New in version 7.0.

ClientEncryption.createEncryptedCollection(dbName, collName, clientEncOpts)

ClientEncryption.createEncryptedCollection creates an encrypted collection specified by collName on the database specified by dbName.
Compatibility
This command is available in deployments hosted in the following environments:
- MongoDB Atlas: The fully managed service for MongoDB deployments in the cloud
- MongoDB Enterprise: The subscription-based, self-managed version of MongoDB
- MongoDB Community: The source-available, free-to-use, and self-managed version of MongoDB
Syntax

ClientEncryption.createEncryptedCollection has the following syntax:

clientEncryption = db.getMongo().getClientEncryption()
clientEncryption.createEncryptedCollection(
    dbName,
    collName,
    {
        provider: kmsProviderName,
        createCollectionOptions: encryptedFieldsMap,
        masterKey: customerMasterKeyCredentials
    }
)
Command Fields

createEncryptedCollection takes these fields:

Field | Type | Necessity | Description
---|---|---|---
dbName | string | Required | Name of the database to encrypt.
collName | string | Required | Name of the collection to encrypt.
clientEncOpts | document | Required | Options to configure the encrypted collection.
clientEncOpts.provider | string | Required | KMS you are using to store your Customer Master Key.
clientEncOpts.createCollectionOptions | document | Required | Fields to encrypt. See Steps for details on how to configure the
clientEncOpts.masterKey | document | Optional | How to get the master key when the KMS Provider is AWS, GCP, or Azure.
Behavior
The mongosh client-side field level and queryable encryption methods require a database connection configured for client-side encryption. If the current database connection was not initiated with client-side field level encryption enabled, either:

- Use the Mongo() constructor from mongosh to establish a connection with the required client-side field level encryption options. The Mongo() method supports the following Key Management Service (KMS) providers for Customer Master Key (CMK) management:

or

- Use the mongosh command line options to establish a connection with the required options. The command line options only support the Amazon Web Services KMS provider for CMK management.
Example

The following example uses a locally managed KMS for the Queryable Encryption configuration.

Create Your Encrypted Connection

Start mongosh

Run:

mongosh --nodb

--nodb means don't connect to a database.

Generate a Key String

Generate a base64-encoded 96-byte string:

const TEST_LOCAL_KEY = require("crypto").randomBytes(96).toString("base64")

Create an Encryption Options Object

To create a client-side field level encryption options object, use the TEST_LOCAL_KEY string from the previous step:

var autoEncryptionOpts = {
    "keyVaultNamespace" : "encryption.__dataKeys",
    "kmsProviders" : {
        "local" : { "key" : BinData(0, TEST_LOCAL_KEY) }
    }
}

Create an Encrypted Client Object

To create an encrypted client object, use the Mongo() constructor. Replace the mongodb://myMongo.example.net URI with the connection string URI for the target cluster. For example:

encryptedClient = Mongo(
    "mongodb://myMongo.example.net:27017/?replSetName=myMongo",
    autoEncryptionOpts
)

Create Your Encrypted Collection

Create an encrypted enc.users collection:

clientEncryption = encryptedClient.getClientEncryption();
var result = clientEncryption.createEncryptedCollection(
    "enc",
    "users",
    {
        provider: "local",
        createCollectionOptions: encryptedFieldsMap,
        masterKey: {} // masterKey is optional when provider is local
    }
)
Check Your Result Object

createEncryptedCollection returns a large result object with many fields. Check the value of result.collection to confirm the collection was created in the desired location.

enc> result.collection
enc.users

Learn More
- For complete documentation on initiating MongoDB connections with client-side field level encryption enabled, see Mongo().
- For a complete example of how to create and query an encrypted collection, see Queryable Encryption Quick Start.