Database Manual / Security / Encryption / In-Use Encryption / Comparing Approaches

Queryable Encryption Limitations可查询的加密限制

Queryable Encryption equality and range queries are fully supported in production. Prefix, suffix, and substring queries are only available in public preview in MongoDB 8.2. Do not enable these query types in production. GA functionality of prefix, suffix and substring query types will be incompatible with the preview feature.可查询的加密相等性和范围查询在生产环境中得到了完全支持。前缀、后缀和子字符串查询仅在MongoDB 8.2的公共预览中可用。不要在生产环境中启用这些查询类型。前缀、后缀和子字符串查询类型的GA功能将与预览功能不兼容。

Overview概述

Consider these limitations and restrictions before enabling Queryable Encryption. Some operations are unsupported, and others behave differently.在启用可查询加密之前,请考虑这些限制和约束。某些操作不受支持,而其他操作的行为则不同。

For compatibility limitations, please read Compatibility.有关兼容性限制,请阅读兼容性

Security Guarantees安全保障

Warning

Queryable Encryption defends against data exfiltration, not against adversaries with persistent access to an environment, or those who can retrieve both database snapshots and accompanying query transcripts/logs.可查询加密可防止数据泄露,而不是针对对环境具有持久访问权限的对手,或者那些可以检索数据库快照和附带的查询记录/日志的对手。

When using Queryable Encryption, equality and range queries offer similar security against attackers with database snapshots. However, an attacker with access to both database snapshots and query information is beyond the scope of Queryable Encryption's security guarantees. 使用可查询加密时,相等和范围查询通过数据库快照提供了类似的安全性,可以抵御攻击者。但是,可以访问数据库快照和查询信息的攻击者超出了Queryable Encryption的安全保证范围。This is especially true for range queries, even if only a small number of query transcripts or logs are retrieved. See 6.1: Range Queries in the Persistent Model in the overview whitepaper for details.对于范围查询尤其如此,即使只检索到少量的查询转录或日志。有关详细信息,请参阅概述白皮书中的6.1:持久模型中的范围查询

MongoDB Support LimitationsMongoDB支持限制

Enabling Queryable Encryption on a collection redacts fields from some diagnostic commands and omits some operations from the query log. This limits the data available to MongoDB support engineers, especially when analyzing query performance. To measure the impact of operations against encrypted collections, use a third party application performance monitoring tool to collect metrics.在集合上启用可查询加密会编辑某些诊断命令中的字段,并省略查询日志中的某些操作。这限制了MongoDB支持工程师可用的数据,特别是在分析查询性能时。要衡量操作对加密集合的影响,请使用第三方应用程序性能监控工具集合指标。

For details, see the Redaction section of this page.有关详细信息,请参阅本页的Redaction部分。

Supported Operations支持的操作

Queryable Encryption supports a subset of commands, query operators, update operators, aggregation stages, and aggregation expressions. For the list of supported operations, see Supported Operations for Queryable Encryption.可查询加密支持命令、查询运算符、更新运算符、聚合阶段和聚合表达式的子集。有关支持的操作列表,请参阅可查询加密的支持操作

Manual Metadata Collection Compaction手动元数据集合压缩

Manually run metadata collection compaction when your metadata collections exceed 1 GB. Compaction decreases the size of the metadata collections associated with encrypted fields, and improves performance.当元数据集合超过1 GB时,手动运行元数据集合压缩。压缩减小了与加密字段关联的元数据集合的大小,并提高了性能。

Modifying the 修改encryptedFieldsMap

Do not modify the encryptedFieldsMap passed to your MongoClient. Doing so can result in unexpected and incorrect behavior when querying.不要修改传递给MongoClientencryptedFieldsMap。这样做可能会导致查询时出现意外和不正确的行为。

Queryable Encryption encrypts the set of fields in the encryptedFieldsMap configuration that you pass to your MongoClient constructor. 可查询加密对您传递给MongoClient构造函数的encryptedFieldsMap配置中的字段集进行加密。If you specify a formerly plaintext field in your encryptedFieldsMap configuration that exists in the collection documents, you can only query on that field for documents inserted after you updated your encryptedFieldsMap configuration.如果在集合文档中存在的encryptedFieldsMap配置中指定了以前的纯文本字段,则只能在该字段上查询更新encryptedFieldsMap配置后插入的文档。

For example, consider a database in which you have inserted documents with a plaintext streetAddress field. 例如,考虑一个数据库,其中插入了带有纯文本streetAddress字段的文档。Adding this field to encryptedFieldsMap and performing subsequent inserts will insert the encrypted value of streetAddress into the database. 将此字段添加到encryptedFieldsMap并执行后续插入操作,将把streetAddress的加密值插入数据库。The driver will send future queries for a specific streetAddress as BinData. 驱动程序将以BinData的形式发送未来对特定streetAddress的查询。As a result, the plaintext values in the original documents will never match future queries.因此,原始文档中的明文值永远不会与未来的查询匹配。

The _id Field_id字段

You cannot configure Queryable Encryption to encrypt the _id field because it relies on the value auto-generated by MongoDB.您无法配置可查询加密来加密_id字段,因为它依赖于MongoDB自动生成的值。

Encrypted Field Names加密字段名

You can't rename an encrypted field. For example, if you specify ssn as a field to encrypt, you can't $rename the field name to taxPayerID.您不能重命名加密字段。例如,如果将ssn指定为要加密的字段,则不能将字段名$rename(重命名)为taxPayerID

Modifying Queryable Fields修改可查询字段

The query type you specify for a field when creating the collection in encryptedFieldsMap is immutable. You cannot enable new query types to an existing field, and you cannot change the existing query type.encryptedFieldsMap中创建集合时为字段指定的查询类型是不可变的。您不能为现有字段启用新的查询类型,也不能更改现有的查询类型。

Redaction修订

To improve security, Queryable Encryption redacts fields from some diagnostic commands on encrypted collections, and omits certain operations from the query log. An encrypted collection is any collection with the encryptedFields option.为了提高安全性,可查询加密会编辑加密集合上某些诊断命令的字段,并从查询日志中省略某些操作。加密集合是指具有encryptedFields选项的任何集合。

Query Log and Database Profiler Redaction查询日志和数据库探查器修改

The CRUD operations below are omitted from the slow operations query log and the Database Profiler system.profile collection when you run them on an encrypted collection.当您在加密集合上运行下面的CRUD操作时,慢速操作查询日志和数据库分析器system.profile集合中会省略这些操作。

Command and Aggregation Stage Output Redaction命令和聚合阶段输出修改

The collStats command and $collStats aggregation stage:collStats命令和$collStats聚合阶段:

  • Omit 省略"queryExecStats"
  • Omit 省略"latencyStats"
  • Redact "WiredTiger", if present, to include only the url field."WiredTiger"(如果存在)修改为仅包含url字段。

The currentOp command and $currentOp aggregation stage:currentOp命令和$currentOp聚合阶段:

  • Omit all fields after "command".省略"command"后的所有字段。
  • Redact "command" to include only the first element, $comment, and $db."command"修改为仅包含第一个元素$comment$db

The top command only returns the collection name of encrypted collections.top命令仅返回加密集合的集合名称。

The $planCacheStats aggregation stage omits operations against encrypted collections, even though the operations are cached as normal.$planCacheStats聚合阶段省略了对加密集合的操作,即使这些操作是正常缓存的。

Topology Support拓扑支持

  • Replica sets and sharded clusters are supported支持副本集和分片集群
  • Standalone deployments are not supported不支持独立部署
  • Secondary reads are not supported不支持二次读取

Sharding分片

  • Metadata collections must not be sharded元数据集合不得分片
  • Shard keys must not be encrypted fields分片键不能是加密字段

Collections集合

  • You cannot use Client-Side Field Level Encryption with Queryable Encryption on the same collection.不能在同一集合上使用具有可查询加密的客户端字段级加密。

    • Queryable Encryption does not support migration from collections encrypted with Client-Side Field Level Encryption. You must decrypt your documents and insert them one-by-one.可查询加密不支持从使用客户端字段级加密加密的集合迁移。您必须解密文档并逐一插入。
    • Queryable Encryption does not support automatic migration from an unencrypted collection. You must insert the documents one-by-one.可查询加密不支持从未加密的集合自动迁移。你必须一个接一个地插入文件。
  • Queryable Encryption supports new collections only. You cannot add or remove Queryable Encryption to existing collections.可查询加密仅支持新集合。您无法向现有集合添加或删除可查询加密。
  • You cannot rename a collection with encrypted fields.您无法重命名包含加密字段的集合。

  • You cannot specify jsonSchema to db.createCollection() when creating a Queryable Encryption collection if the jsonSchema contains the encrypt keyword.如果jsonSchema包含encrypt键,则在创建可查询加密集合时,不能将jsonSchema指定给db.createCollection()

    • You can specify both encryptedFields and jsonSchema to db.createCollection() as long as your jsonSchema does not contain validation for encrypted fields.只要jsonSchema不包含对加密字段的验证,您就可以将encryptedFieldsjsonSchema都指定给db.createCollection()
  • Queryable Encryption does not support Views, Time Series Collections, or capped collection.可查询加密不支持视图时间序列集合封顶集合
  • Queryable Encryption does not support TTL Indexes or Unique Indexes.可查询加密不支持TTL索引唯一索引
  • You cannot disable jsonSchema validation.您无法禁用jsonSchema验证。

  • When a collection uses the encryptedFields option:当集合使用encryptedFields选项时:

    • You cannot set validationLevel to none.您不能将validationLevel设置为none
    • You cannot set validationAction to warn.您无法将validationAction设置为warn

Drop Collection丢弃集合

  • Dropping collections from a MongoClient that is not configured for Queryable Encryption doesn't drop the associated metadata collections. mongod logs a warning if you drop a collection with encrypted fields before dropping the metadata collections.从未配置为可查询加密的MongoClient中删除集合不会删除关联的元数据集合。如果在删除元数据集合之前删除了包含加密字段的集合,mongod会记录一条警告。

Tip

When dropping a collection with a MongoClient configured for Queryable Encryption, compatible drivers drop the associated metadata collections as well.当删除配置了可查询加密的MongoClient的集合时,兼容的驱动程序也会删除相关的元数据集合。

Create Collection创建集合

Always explicitly create any collections that use Queryable Encryption. Implicit collection creation doesn't create the necessary indexes and metadata collections, resulting in poor query performance.始终显式创建使用可查询加密的任何集合。隐式集合创建不会创建必要的索引和元数据集合,从而导致查询性能不佳。

Arrays数组

Queryable Encryption does not support automatic encryption on fields within an array of documents.可查询加密不支持对文档数组中的字段进行自动加密。

Views视图

Applications cannot rely on the automatic encryption validation to prevent unsupported queries against views on collections with encrypted fields.应用程序不能依赖自动加密验证来防止对具有加密字段的集合上的视图进行不受支持的查询。

Queries against views on collections containing values encrypted with Queryable Encryption may return unexpected or incorrect results if either the underlying view aggregation pipeline or the query references encrypted fields. 如果底层视图聚合管道或查询引用了加密字段,则对包含使用可查询加密加密的值的集合上的视图的查询可能会返回意外或不正确的结果。If creating a view on a collection containing values encrypted with Queryable Encryption, avoid operating on encrypted fields to mitigate the risk of unexpected or incorrect results.如果在包含使用可查询加密加密的值的集合上创建视图,请避免对加密字段进行操作,以降低意外或不正确结果的风险。

For more information on views, see Views.有关视图的详细信息,请参阅视图

Collation排序规则

Queryable Encryption ignores user-specified collations or collection default collations. Encryption obscures the field value and prevents normal collation behavior. Collation-sensitive queries against encrypted fields may return unexpected or incorrect results.可查询加密忽略用户指定的排序规则或集合默认排序规则。加密会掩盖字段值并阻止正常的排序规则行为。对加密字段进行排序敏感的查询可能会返回意外或不正确的结果。

For more information on collations, see Collation Document.有关排序规则的更多信息,请参阅排序规则文档

Queryable Encryption-compatible drivers have a list of supported operations for automatic encryption. 可查询加密兼容驱动程序具有自动加密支持的操作列表。For unsupported read and write operations, the underlying support library cannot introspect the collection catalog to identify the default collation. Applications therefore cannot rely on the Queryable Encryption validation to prevent querying on encrypted fields with collation defaults.对于不受支持的读写操作,基础支持库无法自检集合目录以识别默认排序规则。因此,应用程序不能依赖可查询加密验证来阻止对具有排序规则默认值的加密字段进行查询。

Unique Indexes唯一索引

Unique indexes can't guarantee uniqueness if the index key specifies any encrypted fields.如果索引键指定了任何加密字段,则唯一索引无法保证唯一性。

Queryable Encryption always outputs a different encrypted value, even for the same input. The server considers each encrypted value unique, even though the decrypted value may not be. This means that even if a collection uses an index-enforced unique constraint on fields, the collection can still contain multiple documents with duplicate plaintext values for that field.可查询加密始终输出不同的加密值,即使对于相同的输入也是如此。服务器认为每个加密值都是唯一的,即使解密值可能不是。这意味着即使一个集合对字段使用索引强制的唯一约束,该集合仍然可以包含多个具有该字段重复明文值的文档。

Queryable Encryption compatible drivers configured for automatic encryption support some operations for automatic encryption. 配置为自动加密的可查询加密兼容驱动程序支持一些自动加密操作For unsupported read and write operations, the underlying library can't introspect the index catalog to identify a given field as unique. Applications can't rely on automatic encryption validation to prevent unique constraint violations on randomly-encrypted fields.对于不支持的读写操作,底层库无法自检索引目录以将给定字段标识为唯一字段。应用程序不能依赖自动加密验证来防止随机加密字段上的唯一约束违规。