Database Manual / Security / Encryption / In-Use Encryption / Queryable Encryption / Reference

MongoClient Options for Queryable EncryptionMongoClient可查询加密选项

Queryable Encryption equality and range queries are fully supported in production. Prefix, suffix, and substring queries are only available in public preview in MongoDB 8.2. Do not enable these query types in production. GA functionality of prefix, suffix and substring query types will be incompatible with the preview feature.可查询的加密相等性和范围查询在生产环境中得到了完全支持。前缀、后缀和子字符串查询仅在MongoDB 8.2的公共预览中可用。不要在生产环境中启用这些查询类型。前缀、后缀和子字符串查询类型的GA功能将与预览功能不兼容。

Overview概述

~~On this page, you can learn about the Queryable Encryption-specific configuration options for MongoClient instances.~~在此页面上，您可以了解MongoClient实例的可查询加密特定配置选项。

Automatic Encryption Options自动加密选项

MongoDB Shell

~~The following table describes the structure of an AutoEncryptionOptions object:~~下表描述了AutoEncryptionOptions对象的结构：

Property	Data Type	Required?	~~Description~~描述
`keyVaultNamespace`	`String`	Yes	The full namespace of the Key Vault collection.
`kmsProviders`	`Object`	Yes	The Key Management System (KMS) used by Queryable Encryption for managing your Customer Master Keys (CMKs). To learn more about `kmsProviders` objects, see KMS Providers. To learn more about Customer Master Keys, see Encryption Keys and Key Vaults.
`bypassAutoEncryption`	`Boolean`	No	Specify `true` to bypass automatic encryption rules and perform explicit (manual) per-field encryption.
`bypassQueryAnalysis`	`Boolean`	No	Disables automatic analysis of outgoing commands. Specify `true` to use explicit encryption without the Automatic Encryption Shared Library.
`encryptedFieldsMap`	`Object`	No	A schema that specifies which fields to automatically encrypt and the types of queries allowed on those fields. To learn how to construct an encryption schema, see Encrypted Fields and Enabled Queries.
`extraOptions`	`Object`	No	Configuration options for the encryption library. To use the Automatic Encryption Shared Library instead of `mongocryptd`, specify the full absolute or relative file path to the library file in the `cryptSharedLibPath` property of this object. If the driver can't load the Automatic Encryption Shared Library from this path, creating the `MongoClient` will fail.
`keyVaultClient`	`MongoClient`	No	Specifies the `MongoClient` that should connect to the MongoDB instance hosting your Key Vault collection. If you omit this option, the driver uses the current `MongoClient` instance. To learn more about Key Vault collections, see Key Vault Collections.
`tlsOptions`	`Object`	No	The TLS options to use when connecting to the KMS provider.

The following table describes the properties in an AutoEncryptionOptions object:

Property	Data Type	Required?	~~Description~~描述
`KeyVaultNamespace`	`CollectionNamespace`	Yes	The full namespace of the Key Vault collection.
`KmsProviders`	`IReadOnlyDictionary`	Yes	The Key Management System (KMS) used by Queryable Encryption for managing your Customer Master Keys (CMKs). To learn more about `KmsProviders` objects, see KMS Providers. To learn more about Customer Master Keys, see Encryption Keys and Key Vaults.
`BypassAutoEncryption`	`Boolean`	No	Specify `true` to bypass automatic encryption rules and perform explicit (manual) per-field encryption.
`BypassQueryAnalysis`	`Boolean`	No	Disables automatic analysis of outgoing commands. Set this property to `true` to use explicit encryption without the Automatic Encryption Shared Library.
`EncryptedFieldsMap`	`IReadOnlyDictionary`	No	A schema that specifies which fields to automatically encrypt and the types of queries allowed on those fields. To learn how to construct an encryption schema, see Encrypted Fields and Enabled Queries.
`ExtraOptions`	`IReadOnlyDictionary`	No	Configuration options for the encryption library. To use the Automatic Encryption Shared Library instead of `mongocryptd`, specify the full absolute or relative file path to the library file in the `cryptSharedLibPath` property. If the driver can't load the Automatic Encryption Shared Library from this path, creating the `MongoClient` will fail.
`KeyVaultClient`	`IMongoClient`	No	Specifies the `MongoClient` that should connect to the MongoDB instance hosting your Key Vault collection. If you omit this option, the driver uses the current `MongoClient` instance. To learn more about Key Vault collections, see Key Vault Collections.
`TlsOptions`	`IReadOnlyDictionary`	No	The TLS options to use when connecting to the KMS provider.

Note

API Documentation

For more information on these automatic encryption options, see the API documentation for the AutoEncryptionOptions class.

The following table describes the options in an AutoEncryptionOptions object:

~~Option~~选项	Data Type	Required?	~~Description~~描述
`KeyVaultNamespace`	`String`	Yes	The full namespace of the Key Vault collection.
`KmsProviders`	`map[string]map[string]interface{}`	Yes	The Key Management System (KMS) used by Queryable Encryption for managing your Customer Master Keys (CMKs). To learn more about `KmsProviders` objects, see KMS Providers. To learn more about Customer Master Keys, see Encryption Keys and Key Vaults.
`BypassAutoEncryption`	`*bool`	No	Specify `true` to bypass automatic encryption rules and perform explicit (manual) per-field encryption.
`BypassQueryAnalysis`	`*bool`	No	Disables automatic analysis of outgoing commands. Specify `true` to use explicit encryption without the Automatic Encryption Shared Library.
`EncryptedFieldsMap`	`map[string]interface{}`	No	A schema that specifies which fields to automatically encrypt and the types of queries allowed on those fields. To learn how to construct an encryption schema, see Encrypted Fields and Enabled Queries.
`ExtraOptions`	`map[string]interface{}`	No	Configuration options for the encryption library. To use the Automatic Encryption Shared Library instead of `mongocryptd`, specify the full absolute or relative file path to the library file in the `cryptSharedLibPath` property. If the driver can't load the Automatic Encryption Shared Library from this path, creating the `MongoClient` will fail.
`KeyVaultClientOptions`	`*ClientOptions`	No	Options for a new internal `mongo.Client` to connect to the MongoDB instance hosting your Key Vault collection. If you omit this option, the driver uses the current `MongoClient` instance. To learn more about Key Vault collections, see Key Vault Collections.
`TlsConfig`	`map[string]*tls.Config`	No	The TLS options to use when connecting to the KMS provider.

Note

API Documentation

For more information on these automatic encryption options, see the API documentation for the AutoEncryptionOptions type.

Java(Sync)

The following table describes the methods available on the AutoEncryptionSettings builder:

Method	Data Type	Required?	~~Description~~描述
`keyVaultNamespace`	`String`	Yes	The full namespace of the Key Vault collection.
`kmsProviders`	`Map`	Yes	The Key Management System (KMS) used by Queryable Encryption for managing your Customer Master Keys (CMKs). To learn more about `kmsProviders` objects, see KMS Providers. To learn more about Customer Master Keys, see Encryption Keys and Key Vaults.
`bypassAutoEncryption`	`Boolean`	No	Specify `true` to bypass automatic encryption rules and perform explicit (manual) per-field encryption.
`bypassQueryAnalysis`	`Boolean`	No	Disables automatic analysis of outgoing commands. Specify `true` to use explicit encryption without the Automatic Encryption Shared Library.
`encryptedFieldsMap`	`Map`	No	A schema that specifies which fields to automatically encrypt and the types of queries allowed on those fields. To learn how to construct an encryption schema, see Encrypted Fields and Enabled Queries.
`extraOptions`	`Map`	No	Configuration options for the encryption library. To use the Automatic Encryption Shared Library instead of `mongocryptd`, specify the full absolute or relative file path to the library file in the `cryptSharedLibPath` property.
`keyVaultMongoClientSettings`	`MongoClientSettings`	No	Settings for a new `MongoClient` instance to connect to the MongoDB instance hosting your Key Vault collection. If you omit this option, the driver uses the current `MongoClient` instance. To learn more about Key Vault collections, see Key Vault Collections.
`kmsProviderPropertySuppliers`	`Map`	No	Similar to the `kmsProviders()` method, but configures a `Supplier` for each property instead.
`kmsProviderSslContextMap`	`Map`	No	The SSL context to use for authentication.

Note

API Documentation

For more information on these automatic encryption options, see the API documentation for the AutoEncryptionSettings.Builder class.

Node.js

The following table describes the structure of an AutoEncryptionOptions object:

Property	Data Type	Required?	~~Description~~描述
`keyVaultNamespace`	`String`	Yes	The full namespace of the Key Vault collection.
`kmsProviders`	`Object`	Yes	The Key Management System (KMS) used by Queryable Encryption for managing your Customer Master Keys (CMKs). To learn more about `kmsProviders` objects, see KMS Providers. To learn more about Customer Master Keys, see Encryption Keys and Key Vaults.
`bypassAutoEncryption`	`Boolean`	No	Specify `true` to bypass automatic encryption rules and perform explicit (manual) per-field encryption.
`bypassQueryAnalysis`	`Boolean`	No	Disables automatic analysis of outgoing commands. Specify `true` to use explicit encryption without the Automatic Encryption Shared Library. Defaults to `false` if not specified.
`encryptedFieldsMap`	`Object`	No	A schema that specifies which fields to automatically encrypt and the types of queries allowed on those fields. To learn how to construct an encryption schema, see Encrypted Fields and Enabled Queries.
`extraOptions`	`Object`	No	Configuration options for the encryption library. To use the Automatic Encryption Shared Library instead of `mongocryptd`, specify the full absolute or relative file path to the library file in the `cryptSharedLibPath` property of this object. If the driver can't load the Automatic Encryption Shared Library from this path, creating the `MongoClient` will fail.
`keyVaultClient`	`MongoClient`	No	Specifies the `MongoClient` that should connect to the MongoDB instance hosting your Key Vault collection. If you omit this option, the driver uses the current `MongoClient` instance. To learn more about Key Vault collections, see Key Vault Collections.
`tlsOptions`	`Object`	No	The TLS options to use when connecting to the KMS provider.

Note

API Documentation

For more information on these automatic encryption options, see the API documentation for the AutoEncryptionOptions interface.

Python

The following table describes the parameters of the AutoEncryptionOpts class:

~~Parameter~~参数	Data Type	Required?	~~Description~~描述
`key_vault_namespace`	`String`	Yes	The full namespace of the Key Vault collection.
`kms_providers`	`Mapping[string, Any]`	Yes	The Key Management System (KMS) used by Queryable Encryption for managing your Customer Master Keys (CMKs). To learn more about `kms_Providers` maps, see KMS Providers. To learn more about Customer Master Keys, see Encryption Keys and Key Vaults.
`bypass_auto_encryption`	`Boolean`	No	Specify `True` to bypass automatic encryption rules and perform explicit (manual) per-field encryption.
`bypass_query_analysis`	`Boolean`	No	Disables automatic analysis of outgoing commands. Specify `True` to use explicit encryption without the Automatic Encryption Shared Library.
`encrypted_fields_map`	`Mapping`	No	A schema that specifies which fields to automatically encrypt and the types of queries allowed on those fields. To learn how to construct an encryption schema, see Encrypted Fields and Enabled Queries.
`crypt_shared_lib_path`	`String`	No	Specify the full absolute or relative file path to the library file in the this parameter to use the Automatic Encryption Shared Library instead of `mongocryptd`, If the driver can't load the Automatic Encryption Shared Library from this path, it raises an error.
`crypt_shared_lib_required`	`Boolean`	No	If you specify `True`, the driver raises an error if `libmongocrypt` can't load the Automatic Encryption Shared Library.
`key_vault_client`	`MongoClient`	No	Specifies the `MongoClient` that should connect to the MongoDB instance hosting your Key Vault collection. If you omit this option, the driver uses the current `MongoClient` instance. To learn more about Key Vault collections, see Key Vault Collections.
`kms_tls_options`	`Mapping[string, Any]`	No	The TLS options to use when connecting to the KMS provider.
`mongocryptd_uri`	`String`	No	The MongoDB URI used to connect to the local `mongocryptd` process, if using `mongocryptd` for encryption.
`mongocryptd_bypass_spawn`	`Boolean`	No	If you specify `True` for this parameter, the encrypted `MongoClient` does not attempt to spawn the `mongocryptd` process, if using `mongocryptd` for encryption.
`mongocryptd_spawn_path`	`String`	No	Used for spawning the `mongocryptd` process, if using `mongocryptd` for encryption.
`mongocryptd_spawn_args`	`String`	No	A list of string arguments to use when spawning the `mongocryptd` process, if using `mongocryptd` for encryption.

Note

API DocumentationAPI 文档

~~For more information on these automatic encryption options, see the API documentation for the AutoEncryptionOpts class.~~有关这些自动加密选项的详细信息，请参阅AutoEncryptionOpts类的API文档。

Back

Supported Operations

~~Client-Side Field Level Encryption~~客户端字段级加密