
Encryption Schemas

MongoDB's Queryable Encryption feature is available (GA) in MongoDB 7.0 and later. To learn more about Queryable Encryption and compare its benefits with Client-Side Field Level Encryption, see Queryable Encryption.

Overview

On this page, you can learn how to create an encryption schema for automatic Client-Side Field Level Encryption (CSFLE), and see an example that walks through creating the encryption schema used in the CSFLE Quick Start.

Encryption Schemas

An encryption schema is a JSON object that uses a strict subset of JSON Schema Draft 4 syntax, together with the keywords encrypt and encryptMetadata, to define the encryption rules that specify how your CSFLE-enabled client encrypts your documents.

Encryption rules are JSON key-value pairs that define how your client application encrypts your fields. Each encryption rule must specify, or inherit, the following information:

  • The algorithm used to encrypt the field
  • Which Data Encryption Key (DEK) your client uses to encrypt the field
  • The BSON type of the field

Encryption rules must contain either the encrypt or the encryptMetadata keyword.

To learn more about the encryption algorithms you can define in your encryption schema, see Fields and Encryption Types.

To learn more about Data Encryption Keys, see Keys and Key Vaults.

encrypt Keyword

The encrypt keyword defines an encryption rule for a single field in a BSON document. Encryption rules containing the encrypt keyword have the following structure:

"<field-name-to-encrypt>": {
  "encrypt": {
    "algorithm": "<encryption algorithm to use>",
    "bsonType": "<bson type of field>",
    "keyId": [UUID("<_id of your Data Encryption Key>")]
  }
}

encryptMetadata Keyword

The encryptMetadata keyword defines encryption rules that the child elements of the sibling properties keyword inherit. Encryption rules containing encryptMetadata have the following structure:

"bsonType": "object",
"encryptMetadata": {
  "algorithm": "<encryption algorithm inherited by children of properties field>",
  "keyId": [UUID("<_id of your Data Encryption Key>")]
},
"properties": { <object to inherit encryptMetadata values> }

patternProperties Keyword

You can use the patternProperties keyword in your encryption schema to define encryption rules for all fields whose names match a regular expression. This lets you select multiple fields for encryption with a single regular expression, or select them by matching only part of the field name. The patternProperties keyword replaces properties in your encryption schema.

Specify encryption rules with patternProperties using the following structure:

"bsonType": "object",
"patternProperties": {
  "<regular expression to match>": {
    "encrypt": {
      "algorithm": "<encryption algorithm to use>",
      "bsonType": "<bson type of field>",
      "keyId": [UUID("<_id of your Data Encryption Key>")]
    }
  }
}

To see an example of how to use patternProperties, see Encryption Schema - Encrypt with Pattern Properties.

Example

This example explains how to generate the encryption schema used in the Create an Encryption Schema For Your Documents step of the CSFLE Quick Start.

In the Quick Start, you insert documents with the following structure into the patients collection of the medicalRecords database:

{
  "_id": { "$oid": "<_id of your document>" },
  "name": "<name of patient>",
  "ssn": <integer>,
  "bloodType": "<blood type>",
  "medicalRecords": [
    { "weight": <integer>, "bloodPressure": "<blood pressure>" }
  ],
  "insurance": {
    "provider": "<provider name>",
    "policyNumber": <integer>
  }
}

Specify the Namespace

At the root of your encryption schema, specify the namespace to which the schema applies. To encrypt and decrypt documents in the patients collection of the medicalRecords database, specify the following:

{
  "medicalRecords.patients": {
    <the schema created in the following steps of this example>
  }
}

Specify the Data Encryption Key

In the Quick Start, you encrypt all fields of your document with a single Data Encryption Key (DEK). To configure every field in your documents to use that DEK for encryption and decryption, specify the _id of the DEK with the encryptMetadata keyword at the root of your encryption schema, as follows:

{
  "medicalRecords.patients": {
    "bsonType": "object",
    "encryptMetadata": {
      "keyId": [UUID("<_id of your Data Encryption Key>")]
    },
    "properties": {
      <the schema created in the following steps of this example>
    }
  }
}

Choose Encryption Rules

You decide to encrypt the following fields with the following encryption algorithms:

Field Name              Encryption Algorithm   BSON Type
ssn                     Deterministic          Int
bloodType               Random                 String
medicalRecords          Random                 Array
insurance.policyNumber  Deterministic          Int

You choose to encrypt the ssn and insurance.policyNumber fields with deterministic encryption for the following reasons:

  • You want to be able to query on these fields.
  • The values in these fields have high cardinality, so this data is not susceptible to a frequency analysis attack.

You choose to encrypt the bloodType field with random encryption for the following reasons:

  • You do not plan to query on this field.
  • The values in this field have low cardinality, which would make them susceptible to a frequency analysis attack if you encrypted them deterministically.

You must encrypt the medicalRecords field with random encryption, because CSFLE does not support deterministic encryption of fields of type array.

Tip

To learn more about supported and unsupported automatic encryption operations, see Supported Operations for Automatic Encryption.

Specify Encryption Rules

To encrypt the ssn field with deterministic encryption, specify the following in your encryption schema:

"ssn": {
  "encrypt": {
    "bsonType": "int",
    "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
  }
}

To encrypt the bloodType field with random encryption, specify the following in your encryption schema:

"bloodType": {
  "encrypt": {
    "bsonType": "string",
    "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random"
  }
}

To encrypt the medicalRecords field with random encryption, specify the following in your encryption schema:

"medicalRecords": {
  "encrypt": {
    "bsonType": "array",
    "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random"
  }
}

To encrypt the insurance.policyNumber field with deterministic encryption, specify the following in your encryption schema:

"insurance": {
  "bsonType": "object",
  "properties": {
    "policyNumber": {
      "encrypt": {
        "bsonType": "int",
        "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
      }
    }
  }
}

View the Complete Schema

The complete encryption schema for the Quick Start is as follows:

{
  "medicalRecords.patients": {
    "bsonType": "object",
    "encryptMetadata": {
      "keyId": [UUID("<_id of your Data Encryption Key>")]
    },
    "properties": {
      "insurance": {
        "bsonType": "object",
        "properties": {
          "policyNumber": {
            "encrypt": {
              "bsonType": "int",
              "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
            }
          }
        }
      },
      "medicalRecords": {
        "encrypt": {
          "bsonType": "array",
          "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random"
        }
      },
      "bloodType": {
        "encrypt": {
          "bsonType": "string",
          "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random"
        }
      },
      "ssn": {
        "encrypt": {
          "bsonType": "int",
          "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
        }
      }
    }
  }
}
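The following Python is an added example, not code from the MongoDB docs or drivers: it builds the Quick Start schema map above and lints it for the constraints this page states (every encrypt rule needs an algorithm and a keyId, directly or inherited through encryptMetadata, and an array field cannot use deterministic encryption). The function names build_quickstart_schema and lint_schema are assumptions, and the default DEK id is a placeholder UUID rather than a key from a real key vault.

```python
import uuid

DETERMINISTIC = "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
RANDOM = "AEAD_AES_256_CBC_HMAC_SHA_512-Random"

def build_quickstart_schema(dek_id=None):
    """Quick Start schema map: one DEK set once in encryptMetadata at the root
    and inherited by every encrypt rule. dek_id defaults to a placeholder UUID."""
    dek_id = dek_id or uuid.uuid4()  # placeholder, not a real key vault _id
    def rule(bson_type, algorithm):
        return {"encrypt": {"bsonType": bson_type, "algorithm": algorithm}}
    return {
        "medicalRecords.patients": {
            "bsonType": "object",
            "encryptMetadata": {"keyId": [dek_id]},
            "properties": {
                "ssn": rule("int", DETERMINISTIC),        # queryable, high cardinality
                "bloodType": rule("string", RANDOM),      # low cardinality: never deterministic
                "medicalRecords": rule("array", RANDOM),  # arrays cannot be deterministic
                "insurance": {
                    "bsonType": "object",
                    "properties": {"policyNumber": rule("int", DETERMINISTIC)},
                },
            },
        }
    }

def lint_schema(schema_map):
    """Return (field path, problem) pairs; an empty list means the checks pass."""
    problems = []
    def walk(node, path, inherited):
        # encryptMetadata values flow down to the children of the sibling properties
        meta = {**inherited, **node.get("encryptMetadata", {})}
        if "encrypt" in node:
            rule = {**meta, **node["encrypt"]}  # explicit values override inherited ones
            if "keyId" not in rule:
                problems.append((path, "no keyId specified or inherited"))
            if "algorithm" not in rule:
                problems.append((path, "no algorithm specified or inherited"))
            elif rule["algorithm"] == DETERMINISTIC and rule.get("bsonType") == "array":
                problems.append((path, "deterministic encryption is not supported for array"))
            return
        for name, child in node.get("properties", {}).items():
            walk(child, f"{path}.{name}", meta)
        for pattern, child in node.get("patternProperties", {}).items():
            walk(child, f"{path}./{pattern}/", meta)
    for namespace, root in schema_map.items():
        walk(root, namespace, {})
    return problems
```

Run lint_schema over a schema map before handing it to the driver's auto-encryption options, so a rule that would fail at runtime, or silently weaken protection, is caught while the schema is still being authored.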

Learn More

To learn more about encryption schemas, see CSFLE Encryption Schemas.

To learn more about automatic encryption, see Automatic Encryption.

To view the Quick Start, see Quick Start.