
Fields and Encryption Types

MongoDB's Queryable Encryption feature is available (GA) in MongoDB 7.0 and later. To learn more about Queryable Encryption and compare its benefits with Client-Side Field Level Encryption, see Queryable Encryption.

This page describes the types of encryption used by MongoDB to perform Client-Side Field Level Encryption (CSFLE). To perform CSFLE, MongoDB uses the following types of encryption algorithms:

Deterministic Encryption

The deterministic encryption algorithm ensures that a given input value always encrypts to the same output value each time the algorithm is executed. While deterministic encryption provides greater support for read operations, encrypted data with low cardinality is susceptible to frequency analysis recovery.

For sensitive fields that are not used in read operations, applications may use randomized encryption for improved protection from frequency analysis recovery.

Important

Deterministically Encrypting Objects and Arrays not Supported

Encrypting entire objects and arrays is not supported with deterministic encryption. To learn more and see an example, see Support for Encrypting Objects and Arrays.

Query for Documents on a Deterministically Encrypted Field

You can query deterministically encrypted fields using standard MongoDB driver and mongosh methods.

To view the complete list of all supported query operators on deterministically encrypted fields, see Supported Operations for Automatic Encryption.

To learn more about reads on encrypted data, see Encrypted Reads.

Note

Querying from Clients without CSFLE Configured

When you query on an encrypted field using a client that is not configured to use Client-Side Field Level Encryption (CSFLE), the query returns a null value. A client without CSFLE configured cannot query on an encrypted field.

Randomized Encryption

The randomized encryption algorithm ensures that a given input value always encrypts to a different output value each time the algorithm is executed. While randomized encryption provides the strongest guarantees of data confidentiality, it also prevents support for any read operations which must operate on the encrypted field to evaluate the query.

For sensitive fields that are used in read operations, applications must use deterministic encryption for improved read support on encrypted fields.

Support for Encrypting Objects and Arrays

Encrypting entire objects or arrays is only supported with randomized encryption.

For example, consider the following document:

    {
      "personal_information" : {
        "ssn" : "123-45-6789",
        "credit_score" : 750,
        "credit_cards" : [ "1234-5678-9012-3456", "9876-5432-1098-7654" ]
      },
      "phone_numbers" : [ "(212) 555-0153" ]
    }

Encrypting the personal_information and phone_numbers fields using the randomized encryption algorithm encrypts the entire object. While this protects all fields nested under those fields, it also prevents querying against those nested fields.

To learn more about supported operations for encryption, see Supported Operations for Automatic Encryption.

Query for Documents on a Randomly Encrypted Field

You cannot directly query for documents on a randomly encrypted field. However, you can use another field to find the document that contains an approximation of the randomly encrypted field data.

For example, consider the following document where the ssn field is randomly encrypted:

    {
      "_id": "5d6ecdce70401f03b27448fc",
      "name": "Jon Doe",
      "ssn": 241014209,
      "bloodType": "AB+",
      "medicalRecords": [
        {
          "weight": 180,
          "bloodPressure": "120/80"
        }
      ],
      "insurance": {
        "provider": "MaestCare",
        "policyNumber": 123142
      }
    }

Instead of querying the ssn field, you can add another plain-text field called last4ssn that contains the last 4 digits of the ssn field. You can then query on the last4ssn field as a proxy for ssn:

    {
      "_id": "5d6ecdce70401f03b27448fc",
      "name": "Jon Doe",
      "ssn": 241014209,
      "last4ssn": 4209,
      "bloodType": "AB+",
      "medicalRecords": [
        {
          "weight": 180,
          "bloodPressure": "120/80"
        }
      ],
      "insurance": {
        "provider": "MaestCare",
        "policyNumber": 123142
      }
    }