
Encrypted Collection Management

Queryable Encryption with equality queries is generally available (GA) in MongoDB 7.0 and later. The Queryable Encryption Public Preview, released in version 6.0, is no longer supported. Data encrypted using the Public Preview is incompatible with the feature release. For more information, see Compatibility Changes in MongoDB 7.0.

It is important that you understand the performance and storage costs of field level encryption. Each queryable (indexed) encrypted field:

  • Adds writes to insert and update operations.
  • Requires additional storage, because MongoDB maintains an encrypted field index.

This section lists the writes per operation and explains how to compact encrypted collection indexes so that you can minimize write and storage costs.

Overview

Queryable Encryption introduces the ability to encrypt sensitive fields in your documents using randomized encryption, while still being able to query the encrypted fields.

With Queryable Encryption, a given plaintext value always encrypts to a different ciphertext, while still remaining queryable. To enable this functionality, Queryable Encryption uses three data structures:

  • Two metadata collections
  • A field in every document in the encrypted collection called __safeContent__
Important

It is critical that these data structures are not modified or deleted, or query results will be incorrect.

Metadata Collections

When you create an encrypted collection, MongoDB creates two metadata collections:

  • enxcol_.<collectionName>.esc, referred to as ESC
  • enxcol_.<collectionName>.ecoc, referred to as ECOC
Example

If you create a collection called "patients", MongoDB creates the following metadata collections:

  • enxcol_.patients.esc
  • enxcol_.patients.ecoc

When you insert documents with a queryable encrypted field, MongoDB updates the metadata collections to maintain an index that enables querying. The field becomes an "indexed field". This comes at a cost in storage and write speed for every such field.

Dropping Encrypted Collections

When you drop an encrypted collection, drop the associated metadata collections enxcol_.<collectionName>.esc and enxcol_.<collectionName>.ecoc immediately afterwards. Otherwise, re-creating a collection with the same name puts the metadata collections in a conflicted state that consumes excess storage space and degrades CRUD performance.

Storage Costs

Storage and write costs increase with the number of indexed fields per document.

Important

Expect a Queryable Encryption collection to have 2-3 times the storage requirements of the documents, to account for the metadata collections. For example, a 1 GB collection may have a storage requirement of 2-3 GB.

Write Costs

Insert Operations

When inserting a document, each indexed field requires two writes to the metadata collections:

  • One write to ESC
  • One write to ECOC

Example

Inserting a document with two indexed fields requires:

  • One write to the encrypted collection.
  • Four writes to the metadata collections.

Update Operations

When updating a document, each indexed field requires two writes to the metadata collections:

  • One write to ESC
  • One write to ECOC

Example

Updating a document with two indexed fields requires:

  • One write to the encrypted collection.
  • Four writes to the metadata collections.

Delete Operations

When deleting a document, indexed fields do not require any additional writes.
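
The per-operation counts above become a planning estimate once you know how many fields in a collection are actually indexed. The following is an added example, not code from the MongoDB manual: it reads an encryptedFields map of the shape passed to createCollection, counts the fields that declare queries (assumed here, per the definition of an indexed field above, to be the only fields that are written to ESC and ECOC), and totals the writes for a workload using the per-field counts on this page. The encryptedFields map and the workload counts are constructed samples; the keyId entries a real map carries are omitted because the estimator does not read them.

```javascript
// Added example, not from the MongoDB manual. Estimates the extra writes a
// workload incurs on the ESC and ECOC metadata collections.
// Assumption: only fields that declare `queries` become indexed fields and
// touch the metadata collections; encrypted-but-unqueryable fields cost
// nothing there.

// Per-indexed-field metadata writes as listed on this page.
const METADATA_WRITES = { insert: 2, update: 2, delete: 0 };

// Count indexed fields: entries whose `queries` is present. The schema
// accepts either a single query document or an array of them.
function countIndexedFields(encryptedFields) {
  return encryptedFields.fields.filter((f) => {
    const q = f.queries;
    return Array.isArray(q) ? q.length > 0 : q != null;
  }).length;
}

// Writes for one operation: one to the encrypted collection plus the
// per-field metadata writes.
function writesForOperation(op, indexedFields) {
  if (!(op in METADATA_WRITES)) throw new Error(`unknown operation: ${op}`);
  const metadata = METADATA_WRITES[op] * indexedFields;
  return { collection: 1, metadata, total: 1 + metadata };
}

// Totals for a workload given as operation counts,
// e.g. { insert: 1000, update: 200, delete: 50 }.
function estimateWorkload(encryptedFields, workload) {
  const indexed = countIndexedFields(encryptedFields);
  const totals = { indexedFields: indexed, collection: 0, metadata: 0, total: 0, byOperation: {} };
  for (const [op, count] of Object.entries(workload)) {
    const w = writesForOperation(op, indexed);
    totals.byOperation[op] = { count, perOperation: w.total, writes: w.total * count };
    totals.collection += w.collection * count;
    totals.metadata += w.metadata * count;
    totals.total += w.total * count;
  }
  return totals;
}

// Constructed sample encryptedFields map: two queryable fields and one
// field that is encrypted but not queryable. keyId values are omitted here;
// a real map carries the UUID of each field's data encryption key.
const SAMPLE_ENCRYPTED_FIELDS = {
  fields: [
    { path: "patientId", bsonType: "int", queries: { queryType: "equality" } },
    { path: "ssn", bsonType: "string", queries: [{ queryType: "equality" }] },
    { path: "medicalNotes", bsonType: "string" },
  ],
};

// Two indexed fields: an insert or update costs 5 writes, a delete costs 1.
console.log(estimateWorkload(SAMPLE_ENCRYPTED_FIELDS, { insert: 1000, update: 200, delete: 50 }));
```

In mongosh you can pass the same object you gave to db.createCollection(name, { encryptedFields }) to estimateWorkload. The point the numbers make is that medicalNotes, being encrypted without queries, adds nothing to the metadata write load, so keeping the set of queryable fields small is the main lever on write cost.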

Index Compaction

As you insert or update documents, the metadata collections change and grow. Index compaction prunes the metadata collections and reduces their size.

Important

You must run index compaction manually. Compaction only works on clients configured for Queryable Encryption.

Run index compaction when the size of ECOC exceeds 1 GB.

You can check the size of your collections from mongosh with the db.collection.totalSize() method.

Example

In this example, the encrypted collection is named "patients".

db.enxcol_.patients.ecoc.totalSize()

output:

1407960328
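
The totalSize() check above and the rule from Dropping Encrypted Collections can be folded into one maintenance audit. The following is an added example, not part of the MongoDB manual: given a map of collection name to totalSize() bytes (collected in mongosh with db.getCollectionNames() and db.getCollection(name).totalSize()), it parses the enxcol_ naming scheme, flags metadata collections whose encrypted collection no longer exists, reports which ECOCs have passed the 1 GB compaction threshold (taken here as 2^30 bytes, an assumption), and emits the drop order the manual prescribes. The sizes are constructed sample values, not measurements.

```javascript
// Added example, not from the MongoDB manual. Audits a database's
// Queryable Encryption metadata collections from a name -> totalSize()
// listing. Sizes below are constructed samples.

const METADATA_PREFIX = "enxcol_.";
const ESC_SUFFIX = ".esc";
const ECOC_SUFFIX = ".ecoc";
// The manual says to compact when ECOC exceeds 1 GB; 2^30 bytes is assumed.
const ECOC_COMPACTION_THRESHOLD = 1024 ** 3;

// Names of the two metadata collections MongoDB creates for an encrypted
// collection.
function metadataCollectionNames(collectionName) {
  return {
    esc: `${METADATA_PREFIX}${collectionName}${ESC_SUFFIX}`,
    ecoc: `${METADATA_PREFIX}${collectionName}${ECOC_SUFFIX}`,
  };
}

// Parse a metadata collection name back into { collection, kind }, or null
// when the name is not a QE metadata collection. Collection names may
// themselves contain dots, so only the prefix and the suffix are stripped.
function parseMetadataName(name) {
  if (!name.startsWith(METADATA_PREFIX)) return null;
  const rest = name.slice(METADATA_PREFIX.length);
  for (const [kind, suffix] of [["esc", ESC_SUFFIX], ["ecoc", ECOC_SUFFIX]]) {
    if (rest.endsWith(suffix)) {
      return { collection: rest.slice(0, -suffix.length), kind };
    }
  }
  return null;
}

// sizesByName: { collectionName: totalSizeBytes }. Returns orphaned metadata
// collections (parent gone), encrypted collections whose ECOC is over the
// threshold, and the metadata bytes attributable to each live collection.
function auditEncryptedMetadata(sizesByName, thresholdBytes = ECOC_COMPACTION_THRESHOLD) {
  const names = new Set(Object.keys(sizesByName));
  const orphaned = [];
  const compact = [];
  const bytesInMetadata = {};

  for (const name of names) {
    const meta = parseMetadataName(name);
    if (!meta) continue;
    if (!names.has(meta.collection)) {
      orphaned.push(name);
      continue;
    }
    bytesInMetadata[meta.collection] = (bytesInMetadata[meta.collection] || 0) + sizesByName[name];
    if (meta.kind === "ecoc" && sizesByName[name] > thresholdBytes) {
      compact.push(meta.collection);
    }
  }
  return { orphaned: orphaned.sort(), compact: compact.sort(), bytesInMetadata };
}

// Drop order the manual prescribes: the encrypted collection, then its ESC
// and ECOC immediately afterwards, so a later collection of the same name
// does not inherit conflicted metadata.
function dropSequence(collectionName) {
  const { esc, ecoc } = metadataCollectionNames(collectionName);
  return [collectionName, esc, ecoc];
}

// Constructed listing: "patients" is live with an ECOC past 1 GB, "visits"
// was dropped without its metadata collections, "audit_log" is unencrypted.
const SAMPLE_SIZES = {
  "patients": 950_000_000,
  "enxcol_.patients.esc": 1_200_000_000,
  "enxcol_.patients.ecoc": 1_407_960_328,
  "enxcol_.visits.esc": 30_000_000,
  "enxcol_.visits.ecoc": 12_000_000,
  "audit_log": 5_000_000,
};

console.log(auditEncryptedMetadata(SAMPLE_SIZES));
console.log(dropSequence("visits"));
```

On the sample listing the audit flags both enxcol_.visits.* collections as orphaned (drop them with dropSequence order in mind, noting that the parent is already gone), marks patients for compaction, and shows patients carrying roughly 2.6 GB of metadata against 0.95 GB of documents, which is the 2-3x overhead the Storage Costs section warns about. Compaction itself must still be issued through a client configured for Queryable Encryption, as in the next example.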

To run index compaction, use mongosh and call the db.collection.compactStructuredEncryptionData() method to reduce the size of the metadata collections.

Example
// mongosh script. The key vault collection holds the data encryption keys;
// the local KMS provider below reads the 96-byte customer master key from a
// file, which is suitable for testing only. Use a KMS provider (AWS, Azure,
// GCP, KMIP) in production so the master key never sits on disk.
const eDB = "encryption"
const eKV = "__keyVault"
const secretDB = "records"
const secretCollection = "patients"
const localKey = fs.readFileSync("master-key.txt")

const localKeyProvider = { key: localKey }

// These client-side options make the connection a Queryable Encryption
// client; compaction is not available on a plain connection.
const queryableEncryptionOpts = {
  kmsProviders: { local: localKeyProvider },
  keyVaultNamespace: `${eDB}.${eKV}`,
}

const encryptedClient = Mongo("localhost:27017", queryableEncryptionOpts)

// Compact the ESC and ECOC that back records.patients through the
// encrypted client.
const encryptedDB = encryptedClient.getDB(secretDB)
const encryptedCollection = encryptedDB.getCollection(secretCollection)
encryptedCollection.compactStructuredEncryptionData()

output:

{
"stats": {
...
},
"ok": 1,
...
}