Overview概述
Consider these limitations and restrictions before enabling Queryable Encryption. Some operations are unsupported, and others behave differently.在启用可查询加密之前,请考虑这些限制和约束。某些操作不受支持,而其他操作的行为则不同。
For compatibility limitations, please read Compatibility.有关兼容性限制,请阅读兼容性。
Security Guarantees安全保障
Warning
Queryable Encryption defends against data exfiltration, not against adversaries with persistent access to an environment, or those who can retrieve both database snapshots and accompanying query transcripts/logs.可查询加密可防止数据泄露,而不是针对对环境具有持久访问权限的对手,或者那些可以检索数据库快照和附带的查询记录/日志的对手。
When using Queryable Encryption, equality and range queries offer similar security against attackers with database snapshots. However, an attacker with access to both database snapshots and query information is beyond the scope of Queryable Encryption's security guarantees. 使用可查询加密时,相等和范围查询通过数据库快照提供了类似的安全性,可以抵御攻击者。但是,可以访问数据库快照和查询信息的攻击者超出了Queryable Encryption的安全保证范围。This is especially true for range queries, even if only a small number of query transcripts or logs are retrieved. See 6.1: Range Queries in the Persistent Model in the overview whitepaper for details.对于范围查询尤其如此,即使只检索到少量的查询转录或日志。有关详细信息,请参阅概述白皮书中的6.1:持久模型中的范围查询。
MongoDB Support LimitationsMongoDB支持限制
Enabling Queryable Encryption on a collection redacts fields from some diagnostic commands and omits some operations from the query log. This limits the data available to MongoDB support engineers, especially when analyzing query performance. To measure the impact of operations against encrypted collections, use a third party application performance monitoring tool to collect metrics.在集合上启用可查询加密会编辑某些诊断命令中的字段,并省略查询日志中的某些操作。这限制了MongoDB支持工程师可用的数据,特别是在分析查询性能时。要衡量操作对加密集合的影响,请使用第三方应用程序性能监控工具集合指标。
For details, see the Redaction section of this page.有关详细信息,请参阅本页的Redaction部分。
Supported Operations支持的操作
Queryable Encryption supports a subset of commands, query operators, update operators, aggregation stages, and aggregation expressions. For the list of supported operations, see Supported Operations for Queryable Encryption.可查询加密支持命令、查询运算符、更新运算符、聚合阶段和聚合表达式的子集。有关支持的操作列表,请参阅可查询加密的支持操作。
Manual Metadata Collection Compaction手动元数据集合压缩
Manually run metadata collection compaction when your metadata collections exceed 1 GB. Compaction decreases the size of the metadata collections associated with encrypted fields, and improves performance.当元数据集合超过1 GB时,手动运行元数据集合压缩。压缩减小了与加密字段关联的元数据集合的大小,并提高了性能。
Modifying the encryptedFieldsMap
Do not modify the encryptedFieldsMap passed to your MongoClient. Doing so can result in unexpected and incorrect behavior when querying.
Queryable Encryption encrypts the set of fields in the encryptedFieldsMap configuration that you pass to your MongoClient constructor. If you specify a formerly plaintext field in your encryptedFieldsMap configuration that exists in the collection documents, you can only query on that field for documents inserted after you updated your encryptedFieldsMap configuration.
For example, consider a database in which you have inserted documents with a plaintext streetAddress field. Adding this field to encryptedFieldsMap and performing subsequent inserts will insert the encrypted value of streetAddress into the database. The driver will send future queries for a specific streetAddress as BinData. As a result, the plaintext values in the original documents will never match future queries.
The _id Field
You cannot configure Queryable Encryption to encrypt the _id field because it relies on the value auto-generated by MongoDB.
Encrypted Field Names
You can't rename an encrypted field. For example, if you specify ssn as a field to encrypt, you can't $rename the field name to taxPayerID.
Modifying Queryable Fields
The query type you specify for a field when creating the collection in encryptedFieldsMap is immutable. You cannot enable new query types to an existing field, and you cannot change the existing query type.
Redaction
To improve security, Queryable Encryption redacts fields from some diagnostic commands on encrypted collections, and omits certain operations from the query log. An encrypted collection is any collection with the encryptedFields option.
Query Log and Database Profiler Redaction
The CRUD operations below are omitted from the slow operations query log and the Database Profiler system.profile collection when you run them on an encrypted collection.
aggregatecompactStructuredEncryptionDatacountdeletefindfindAndModifyinsertupdatedb.collection.bulkWrite()- The
cleanupStructuredEncryptionDatacommand
Command and Aggregation Stage Output Redaction
The collStats command and $collStats aggregation stage:
- Omit
"queryExecStats" - Omit
"latencyStats" - Redact
"WiredTiger", if present, to include only theurlfield.
The currentOp command and $currentOp aggregation stage:
- Omit all fields after
"command". - Redact
"command"to include only the first element,$comment, and$db.
The top command only returns the collection name of encrypted collections.
The $planCacheStats aggregation stage omits operations against encrypted collections, even though the operations are cached as normal.
Topology Support
- Replica sets and sharded clusters are supported
- Standalone deployments are not supported
- Secondary reads are not supported
Sharding
- Metadata collections must not be sharded
- Shard keys must not be encrypted fields
Collections
You cannot use Client-Side Field Level Encryption with Queryable Encryption on the same collection.
- Queryable Encryption does not support migration from collections encrypted with Client-Side Field Level Encryption. You must decrypt your documents and insert them one-by-one.
- Queryable Encryption does not support automatic migration from an unencrypted collection. You must insert the documents one-by-one.
- Queryable Encryption supports new collections only. You cannot add or remove Queryable Encryption to existing collections.
- You cannot rename a collection with encrypted fields.
You cannot specify
jsonSchematodb.createCollection()when creating a Queryable Encryption collection if thejsonSchemacontains theencryptkeyword.- You can specify both
encryptedFieldsandjsonSchematodb.createCollection()as long as your jsonSchema does not contain validation for encrypted fields.
- You can specify both
- Queryable Encryption does not support Views, Time Series Collections, or capped collection.
- Queryable Encryption does not support TTL Indexes or Unique Indexes.
- You cannot disable
jsonSchemavalidation. When a collection uses the
encryptedFieldsoption:- You cannot set
validationLeveltonone. - You cannot set
validationActiontowarn.
- You cannot set
Drop Collection
- Dropping collections from a
MongoClientthat is not configured for Queryable Encryption doesn't drop the associated metadata collections.mongodlogs a warning if you drop a collection with encrypted fields before dropping the metadata collections.
Tip
When dropping a collection with a MongoClient configured for Queryable Encryption, compatible drivers drop the associated metadata collections as well.
Create Collection
Always explicitly create any collections that use Queryable Encryption. Implicit collection creation doesn't create the necessary indexes and metadata collections, resulting in poor query performance.
Arrays
Queryable Encryption does not support automatic encryption on fields within an array of documents.可查询加密不支持对文档数组中的字段进行自动加密。
Views视图
Applications cannot rely on the automatic encryption validation to prevent unsupported queries against views on collections with encrypted fields.应用程序不能依赖自动加密验证来防止对具有加密字段的集合上的视图进行不受支持的查询。
Queries against views on collections containing values encrypted with Queryable Encryption may return unexpected or incorrect results if either the underlying view aggregation pipeline or the query references encrypted fields. If creating a view on a collection containing values encrypted with Queryable Encryption, avoid operating on encrypted fields to mitigate the risk of unexpected or incorrect results.
Collation排序规则
Queryable Encryption ignores user-specified collations or collection default collations. Encryption obscures the field value and prevents normal collation behavior. Collation-sensitive queries against encrypted fields may return unexpected or incorrect results.可查询加密忽略用户指定的排序规则或集合默认排序规则。加密会掩盖字段值并阻止正常的排序规则行为。对加密字段进行排序敏感的查询可能会返回意外或不正确的结果。
For more information on collations, see Collation Document.
Queryable Encryption-compatible drivers have a list of supported operations for automatic encryption. For unsupported read and write operations, the underlying support library cannot introspect the collection catalog to identify the default collation. Applications therefore cannot rely on the Queryable Encryption validation to prevent querying on encrypted fields with collation defaults.
Unique Indexes唯一索引
Unique indexes can't guarantee uniqueness if the index key specifies any encrypted fields.如果索引键指定了任何加密字段,则唯一索引无法保证唯一性。
Queryable Encryption always outputs a different encrypted value, even for the same input. The server considers each encrypted value unique, even though the decrypted value may not be. This means that even if a collection uses an index-enforced unique constraint on fields, the collection can still contain multiple documents with duplicate plaintext values for that field.可查询加密始终输出不同的加密值,即使对于相同的输入也是如此。服务器认为每个加密值都是唯一的,即使解密值可能不是。这意味着即使一个集合对字段使用索引强制的唯一约束,该集合仍然可以包含多个具有该字段重复明文值的文档。
Queryable Encryption compatible drivers configured for automatic encryption support some operations for automatic encryption. 配置为自动加密的可查询加密兼容驱动程序支持一些自动加密操作。For unsupported read and write operations, the underlying library can't introspect the index catalog to identify a given field as unique. Applications can't rely on automatic encryption validation to prevent unique constraint violations on randomly-encrypted fields.对于不支持的读写操作,底层库无法自检索引目录以将给定字段标识为唯一字段。应用程序不能依赖自动加密验证来防止随机加密字段上的唯一约束违规。