
Install and Configure mongocryptd for Queryable Encryption

Queryable Encryption with equality queries is generally available (GA) in MongoDB 7.0 and later. The Queryable Encryption Public Preview, released in version 6.0, is no longer supported. Data encrypted using the Public Preview is incompatible with the feature release. For more information, see Compatibility Changes in MongoDB 7.0.

Overview

Tip

Use the Automatic Encryption Shared Library

If you are starting a new project, use the crypt_shared encryption helper, referred to as the Shared Library. The Shared Library replaces mongocryptd and does not require spawning a new process.

mongocryptd is installed with MongoDB Enterprise Server.

When you create a Queryable Encryption enabled MongoDB client, the mongocryptd process starts automatically by default.

The mongocryptd process:

  • Uses the specified automatic encryption rules to mark fields in read and write operations for encryption.
  • Prevents unsupported operations from executing on encrypted fields.
  • Parses the encryption schema specified for the database connection. Automatic encryption rules use a strict subset of JSON schema syntax. If the rules contain invalid automatic encryption syntax or any document validation syntax, mongocryptd returns an error.

mongocryptd performs only the functions listed above. It does not:

  • perform encryption or decryption
  • access any encryption key material
  • listen over the network

To perform client-side field level encryption and automatic decryption, drivers use the Apache-licensed libmongocrypt library.

Installation

For supported Linux operating systems, follow the install on Linux tutorial and install the mongodb-enterprise server package. Alternatively, specify mongodb-enterprise-cryptd instead to install only the mongocryptd binary. The package manager installs the binaries to a location in the system PATH (e.g. /usr/bin/).

For OSX, install the Server package by following the install on MacOS tutorial. The package manager installs binaries to a location in the system PATH.

For Windows, install the Server package by following the install on Windows tutorial. You must add the mongocryptd package to your system PATH after installation. Defer to documented best practices for your Windows installation for instructions on adding the mongocryptd binary to the system PATH.

For installations via an official tarball or ZIP archive, follow the documented best practices for your operating system to add the mongocryptd binary to your system PATH.

Configuration

If the driver has access to the mongocryptd process, it spawns the process by default.

Note

mongocryptd Port In Use

If a mongocryptd process is already running on the port specified by the driver, the driver may log a warning and continue without spawning a new process. Any settings specified by the driver only apply once the existing process exits and a new encrypted client attempts to connect.

Configure how the driver starts mongocryptd through the following parameters:

  • port: The port on which mongocryptd listens for messages. Default: 27020
  • idleShutdownTimeoutSecs: Number of idle seconds the mongocryptd process waits before exiting. Default: 60
  • mongocryptdURI: The URI on which to run the mongocryptd process. Default: "mongodb://localhost:27020"
  • mongocryptdBypassSpawn: When true, prevents the driver from automatically spawning mongocryptd. Default: false
  • mongocryptdSpawnPath: The full path to mongocryptd. Default: empty string, which spawns mongocryptd from the system PATH.

Important

Start on Boot

If possible, start mongocryptd on boot, rather than launching it on demand.

Examples

To view examples of how to configure your mongocryptd process, click the tab corresponding to the driver you are using in your application:

The following code snippet sets the listening port configuration of mongocryptd:

autoEncryption: {
  ...
  extraOptions: {
    mongocryptdSpawnArgs: ["--port", "30000"],
    mongocryptdURI: "mongodb://localhost:30000",
  }
}

Note

In the NodeJS driver, the mongocryptdURI must match the listening port.

The following code snippet sets the idle timeout configuration of mongocryptd:

autoEncryption: {
  ...
  extraOptions: {
    mongocryptdSpawnArgs: ["--idleShutdownTimeoutSecs", "75"]
  }
}