数据库连接。Specify the ClientSideFieldLevelEncryptionOptions document as the second parameter to the Mongo() constructor to configure the connection for client-side field level encryption:ClientSideFieldLevelEncryptionOptions文档指定为Mongo()构造函数的第二个参数,以配置客户端字段级加密的连接:

csfleDatabaseConnection = Mongo(
  "mongodb://replaceMe.example.net:27017/?replicaSet=myMongoCluster",
  ClientSideFieldLevelEncryptionOptions
)

Replace the replaceMe.example.net URI with the connection string for the target cluster.replaceMe.example.net URI替换为目标群集的连接字符串。

Use the csfleDatabaseConnection object to access client-side field level encryption shell methods.使用csfleDatabaseConnection对象访问客户端字段级加密 shell方法。

For complete documentation on establishing database connections configured for client-side field level encryption, see the Mongo() constructor reference.有关建立为客户端字段级加密配置的数据库连接的完整文档,请参阅Mongo()构造函数参考。

4

Create the Key Vault Object.创建密钥Vault对象。

Use the getKeyVault() method on the csfleDatabaseConnection database connection object to create the keyVault object:csfleDatabaseConnection数据库连接对象使用getKeyVault()方法创建keyVault对象:

keyVault = csfleDatabaseConnection.getKeyVault();
Important重要

Client-side field level encryption depends on server-enforced uniqueness of key alternate names. 客户端字段级加密取决于服务器强制的密钥备用名称的唯一性。getKeyVault() creates a unique index on keyAltNames if one does not exist. getKeyVault()keyAltNames上创建唯一索引(如果不存在)。Do not drop the unique index created by getKeyVault().不要删除由getKeyVault()创建的唯一索引

5

Manage the Data Encryption Key's Alternate Name.管理数据加密密钥的备用名称。

Use the steps below to either add or remove an existing Key Alternate Name.使用以下步骤添加或删除现有密钥备用名称。

Add Key Alternate Name添加密钥备用名称
Important重要

Client-side field level encryption depends on server-enforced uniqueness of key alternate names. 客户端字段级加密取决于服务器强制的密钥备用名称的唯一性。Validate that a unique index exists on keyAltNames prior to adding a new key alternate name. 在添加新的密钥替代名称之前,验证keyAltNames上是否存在唯一索引。If the unique index was dropped, you must re-create it prior to adding any key alternate names.如果删除了唯一索引,则必须在添加任何键替代名称之前重新创建它。

Use the KeyVault.addKeyAlternateName() to add a new alternate name to a data encryption key:使用KeyVault.addKeyAlternateName()为数据加密密钥添加新的备用名称:

keyVault.addKeyAlternateName(
  UUID("<Replace Me With The UUID Of The Key To Modify"),
  "NewKeyAltNameForMyFirstCSFLEDataKey"
)

Where:其中:

  • The first parameter must be the UUID of the data encryption key to modify.第一个参数必须是要修改的数据加密密钥的UUID。

  • The second parameter must be a unique string. 第二个参数必须是唯一的字符串。getKeyVault() creates a unique index on keyAltNames to enforce uniqueness of key alternate names.keyAltNames上创建唯一索引,以强制密钥备用名称的唯一性。

KeyVault.addKeyAlternateName() returns the data encryption key document prior to modification. 返回修改前的数据加密密钥文档。Use KeyVault.getKey() to retrieve the modified data encryption key.使用KeyVault.getKey()检索修改的数据加密密钥。

Remove Key Alternate Name删除密钥备用名称

Use the KeyVault.removeKeyAlternateName() to remove a key alternate name from a data encryption key:使用KeyVault.removeKeyAlternateName()从数据加密密钥中删除密钥备用名:

keyVault.removeKeyAlternateName(
  UUID("<Replace Me With The UUID Of The Key To Modify"),
  "NewKeyAltNameForMyFirstCSFLEDataKey"
)

Where:其中:

  • The first parameter must be the UUID of the data encryption key to modify.第一个参数必须是要修改的数据加密密钥的UUID

  • The second parameter must be a string key alternate name.第二个参数必须是字符串键替代名称。

KeyVault.removeKeyAlternateName() returns the data encryption key prior to modification. 返回修改前的数据加密密钥。Use KeyVault.getKey() to retrieve the modified data encryption key.使用KeyVault.getKey()检索修改的数据加密密钥。

1

Launch mongosh.启动mongosh

Configuring client-side field level encryption for Azure Key Vault requires a valid Tenant ID, Client ID, and Client Secret.为Azure密钥库配置客户端字段级加密需要有效的租户ID、客户端ID和客户端密钥。

To mitigate the risk of these credentials leaking into logs, the following procedure passes the values into mongosh using environment variables.为了降低这些凭据泄漏到日志中的风险,以下过程使用环境变量将值传递到mongosh中。

First, ensure that you have configured the following environment variables according to your platform's documentation:首先,确保已根据平台文档配置了以下环境变量:

  • AZURE_TENANT_ID

  • AZURE_CLIENT_ID

  • AZURE_CLIENT_SECRET

Next, create a mongosh session using the --eval, --shell, and --nodb options:接下来,使用--eval--shell--nodb选项创建mongosh会话:

mongosh --eval "
    var AZURE_TENANT_ID = '$AZURE_TENANT_ID'
    var AZURE_CLIENT_ID = '$AZURE_CLIENT_ID'
    var AZURE_CLIENT_SECRET = '$AZURE_CLIENT_SECRET'
  " \
  --shell --nodb

This example opens mongosh without a connection to a MongoDB database. 本例打开mongosh时没有连接到MongoDB数据库。The --eval option sets the AZURE_TENANT_ID, and AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET variables in mongosh to the value of the corresponding environment variables.--eval选项将mongosh中的AZURE_TENANT_IDAZURE_CLIENT_IDAZURE_CLEENT_SECRET变量设置为相应环境变量的值。

2

Create the Encryption Configuration.创建加密配置。

In mongosh, create a new ClientSideFieldLevelEncryptionOptions variable for storing the client-side field level encryption configuration document:mongosh中,创建一个新的ClientSideFieldLevelEncryptionOptions变量,用于存储客户端字段级加密配置文档:

var ClientSideFieldLevelEncryptionOptions = {
  "keyVaultNamespace" : "encryption.__dataKeys",
  "kmsProviders" : {
    "azure" : {
      "tenantId" : AZURE_TENANT_ID,
      "clientId" : AZURE_CLIENT_ID,
      "clientSecret" : AZURE_CLIENT_SECRET
    }
  }
}
3

Connect with Encryption Support.连接加密支持。

In mongosh, use the Mongo() constructor to establish a database connection to the target cluster. mongosh中,使用Mongo()构造函数建立到目标集群的数据库连接。Specify the ClientSideFieldLevelEncryptionOptions document as the second parameter to the Mongo() constructor to configure the connection for client-side field level encryption:ClientSideFieldLevelEncryptionOptions文档指定为Mongo()构造函数的第二个参数,以配置客户端字段级加密的连接:

csfleDatabaseConnection = Mongo(
  "mongodb://replaceMe.example.net:27017/?replicaSet=myMongoCluster",
  ClientSideFieldLevelEncryptionOptions
)

Replace the replaceMe.example.net URI with the connection string for the target cluster.replaceMe.example.net URI替换为目标群集的连接字符串。

Use the csfleDatabaseConnection object to access client-side field level encryption shell methods.使用csfleDatabaseConnection对象访问客户端字段级加密 shell方法。

For complete documentation on establishing database connections configured for client-side field level encryption, see the Mongo() constructor reference.有关建立为客户端字段级加密配置的数据库连接的完整文档,请参阅Mongo()构造函数参考。

4

Create the Key Vault Object.创建密钥Vault对象。

Use the getKeyVault() method on the csfleDatabaseConnection database connection object to create the keyVault object:csfleDatabaseConnection数据库连接对象使用getKeyVault()方法创建keyVault对象:

keyVault = csfleDatabaseConnection.getKeyVault();
Important重要

Client-side field level encryption depends on server-enforced uniqueness of key alternate names. 客户端字段级加密取决于服务器强制的密钥备用名称的唯一性。getKeyVault() creates a unique index on keyAltNames if one does not exist. getKeyVault()在keyAltNames上创建唯一索引(如果不存在)。Do not drop the unique index created by getKeyVault().不要删除由getKeyVault()创建的唯一索引

5

Manage the Data Encryption Key's Alternate Name.管理数据加密密钥的备用名称。

Use the steps below to either add or remove an existing Key Alternate Name.使用以下步骤添加或删除现有密钥备用名称。

Add Key Alternate Name添加密钥备用名称
Important重要

Client-side field level encryption depends on server-enforced uniqueness of key alternate names. 客户端字段级加密取决于服务器强制的密钥备用名称的唯一性。Validate that a unique index exists on keyAltNames prior to adding a new key alternate name. 在添加新的密钥替代名称之前,验证keyAltNames上是否存在唯一索引。If the unique index was dropped, you must re-create it prior to adding any key alternate names.如果删除了唯一索引,则必须在添加任何键替代名称之前重新创建它。

Use the KeyVault.addKeyAlternateName() to add a new alternate name to a data encryption key:使用KeyVault.addKeyAlternateName()为数据加密密钥添加新的备用名称:

keyVault.addKeyAlternateName(
  UUID("<Replace Me With The UUID Of The Key To Modify"),
  "NewKeyAltNameForMyFirstCSFLEDataKey"
)

Where:其中:

  • The first parameter must be the UUID of the data encryption key to modify.第一个参数必须是要修改的数据加密密钥的UUID

  • The second parameter must be a unique string. 第二个参数必须是唯一的字符串。getKeyVault() creates a unique index on keyAltNames to enforce uniqueness of key alternate names.getKeyVault()keyAltNames上创建唯一索引,以强制密钥替代名称的唯一性。

KeyVault.addKeyAlternateName() returns the data encryption key document prior to modification. KeyVault.addKeyAlternateName()返回修改前的数据加密密钥文档。Use KeyVault.getKey() to retrieve the modified data encryption key.使用KeyVault.getKey()检索修改的数据加密密钥。

Remove Key Alternate Name

Use the KeyVault.removeKeyAlternateName() to remove a key alternate name from a data encryption key:使用KeyVault.removeKeyAlternateName()从数据加密密钥中删除密钥替代名称:

keyVault.removeKeyAlternateName(
  UUID("<Replace Me With The UUID Of The Key To Modify"),
  "NewKeyAltNameForMyFirstCSFLEDataKey"
)

Where:其中:

  • The first parameter must be the UUID of the data encryption key to modify.第一个参数必须是要修改的数据加密密钥的UUID。

  • The second parameter must be a string key alternate name.第二个参数必须是字符串键替代名称。

KeyVault.removeKeyAlternateName() returns the data encryption key prior to modification. 返回修改前的数据加密密钥。Use KeyVault.getKey() to retrieve the modified data encryption key.使用KeyVault.getKey()检索修改的数据加密密钥。

1

Launch mongosh.启动mongosh

Configuring client-side field level encryption for the GCP KMS requires your GCP Email and its associated Private Key.为GCP KMS配置客户端字段级加密需要GCP电子邮件及其相关私钥。

To mitigate the risk of these credentials leaking into logs, the following procedure passes the values into mongosh using environment variables.为了降低这些凭据泄漏到日志中的风险,以下过程使用环境变量将值传递到mongosh中。

First, ensure that you have configured the following environment variables according to your platform's documentation:首先,确保已根据平台文档配置了以下环境变量:

  • GCP_EMAIL

  • GCP_PRIVATEKEY

Next, create a mongosh session using the --eval, --shell, and --nodb options:接下来,使用--eval--shell--nodb选项创建mongosh会话:

mongosh --eval "
    var GCP_EMAIL = '$GCP_EMAIL'
    var GCP_PRIVATEKEY = '$GCP_PRIVATEKEY'
  " \
  --shell --nodb

This example opens mongosh without a connection to a MongoDB database. 本例打开mongosh时没有连接到MongoDB数据库。The --eval option sets the GCP_EMAIL and GCP_PRIVATEKEY variables in mongosh to the value of the corresponding environment variables.--eval选项将mongosh中的GCP_EMAILGCP_PRIVATEKEY变量设置为相应环境变量的值。

2

Create the Encryption Configuration.创建加密配置。

In mongosh, create a new ClientSideFieldLevelEncryptionOptions variable for storing the client-side field level encryption configuration document:mongosh中,创建一个新的ClientSideFieldLevelEncryptionOptions变量,用于存储客户端字段级加密配置文档:

var ClientSideFieldLevelEncryptionOptions = {
  "keyVaultNamespace" : "encryption.__dataKeys",
  "kmsProviders" : {
    "gcp" : {
      "email" : GCP_EMAIL,
      "privateKey" : GCP_PRIVATEKEY
    }
  }
}
3

Connect with Encryption Support.连接加密支持。

In mongosh, use the Mongo() constructor to establish a database connection to the target cluster. mongosh中,使用Mongo()构造函数建立到目标集群的数据库连接。Specify the ClientSideFieldLevelEncryptionOptions document as the second parameter to the Mongo() constructor to configure the connection for client-side field level encryption:ClientSideFieldLevelEncryptionOptions文档指定为Mongo()构造函数的第二个参数,以配置客户端字段级加密的连接:

csfleDatabaseConnection = Mongo(
  "mongodb://replaceMe.example.net:27017/?replicaSet=myMongoCluster",
  ClientSideFieldLevelEncryptionOptions
)

Replace the replaceMe.example.net URI with the connection string for the target cluster.replaceMe.example.net URI替换为目标群集的连接字符串。

Use the csfleDatabaseConnection object to access client-side field level encryption shell methods.使用csfleDatabaseConnection对象访问客户端字段级加密shell方法。

For complete documentation on establishing database connections configured for client-side field level encryption, see the Mongo() constructor reference.有关建立为客户端字段级加密配置的数据库连接的完整文档,请参阅Mongo()构造函数参考。

4

Create the Key Vault Object.创建密钥Vault对象。

Use the getKeyVault() method on the csfleDatabaseConnection database connection object to create the keyVault object:csfleDatabaseConnection数据库连接对象使用getKeyVault()方法创建keyVault对象:

keyVault = csfleDatabaseConnection.getKeyVault();
Important重要

Client-side field level encryption depends on server-enforced uniqueness of key alternate names. 客户端字段级加密取决于服务器强制的密钥备用名称的唯一性。getKeyVault() creates a unique index on keyAltNames if one does not exist. getKeyVault()keyAltNames上创建唯一索引(如果不存在)。Do not drop the unique index created by getKeyVault().不要删除由getKeyVault()创建的唯一索引

5

Manage the Data Encryption Key's Alternate Name.管理数据加密密钥的备用名称。

Use the steps below to either add or remove an existing Key Alternate Name.使用以下步骤添加或删除现有密钥备用名称。

Add Key Alternate Name添加密钥备用名称
Important重要

Client-side field level encryption depends on server-enforced uniqueness of key alternate names. 客户端字段级加密取决于服务器强制的密钥备用名称的唯一性。Validate that a unique index exists on keyAltNames prior to adding a new key alternate name. 在添加新的密钥替代名称之前,验证keyAltNames上是否存在唯一索引。If the unique index was dropped, you must re-create it prior to adding any key alternate names.如果删除了唯一索引,则必须在添加任何键替代名称之前重新创建它。

Use the KeyVault.addKeyAlternateName() to add a new alternate name to a data encryption key:使用KeyVault.addKeyAlternateName()为数据加密密钥添加新的备用名称:

keyVault.addKeyAlternateName(
  UUID("<Replace Me With The UUID Of The Key To Modify"),
  "NewKeyAltNameForMyFirstCSFLEDataKey"
)

Where:其中:

  • The first parameter must be the UUID of the data encryption key to modify.第一个参数必须是要修改的数据加密密钥的UUID

  • The second parameter must be a unique string. 第二个参数必须是唯一的字符串。getKeyVault() creates a unique index on keyAltNames to enforce uniqueness of key alternate names.getKeyVault()keyAltNames上创建唯一索引,以强制密钥替代名称的唯一性。

KeyVault.addKeyAlternateName() returns the data encryption key document prior to modification. 返回修改前的数据加密密钥文档。Use KeyVault.getKey() to retrieve the modified data encryption key.使用KeyVault.getKey()检索修改的数据加密密钥。

Remove Key Alternate Name删除密钥备用名称

Use the KeyVault.removeKeyAlternateName() to remove a key alternate name from a data encryption key:使用KeyVault.removeKeyAlternateName()从数据加密密钥中删除密钥替代名称:

keyVault.removeKeyAlternateName(
  UUID("<Replace Me With The UUID Of The Key To Modify"),
  "NewKeyAltNameForMyFirstCSFLEDataKey"
)

Where:其中:

  • The first parameter must be the UUID of the data encryption key to modify.第一个参数必须是要修改的数据加密密钥的UUID。

  • The second parameter must be a string key alternate name.第二个参数必须是字符串键替代名称。

KeyVault.removeKeyAlternateName() returns the data encryption key prior to modification. 返回修改前的数据加密密钥。Use KeyVault.getKey() to retrieve the modified data encryption key.使用KeyVault.getKey()检索修改的数据加密密钥。

1

Generate an Encryption Key.生成加密密钥。

Configuring client-side field level encryption for a locally-managed key requires specifying a base64-encoded 96-byte string with no line breaks.为本地管理的密钥配置客户端字段级加密需要指定不带换行符的base64编码的96字节字符串。

To mitigate the risk of these credentials leaking into logs, the following procedure passes the values into mongosh using environment variables.为了降低这些凭据泄漏到日志中的风险,以下过程使用环境变量将值传递到mongosh中。

The following operation generates a key that meets the stated requirements and adds it to the user's ~/.profile. 以下操作生成满足所述要求的密钥,并将其添加到用户的~/.profile中。If the key DEV_LOCAL_KEY already exists, skip this operation.如果密钥DEV_LOCAL_KEY已经存在,请跳过此操作。

echo "export DEV_LOCAL_KEY=\"$(head -c 96 /dev/urandom | base64 | tr -d '\n')\"" >> ~/.profile

The host operating system may require logging out and back in to refresh the loaded environment variables. 主机操作系统可能需要注销并重新登录以刷新加载的环境变量。Alternatively, you can use the command source ~/.profile to manually refresh the shell.或者,可以使用命令source ~/.profile手动刷新shell。

Note注意

Your specific host operating system or shell may have different procedures for setting persistent environment variables. 特定的主机操作系统或shell可能有不同的设置持久环境变量的过程。Defer to the documentation for your host OS or shell for a more specific procedure as appropriate.请参阅主机操作系统或shell的文档,以了解更具体的过程。

2

Launch mongosh.启动mongosh

Create a mongosh session using the --eval, --shell, and --nodb options:使用--eval--shell--nodb选项创建mongosh会话:

mongosh --eval "var LOCAL_KEY = '$DEV_LOCAL_KEY' " \
  --shell --nodb

The example automatically opens mongosh without a connection to a MongoDB database. 该示例自动打开mongosh,无需连接MongoDB数据库。The --eval option sets the LOCAL_KEY variable in mongosh to the value of the corresponding environment variable.--eval选项将mongosh中的LOCAL_KEY变量设置为相应环境变量的值。

3

Create the Encryption Configuration.创建加密配置。

In mongosh, create a new ClientSideFieldLevelEncryptionOptions variable for storing the client-side field level encryption configuration document:mongosh中,创建一个新的ClientSideFieldLevelEncryptionOptions变量,用于存储客户端字段级加密配置文档:

var ClientSideFieldLevelEncryptionOptions = {
  "keyVaultNamespace" : "encryption.__dataKeys",
  "kmsProviders" : {
    "local" : {
      "key" : BinData(0, LOCAL_KEY)
    }
  }
}
4

Connect with Encryption Support.连接加密支持。

In mongosh, use the Mongo() constructor to establish a database connection to the target cluster. mongosh中,使用Mongo()构造函数建立到目标集群的数据库连接。Specify the ClientSideFieldLevelEncryptionOptions document as the second parameter to the Mongo() constructor to configure the connection for client-side field level encryption:ClientSideFieldLevelEncryptionOptions文档指定为Mongo()构造函数的第二个参数,以配置客户端字段级加密的连接:

csfleDatabaseConnection = Mongo(
  "mongodb://replaceMe.example.net:27017/?replicaSet=myMongoCluster",
  ClientSideFieldLevelEncryptionOptions
)

Replace the replaceMe.example.net URI with the connection string for the target cluster.replaceMe.example.net URI替换为目标群集的连接字符串。

Use the csfleDatabaseConnection object to access client-side field level encryption shell methods.使用csfleDatabaseConnection对象访问客户端字段级加密shell方法。

For complete documentation on establishing database connections configured for client-side field level encryption, see the Mongo() constructor reference.有关建立为客户端字段级加密配置的数据库连接的完整文档,请参阅Mongo()构造函数参考。

5

Create the Key Vault Object.创建密钥Vault对象。

Use the getKeyVault() method on the csfleDatabaseConnection database connection object to create the keyVault object:csfleDatabaseConnection数据库连接对象使用getKeyVault()方法创建keyVault对象:

keyVault = csfleDatabaseConnection.getKeyVault();
Important重要

Client-side field level encryption depends on server-enforced uniqueness of key alternate names. 客户端字段级加密取决于服务器强制的密钥备用名称的唯一性。getKeyVault() creates a unique index on keyAltNames if one does not exist. getKeyVault()keyAltNames上创建唯一索引(如果不存在)。Do not drop the unique index created by getKeyVault().不要删除由getKeyVault()创建的唯一索引

6

Manage the Data Encryption Key's Alternate Name.管理数据加密密钥的备用名称。

Use the steps below to either add or remove an existing Key Alternate Name.使用以下步骤添加或删除现有密钥备用名称。

Add Key Alternate Name添加密钥备用名称
Important重要

Client-side field level encryption depends on server-enforced uniqueness of key alternate names. 客户端字段级加密取决于服务器强制的密钥备用名称的唯一性。Validate that a unique index exists on keyAltNames prior to adding a new key alternate name. 在添加新的密钥替代名称之前,验证keyAltNames上是否存在唯一索引。If the unique index was dropped, you must re-create it prior to adding any key alternate names.如果删除了唯一索引,则必须在添加任何键替代名称之前重新创建它。

Use the KeyVault.addKeyAlternateName() to add a new alternate name to a data encryption key:使用KeyVault.addKeyAlternateName()为数据加密密钥添加新的备用名称:

keyVault.addKeyAlternateName(
  UUID("<Replace Me With The UUID Of The Key To Modify"),
  "NewKeyAltNameForMyFirstCSFLEDataKey"
)

Where:其中:

  • The first parameter must be the UUID of the data encryption key to modify.第一个参数必须是要修改的数据加密密钥的UUID

  • The second parameter must be a unique string. getKeyVault() creates a unique index on keyAltNames to enforce uniqueness of key alternate names.

KeyVault.addKeyAlternateName() returns the data encryption key document prior to modification. Use KeyVault.getKey() to retrieve the modified data encryption key.

Remove Key Alternate Name

Use the KeyVault.removeKeyAlternateName() to remove a key alternate name from a data encryption key:

keyVault.removeKeyAlternateName(
  UUID("<Replace Me With The UUID Of The Key To Modify"),
  "NewKeyAltNameForMyFirstCSFLEDataKey"
)

Where:其中:

  • The first parameter must be the UUID of the data encryption key to modify.第一个参数必须是要修改的数据加密密钥的UUID。

  • The second parameter must be a string key alternate name.第二个参数必须是字符串键替代名称。

KeyVault.removeKeyAlternateName() returns the data encryption key prior to modification. 返回修改前的数据加密密钥。Use KeyVault.getKey() to retrieve the modified data encryption key.使用KeyVault.getKey()检索修改的数据加密密钥。

Remove a Data Encryption Key删除数据加密密钥

Warning警告

Deleting a data encryption key renders all fields encrypted using that key as permanently unreadable.删除数据加密密钥会使使用该密钥加密的所有字段永久不可读。

The following procedure uses mongosh to remove a data encryption key from the key vault. 以下过程使用mongosh从密钥库中删除数据加密密钥。For guidance on data encryption key management using a 4.2+ compatible driver, see the driver documentation instead.有关使用4.2+兼容驱动程序进行数据加密密钥管理的指导,请参阅驱动程序文档

If you are still within your configured mongosh session from the Create a Data Encryption Key steps above, you can skip directly to step 5.如果您仍然在上述创建数据加密密钥步骤中配置的mongosh会话中,则可以直接跳到步骤5。

Use the tabs below to select the KMS appropriate for your deployment:使用以下选项卡选择适合您的部署的KMS:

1

Launch mongosh.启动mongosh

Configuring client-side field level encryption for the AWS KMS requires an AWS Access Key ID and its associated Secret Access Key. 为AWS KMS配置客户端字段级加密需要AWS访问密钥ID及其关联的秘密访问密钥。The AWS Access Key must correspond to an IAM user with all List and Read permissions for the KMS service.AWS访问密钥必须与具有KMS服务的所有ListRead权限的IAM用户相对应。

To mitigate the risk of these credentials leaking into logs, the following procedure passes the values into mongosh using environment variables.为了降低这些凭据泄漏到日志中的风险,以下过程使用环境变量将值传递到mongosh中。

First, ensure that you have configured the following environment variables according to your platform's documentation:首先,确保已根据平台文档配置了以下环境变量:

  • AWS_ACCESS_KEY_ID

  • AWS_SECRET_ACCESS_KEY

Next, create mongosh session using the --eval, --shell, and --nodb options:接下来,使用--eval--shell--nodb选项创建mongosh会话:

mongosh --eval "
    var AWS_ACCESS_KEY_ID = '$AWS_ACCESS_KEY_ID'
    var AWS_SECRET_ACCESS_KEY = '$AWS_SECRET_ACCESS_KEY'
  " \
  --shell --nodb

This example opens mongosh without a connection to a MongoDB database. 本例打开mongosh时没有连接到MongoDB数据库。The --eval option sets the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY variables in mongosh to the value of the corresponding environment variables. --eval选项将mongosh中的AWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEY变量设置为相应环境变量的值。The specified variables are also supported by the AWS CLI.AWS CLI也支持指定的变量。

2

Create the Encryption Configuration.创建加密配置。

In mongosh, create a new ClientSideFieldLevelEncryptionOptions variable for storing the client-side field level encryption configuration document:mongosh中,创建一个新的ClientSideFieldLevelEncryptionOptions变量,用于存储客户端字段级加密配置文档:

var ClientSideFieldLevelEncryptionOptions = {
  "keyVaultNamespace" : "encryption.__dataKeys",
  "kmsProviders" : {
    "aws" : {
      "accessKeyId" : AWS_ACCESS_KEY_ID,
      "secretAccessKey" : AWS_SECRET_ACCESS_KEY
    }
  }
}
3

Connect with Encryption Support.连接加密支持。

In mongosh, use the Mongo() constructor to establish a database connection to the target cluster. mongosh中,使用Mongo()构造函数建立到目标集群的数据库连接。Specify the ClientSideFieldLevelEncryptionOptions document as the second parameter to the Mongo() constructor to configure the connection for client-side field level encryption:ClientSideFieldLevelEncryptionOptions文档指定为Mongo()构造函数的第二个参数,以配置客户端字段级加密的连接:

csfleDatabaseConnection = Mongo(
  "mongodb://replaceMe.example.net:27017/?replicaSet=myMongoCluster",
  ClientSideFieldLevelEncryptionOptions
)

Replace the replaceMe.example.net URI with the connection string for the target cluster.replaceMe.example.net URI替换为目标群集的连接字符串。

Use the csfleDatabaseConnection object to access client-side field level encryption shell methods.使用csfleDatabaseConnection对象访问客户端字段级加密shell方法。

For complete documentation on establishing database connections configured for client-side field level encryption, see the Mongo() constructor reference.有关建立为客户端字段级加密配置的数据库连接的完整文档,请参阅Mongo()构造函数参考。

4

Create the Key Vault Object.创建密钥Vault对象。

Use the getKeyVault() method on the csfleDatabaseConnection database connection object to create the keyVault object:csfleDatabaseConnection数据库连接对象使用getKeyVault()方法创建keyVault对象:

keyVault = csfleDatabaseConnection.getKeyVault();
Important重要

Client-side field level encryption depends on server-enforced uniqueness of key alternate names. 客户端字段级加密取决于服务器强制的密钥备用名称的唯一性。getKeyVault() creates a unique index on keyAltNames if one does not exist. keyAltNames上创建唯一索引(如果不存在)。Do not drop the unique index created by getKeyVault().不要删除由getKeyVault()创建的唯一索引

5

Delete the Data Encryption Key Using its UUID.使用UUID删除数据加密密钥。

Use the KeyVault.deleteKey() method on the keyVault object to delete a data key from the key vault:使用keyVault对象上的KeyVault.deleteKey()方法从密钥库中删除数据密钥:

keyVault.deleteKey(UUID("<Replace Me With The UUID Of The Key To Delete"))
1

Launch mongosh.启动mongosh

Configuring client-side field level encryption for Azure Key Vault requires a valid Tenant ID, Client ID, and Client Secret.为Azure密钥库配置客户端字段级加密需要有效的租户ID、客户端ID和客户端密钥。

To mitigate the risk of these credentials leaking into logs, the following procedure passes the values into mongosh using environment variables.为了降低这些凭据泄漏到日志中的风险,以下过程使用环境变量将值传递到mongosh中。

First, ensure that you have configured the following environment variables according to your platform's documentation:首先,确保已根据平台文档配置了以下环境变量:

  • AZURE_TENANT_ID

  • AZURE_CLIENT_ID

  • AZURE_CLIENT_SECRET

Next, create a mongosh session using the --eval, --shell, and --nodb options:接下来,使用--eval--shell--nodb选项创建mongosh会话:

mongosh --eval "
    var AZURE_TENANT_ID = '$AZURE_TENANT_ID'
    var AZURE_CLIENT_ID = '$AZURE_CLIENT_ID'
    var AZURE_CLIENT_SECRET = '$AZURE_CLIENT_SECRET'
  " \
  --shell --nodb

This example opens mongosh without a connection to a MongoDB database. 本例打开mongosh时没有连接到MongoDB数据库。The --eval option sets the AZURE_TENANT_ID, and AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET variables in mongosh to the value of the corresponding environment variables.--eval选项将mongosh中的AZURE_TENANT_IDAZURE_CLIENT_IDAZURE_CLEENT_SECRET变量设置为相应环境变量的值。

2

Create the Encryption Configuration.创建加密配置。

In mongosh, create a new ClientSideFieldLevelEncryptionOptions variable for storing the client-side field level encryption configuration document:mongosh中,创建一个新的ClientSideFieldLevelEncryptionOptions变量,用于存储客户端字段级加密配置文档:

var ClientSideFieldLevelEncryptionOptions = {
  "keyVaultNamespace" : "encryption.__dataKeys",
  "kmsProviders" : {
    "azure" : {
      "tenantId" : AZURE_TENANT_ID,
      "clientId" : AZURE_CLIENT_ID,
      "clientSecret" : AZURE_CLIENT_SECRET
    }
  }
}
3

Connect with Encryption Support.连接加密支持。

In mongosh, use the Mongo() constructor to establish a database connection to the target cluster. mongosh中,使用Mongo()构造函数建立到目标集群的数据库连接。Specify the ClientSideFieldLevelEncryptionOptions document as the second parameter to the Mongo() constructor to configure the connection for client-side field level encryption:ClientSideFieldLevelEncryptionOptions文档指定为Mongo()构造函数的第二个参数,以配置客户端字段级加密的连接:

csfleDatabaseConnection = Mongo(
  "mongodb://replaceMe.example.net:27017/?replicaSet=myMongoCluster",
  ClientSideFieldLevelEncryptionOptions
)

Replace the replaceMe.example.net URI with the connection string for the target cluster.将code>replaceMe.example.net URI替换为目标群集的连接字符串。

Use the csfleDatabaseConnection object to access client-side field level encryption shell methods.使用csfleDatabaseConnection对象访问客户端字段级加密shell方法。

For complete documentation on establishing database connections configured for client-side field level encryption, see the Mongo() constructor reference.有关建立为客户端字段级加密配置的数据库连接的完整文档,请参阅Mongo()构造函数参考。

4

Create the Key Vault Object.创建密钥Vault对象。

Use the getKeyVault() method on the csfleDatabaseConnection database connection object to create the keyVault object:csfleDatabaseConnection数据库连接对象使用getKeyVault()方法创建keyVault对象:

keyVault = csfleDatabaseConnection.getKeyVault();
Important重要

Client-side field level encryption depends on server-enforced uniqueness of key alternate names. 客户端字段级加密取决于服务器强制的密钥备用名称的唯一性。getKeyVault() creates a unique index on keyAltNames if one does not exist. keyAltNames上创建唯一索引(如果不存在)。Do not drop the unique index created by getKeyVault().getKeyVault()不要删除由getKeyVault()创建的唯一索引

5

Delete the Data Encryption Key Using its UUID.使用UUID删除数据加密密钥。

Use the KeyVault.deleteKey() method on the keyVault object to delete a data key from the key vault:使用keyVault对象上的KeyVault.deleteKey()方法从密钥库中删除数据密钥:

keyVault.deleteKey(UUID("<Replace Me With The UUID Of The Key To Delete"))
1

Launch mongosh.启动mongosh

Configuring client-side field level encryption for the GCP KMS requires your GCP Email and its associated Private Key.为GCP KMS配置客户端字段级加密需要GCP电子邮件及其相关私钥。

To mitigate the risk of these credentials leaking into logs, the following procedure passes the values into mongosh using environment variables.为了降低这些凭据泄漏到日志中的风险,以下过程使用环境变量将值传递到mongosh中。

First, ensure that you have configured the following environment variables according to your platform's documentation:首先,确保已根据平台文档配置了以下环境变量:

  • GCP_EMAIL

  • GCP_PRIVATEKEY

Next, create a mongosh session using the --eval, --shell, and --nodb options:接下来,使用--eval--shell--nodb选项创建mongosh会话:

mongosh --eval "
    var GCP_EMAIL = '$GCP_EMAIL'
    var GCP_PRIVATEKEY = '$GCP_PRIVATEKEY'
  " \
  --shell --nodb

This example opens mongosh without a connection to a MongoDB database. 本例打开mongosh时没有连接到MongoDB数据库。The --eval option sets the GCP_EMAIL and GCP_PRIVATEKEY variables in mongosh to the value of the corresponding environment variables.--eval选项将mongosh中的GCP_EMAILGCP_PRIVATEKEY变量设置为相应环境变量的值。

2

Create the Encryption Configuration.创建加密配置。

In mongosh, create a new ClientSideFieldLevelEncryptionOptions variable for storing the client-side field level encryption configuration document:mongosh中,创建一个新的ClientSideFieldLevelEncryptionOptions变量,用于存储客户端字段级加密配置文档:

var ClientSideFieldLevelEncryptionOptions = {
  "keyVaultNamespace" : "encryption.__dataKeys",
  "kmsProviders" : {
    "gcp" : {
      "email" : GCP_EMAIL,
      "privateKey" : GCP_PRIVATEKEY
    }
  }
}
3

Connect with Encryption Support.连接加密支持。

In mongosh, use the Mongo() constructor to establish a database connection to the target cluster. mongosh中,使用Mongo()构造函数建立到目标集群的数据库连接。Specify the ClientSideFieldLevelEncryptionOptions document as the second parameter to the Mongo() constructor to configure the connection for client-side field level encryption:ClientSideFieldLevelEncryptionOptions文档指定为Mongo()构造函数的第二个参数,以配置客户端字段级加密的连接:

csfleDatabaseConnection = Mongo(
  "mongodb://replaceMe.example.net:27017/?replicaSet=myMongoCluster",
  ClientSideFieldLevelEncryptionOptions
)

Replace the replaceMe.example.net URI with the connection string for the target cluster.replaceMe.example.net URI替换为目标群集的连接字符串。

Use the csfleDatabaseConnection object to access client-side field level encryption shell methods.使用csfleDatabaseConnection对象访问客户端字段级加密shell方法。

For complete documentation on establishing database connections configured for client-side field level encryption, see the Mongo() constructor reference.有关建立为客户端字段级加密配置的数据库连接的完整文档,请参阅Mongo()构造函数参考。

4

Create the Key Vault Object.创建密钥Vault对象。

Use the getKeyVault() method on the csfleDatabaseConnection database connection object to create the keyVault object:csfleDatabaseConnection数据库连接对象使用getKeyVault()方法创建keyVault对象:

keyVault = csfleDatabaseConnection.getKeyVault();
Important重要

Client-side field level encryption depends on server-enforced uniqueness of key alternate names. 客户端字段级加密取决于服务器强制的密钥备用名称的唯一性。getKeyVault() creates a unique index on keyAltNames if one does not exist. getKeyVault()keyAltNames上创建唯一索引(如果不存在)。Do not drop the unique index created by getKeyVault().不要删除由getKeyVault()创建的唯一索引

5

Delete the Data Encryption Key Using its UUID.使用UUID删除数据加密密钥。

Use the KeyVault.deleteKey() method on the keyVault object to delete a data key from the key vault:使用keyVault对象上的KeyVault.deleteKey()方法从密钥库中删除数据密钥:

keyVault.deleteKey(UUID("<Replace Me With The UUID Of The Key To Delete"))
1

Generate an Encryption Key.生成加密密钥。

Configuring client-side field level encryption for a locally-managed key requires specifying a base64-encoded 96-byte string with no line breaks.为本地管理的密钥配置客户端字段级加密需要指定不带换行符的base64编码的96字节字符串。

To mitigate the risk of these credentials leaking into logs, the following procedure passes the values into mongosh using environment variables.为了降低这些凭据泄漏到日志中的风险,以下过程使用环境变量将值传递到mongosh中。

The following operation generates a key that meets the stated requirements and adds it to the user's ~/.profile. 以下操作生成满足所述要求的密钥,并将其添加到用户的~/.profile文件中。If the key DEV_LOCAL_KEY already exists, skip this operation.如果密钥DEV_LOCAL_KEY已经存在,请跳过此操作。

echo "export DEV_LOCAL_KEY=\"$(head -c 96 /dev/urandom | base64 | tr -d '\n')\"" >> ~/.profile

The host operating system may require logging out and back in to refresh the loaded environment variables. 主机操作系统可能需要注销并重新登录以刷新加载的环境变量。Alternatively, you can use the command source ~/.profile to manually refresh the shell.或者,可以使用命令source ~/.profile手动刷新shell。

Note注意

Your specific host operating system or shell may have different procedures for setting persistent environment variables. 特定的主机操作系统或shell可能有不同的设置持久环境变量的过程。Defer to the documentation for your host OS or shell for a more specific procedure as appropriate.请参阅主机操作系统或shell的文档,以了解更具体的过程。

2

Launch mongosh.启动mongosh

Create a mongosh session using the --eval, --shell, and --nodb options:使用--eval--shell--nodb选项创建mongosh会话:

mongosh --eval "var LOCAL_KEY = '$DEV_LOCAL_KEY' " \
  --shell --nodb

The example automatically opens mongosh without a connection to a MongoDB database. 该示例自动打开mongosh,无需连接MongoDB数据库。The --eval option sets the LOCAL_KEY variable in mongosh to the value of the corresponding environment variable.--eval选项将mongosh中的LOCAL_KEY变量设置为相应环境变量的值。

3

Create the Encryption Configuration.创建加密配置。

In mongosh, create a new ClientSideFieldLevelEncryptionOptions variable for storing the client-side field level encryption configuration document:mongosh中,创建一个新的ClientSideFieldLevelEncryptionOptions变量,用于存储客户端字段级加密配置文档:

var ClientSideFieldLevelEncryptionOptions = {
  "keyVaultNamespace" : "encryption.__dataKeys",
  "kmsProviders" : {
    "local" : {
      "key" : BinData(0, LOCAL_KEY)
    }
  }
}
4

Connect with Encryption Support.连接加密支持。

In mongosh, use the Mongo() constructor to establish a database connection to the target cluster. mongosh中,使用Mongo()构造函数建立到目标集群的数据库连接。Specify the ClientSideFieldLevelEncryptionOptions document as the second parameter to the Mongo() constructor to configure the connection for client-side field level encryption:ClientSideFieldLevelEncryptionOptions文档指定为Mongo()构造函数的第二个参数,以配置客户端字段级加密的连接:

csfleDatabaseConnection = Mongo(
  "mongodb://replaceMe.example.net:27017/?replicaSet=myMongoCluster",
  ClientSideFieldLevelEncryptionOptions
)

Replace the replaceMe.example.net URI with the connection string for the target cluster.replaceMe.example.net URI替换为目标群集的连接字符串。

Use the csfleDatabaseConnection object to access client-side field level encryption shell methods.使用csfleDatabaseConnection对象访问客户端字段级加密shell方法。

For complete documentation on establishing database connections configured for client-side field level encryption, see the Mongo() constructor reference.有关建立为客户端字段级加密配置的数据库连接的完整文档,请参阅Mongo()构造函数参考。

5

Create the Key Vault Object.创建密钥Vault对象。

Use the getKeyVault() method on the csfleDatabaseConnection database connection object to create the keyVault object:csfleDatabaseConnection数据库连接对象使用getKeyVault()方法创建keyVault对象:

keyVault = csfleDatabaseConnection.getKeyVault();
Important重要

Client-side field level encryption depends on server-enforced uniqueness of key alternate names. 客户端字段级加密取决于服务器强制的密钥备用名称的唯一性。getKeyVault() creates a unique index on keyAltNames if one does not exist. getKeyVault()在keyAltNames上创建唯一索引(如果不存在)。Do not drop the unique index created by getKeyVault().不要删除由getKeyVault()创建的唯一索引

6

Delete the Data Encryption Key Using its UUID.使用UUID删除数据加密密钥。

Use the KeyVault.deleteKey() method on the keyVault object to delete a data key from the key vault:使用keyVault对象上的KeyVault.deleteKey()方法从密钥库中删除数据密钥:

keyVault.deleteKey(UUID("<Replace Me With The UUID Of The Key To Delete"))

Retrieve an Existing Data Encryption Key检索现有数据加密密钥

To retrieve an existing data encryption key document from the key vault, either:要从密钥库中检索现有数据加密密钥文档,请执行以下任一操作:

If providing the data encryption key to an official 4.2+ compatible driver in order to configure automatic client-side field level encryption, you must use the base64 representation of the UUID string.如果向官方4.2+兼容驱动程序提供数据加密密钥以配置自动客户端字段级加密,则必须使用UUID字符串的base64表示。

You can run the following operation in mongosh to convert a UUID hexadecimal string to its base64 representation:您可以在mongosh中运行以下操作,将UUID十六进制字符串转换为其base64表示形式:

UUID("b4b41b33-5c97-412e-a02b-743498346079").base64()

Supply the UUID of your own data encryption key to this command.为此命令提供您自己的数据加密密钥的UUID

←  Master Key and Data Encryption Key ManagementLimitations →