
Explicit Encryption

MongoDB's Queryable Encryption feature is available (GA) in MongoDB 7.0 and later. To learn more about Queryable Encryption and compare its benefits with Client-Side Field Level Encryption, see Queryable Encryption.

Overview

Learn how to use the explicit encryption mechanism of Client-Side Field Level Encryption (CSFLE).

Explicit encryption is a mechanism in which you specify how to encrypt and decrypt fields in your document for each operation you perform on your database.

Explicit encryption is available in the following MongoDB products of version 4.2 or later:

  • MongoDB Community Server
  • MongoDB Enterprise Advanced
  • MongoDB Atlas

Use Explicit Encryption

To use explicit encryption, you must perform the following actions in your CSFLE-enabled application:

Create a ClientEncryption Instance

To use explicit encryption, you must create a ClientEncryption instance. ClientEncryption is an abstraction used across drivers and mongosh that encapsulates the Key Vault collection and KMS operations involved in explicit encryption.

To create a ClientEncryption instance, you must specify the following information:

  • A MongoClient instance with access to your Key Vault collection
  • The namespace of your Key Vault collection
  • A kmsProviders object configured with access to the KMS hosting your Customer Master Key

For more ClientEncryption options, see CSFLE-Specific MongoClient Options.

To view code snippets that show how to create a ClientEncryption instance, see the Example section of this guide.

Encrypt Fields in Read and Write Operations

You must update read and write operations throughout your application so that it encrypts the relevant fields before performing each read or write.

To encrypt fields, use the encrypt method of your ClientEncryption instance.

To view code snippets that show how to use the encrypt method, see the Example section of this guide.

Manual Decryption

You can decrypt your encrypted fields manually or automatically when using explicit encryption.

To decrypt your fields manually, use the decrypt method of your ClientEncryption instance.

To view code snippets that show how to use the decrypt method, see the Example section of this guide.

Automatic Decryption

To decrypt your fields automatically, configure your MongoClient instance as follows:

  • Specify your Key Vault collection
  • Specify a kmsProviders object
  • If you use MongoDB Community Server, set the bypassAutoEncryption option to True

Note

Automatic Decryption is Available in MongoDB Community Server

Although automatic encryption requires MongoDB Enterprise or MongoDB Atlas, automatic decryption is available in the following MongoDB products of version 4.2 or later:

  • MongoDB Community Server
  • MongoDB Enterprise Advanced
  • MongoDB Atlas

To view a code snippet demonstrating how to enable automatic decryption, select the tab corresponding to your preferred language:

const client = new MongoClient(connectionString, {
  useNewUrlParser: true,
  useUnifiedTopology: true,
  monitorCommands: true,
  autoEncryption: {
    keyVaultNamespace,
    kmsProviders,
    // Community Server cannot auto-encrypt on write; bypassing it still
    // leaves automatic decryption of returned documents enabled
    bypassAutoEncryption: true,
  },
});

Example

Assume you want to insert documents with the following structure into your MongoDB instance:

{
  "name": "<name of person>",
  "age": <age of person>,
  "favorite-foods": ["<array of foods>"]
}

1. Create a MongoClient Instance

In this example, you use the same MongoClient instance to access your Key Vault collection and to read and write encrypted data.

The following code snippets show how to create a MongoClient instance:

const client = new MongoClient(connectionString, {
  useNewUrlParser: true,
  useUnifiedTopology: true,
});

2. Create a ClientEncryption Instance

The following code snippets show how to create a ClientEncryption instance:

const collection = client.db(db).collection(coll);
const encryption = new ClientEncryption(client, {
  keyVaultNamespace,
  kmsProviders,
});

3. Encrypt Fields and Insert

You want to encrypt the fields of your document using the following algorithms:

Field Name     | Encryption Algorithm | BSON Type of Field
name           | Deterministic        | String
age            | No encryption        | Int
favorite-foods | Random               | Array

The following code snippets show how to manually encrypt the fields in your document and insert your document into MongoDB:

Note

The dataKeyId variable in the following examples refers to a Data Encryption Key (DEK). To learn how to generate a DEK with your Local Key Provider, see the Quick Start. To learn how to create a DEK with a specific Key Management System, see Tutorials.

// Deterministic encryption produces the same ciphertext for the same
// plaintext and key, which is what allows an equality query on name later
const encryptedName = await encryption.encrypt("Greg", {
  algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
  keyId: dataKeyId,
});
// Random encryption yields a different ciphertext every time, so the
// favorite-foods field cannot be queried by equality
const encryptedFoods = await encryption.encrypt(["Cheese", "Grapes"], {
  algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Random",
  keyId: dataKeyId,
});
// age is stored in plaintext, as in the table above
await collection.insertOne({
  name: encryptedName,
  age: 83,
  foods: encryptedFoods,
});

4. Retrieve Document and Decrypt Fields

The following code snippets show how to retrieve your inserted document and manually decrypt the encrypted fields:

// Encrypt the query value with the same key and deterministic algorithm
// so it matches the ciphertext stored in the collection
const queryEncryptedName = await encryption.encrypt("Greg", {
  algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
  keyId: dataKeyId,
});
let doc = await collection.findOne({ name: queryEncryptedName });
console.log("Encrypted Document: ", doc);
// decrypt() returns a Promise; await it so the fields hold plaintext
doc.name = await encryption.decrypt(doc.name);
doc.foods = await encryption.decrypt(doc.foods);
console.log("Decrypted document: ", doc);
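Steps 3 and 4 scatter the algorithm choice across every encrypt call. The following is an added example (not from the MongoDB docs) that centralises the field/algorithm table in one policy object and rejects equality queries on randomly encrypted fields before they reach the server; `encryption` is any object exposing ClientEncryption's `encrypt(value, { algorithm, keyId })`, and `FIELD_POLICY`, the helper names and the stub class are assumptions of this example.

```javascript
// Added example, not from the MongoDB docs: a small policy layer that applies the
// field/algorithm table above with explicit encryption. `encryption` is any object
// exposing ClientEncryption's encrypt(value, { algorithm, keyId }); in real code it
// is the instance from mongodb-client-encryption. FIELD_POLICY and helper names are ours.
const DETERMINISTIC = "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic";
const RANDOM = "AEAD_AES_256_CBC_HMAC_SHA_512-Random";

// Mirrors the table: name is deterministic, favorite-foods is random, age stays plaintext.
const FIELD_POLICY = { name: DETERMINISTIC, "favorite-foods": RANDOM };

// Encrypt every policy-listed field before an insert; other fields pass through untouched.
async function encryptDocument(encryption, dataKeyId, doc) {
  const out = { ...doc };
  for (const [field, algorithm] of Object.entries(FIELD_POLICY)) {
    if (field in out) {
      out[field] = await encryption.encrypt(out[field], { algorithm, keyId: dataKeyId });
    }
  }
  return out;
}

// Build an equality filter. Only deterministically encrypted fields can be matched
// by the server: a fresh random ciphertext never equals the stored one, so fail loudly
// instead of silently returning no documents.
async function equalityFilter(encryption, dataKeyId, field, value) {
  const algorithm = FIELD_POLICY[field];
  if (algorithm === undefined) return { [field]: value }; // plaintext field
  if (algorithm !== DETERMINISTIC) {
    throw new Error(`field "${field}" is randomly encrypted and cannot be queried by equality`);
  }
  return { [field]: await encryption.encrypt(value, { algorithm, keyId: dataKeyId }) };
}

// Constructed stand-in for ClientEncryption so this runs without a MongoDB deployment:
// deterministic output depends only on (key, value); random output changes every call.
// It is not a cipher; pass a real ClientEncryption instance in production.
class StubClientEncryption {
  constructor() { this.calls = 0; }
  async encrypt(value, { algorithm, keyId }) {
    const nonce = algorithm === RANDOM ? `:${this.calls++}` : "";
    return `enc(${algorithm}:${keyId}:${JSON.stringify(value)}${nonce})`;
  }
}
```

With a real ClientEncryption instance, `await collection.insertOne(await encryptDocument(encryption, dataKeyId, doc))` and `await collection.findOne(await equalityFilter(encryption, dataKeyId, "name", "Greg"))` replace the hand-written calls in steps 3 and 4.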

Server-Side Field Level Encryption Enforcement

MongoDB supports using schema validation to enforce encryption of specific fields in a collection.

A client performing Client-Side Field Level Encryption with the explicit encryption mechanism on a MongoDB instance configured to enforce encryption of certain fields must encrypt those fields as specified on the MongoDB instance.

To learn how to set up server-side CSFLE enforcement, see CSFLE Server-Side Schema Enforcement.

Learn More

To learn more about Key Vault collections, Data Encryption Keys, and Customer Master Keys, see Keys and Key Vaults.

To learn more about KMS providers and kmsProviders objects, see CSFLE KMS Providers.