Automatic Encryption
MongoDB supports automatically encrypting fields in read and write operations when using Client-Side Field Level Encryption. You can perform automatic encryption using mongosh and official MongoDB drivers which are compatible with version 4.2 and later. For a complete list of official compatible drivers with support for CSFLE, see CSFLE Compatibility under Driver Compatibility.
How Encrypted Writes and Reads Work
The following diagrams show how the client application and driver write and read field-level encrypted data.
Encrypted Writes
For write operations, the driver encrypts field values prior to writing to the MongoDB database.
The following diagram shows the steps taken by the client application and driver to perform a write of field-level encrypted data:

Encrypted Reads
For read operations, the driver encrypts field values in the query prior to issuing the read operation.
For read operations that return encrypted fields, the driver automatically decrypts the encrypted values only if the driver was configured with access to the Customer Master Key (CMK) and Data Encryption Keys (DEK) used to encrypt those values.
The following diagram shows the steps taken by the client application and driver to query and decrypt field-level encrypted data:

Enabling Automatic Client-Side Field Level Encryption
To enable automatic encryption, specify automatic encryption settings in your client's MongoClient instance.
The following code snippets show how to create a client with automatic encryption enabled in mongosh and MongoDB drivers:
// connectionString, keyVaultNamespace, kmsProviders, patientSchema and
// extraOptions are defined earlier in the application (comments added here).
const { MongoClient } = require("mongodb");

const secureClient = new MongoClient(connectionString, {
  useNewUrlParser: true,
  useUnifiedTopology: true,
  monitorCommands: true,
  autoEncryption: {
    keyVaultNamespace,          // "<db>.<collection>" holding the Data Encryption Keys
    kmsProviders,               // KMS credentials used to reach the Customer Master Key
    schemaMap: patientSchema,   // local JSON schema marking which fields to encrypt
    extraOptions: extraOptions, // e.g. mongocryptd or crypt_shared library settings
  },
});
For more information on CSFLE-specific MongoClient settings, see CSFLE-Specific MongoClient Options.
Server-Side Field Level Encryption Enforcement
MongoDB supports using schema validation to enforce encryption of specific fields in a collection. Clients performing automatic Client-Side Field Level Encryption have specific behavior depending on the database connection configuration:
- If the connection's autoEncryptionOpts schemaMap object contains a key for the specified collection, the client uses that object to perform automatic field level encryption and ignores the remote schema. At minimum, the local rules must encrypt those fields that the remote schema marks as requiring encryption.
- If the connection's autoEncryptionOpts schemaMap object does not contain a key for the specified collection, the client downloads the server-side remote schema for the collection and uses it to perform automatic field level encryption.
Important: Behavior Considerations
When autoEncryptionOpts does not contain a key for the specified collection:
- The client trusts that the server has a valid schema with respect to automatic field level encryption.
- The client uses the remote schema to perform automatic CSFLE only. The client does not enforce any other validation rules specified in the schema.
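The schemaMap precedence and the minimum-coverage rule above, as an added JavaScript example that is not part of the MongoDB documentation or driver: it selects the schema the way the page describes and lists remote fields a local schemaMap entry leaves unencrypted. The schemas and the medicalRecords.patients namespace are constructed sample data; the checker reads the encrypt keyword of CSFLE JSON schemas.

```javascript
// Added example (not from the MongoDB docs): models how a CSFLE-enabled client
// picks the schema for a namespace and checks that a local schemaMap entry
// encrypts at least every field the remote (server-side) schema requires.
const ALG_DET = "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic";
const ALG_RND = "AEAD_AES_256_CBC_HMAC_SHA_512-Random";

// Dotted paths of every property carrying an `encrypt` rule, descending into
// nested object schemas via `properties`.
function encryptedPaths(schema, prefix = "") {
  const out = [];
  for (const [name, sub] of Object.entries(schema.properties || {})) {
    const path = prefix ? `${prefix}.${name}` : name;
    if (sub.encrypt) out.push(path);
    if (sub.properties) out.push(...encryptedPaths(sub, path));
  }
  return out;
}

// Page rule: a local schemaMap entry for the namespace wins and the remote
// schema is ignored; otherwise the client falls back to the remote schema.
function selectSchema(autoEncryptionOpts, namespace, remoteSchema) {
  const local = (autoEncryptionOpts.schemaMap || {})[namespace];
  return local ? { source: "local", schema: local }
               : { source: "remote", schema: remoteSchema };
}

// Fields the remote schema requires encrypted that the local schema leaves in
// plaintext; a non-empty result means the local rules violate the minimum.
function missingEncryption(localSchema, remoteSchema) {
  const local = new Set(encryptedPaths(localSchema));
  return encryptedPaths(remoteSchema).filter((p) => !local.has(p));
}

// Constructed sample: the server requires `ssn` and `medical.notes` encrypted.
const remoteSchema = {
  bsonType: "object",
  properties: {
    ssn: { encrypt: { bsonType: "string", algorithm: ALG_DET } },
    medical: { bsonType: "object", properties: {
      notes: { encrypt: { bsonType: "string", algorithm: ALG_RND } } } },
  },
};
// Constructed local rule that forgets the nested field.
const weakLocalSchema = { bsonType: "object", properties: {
  ssn: { encrypt: { bsonType: "string", algorithm: ALG_DET } } } };
const autoEncryptionOpts = {
  schemaMap: { "medicalRecords.patients": weakLocalSchema } };
```

Running missingEncryption(weakLocalSchema, remoteSchema) reports medical.notes, which is exactly the field a client using this local map would write in plaintext despite the server-side rule.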
To learn how to set up server-side CSFLE enforcement, see CSFLE Server-Side Schema Enforcement.