Database Manual / Reference / mongosh Methods / In-Use Encryption

KeyVault.getKeyByAltName() (mongosh method)

KeyVault.getKeyByAltName(keyAltName)

Gets all data encryption keys with the specified keyAltName.

Returns:	Document representing a matching data encryption key.

Compatibility

This command is available in deployments hosted in the following environments:

MongoDB Atlas: The fully managed service for MongoDB deployments in the cloud

MongoDB Enterprise: The subscription-based, self-managed version of MongoDB
MongoDB Community: The source-available, free-to-use, and self-managed version of MongoDB

Syntax

getKeyByAltName() has the following syntax:

keyVault = db.getMongo().getKeyVault()

keyVault.getKeyByAltName("keyAltName")

Behavior

Requires Configuring Client-Side Field Level Encryption on Database Connection

The mongosh ClientEncryption methods require a database connection with in-use encryption enabled. If the current database connection was not initiated with in-use encryption enabled, either:

Use the Mongo() constructor from the mongosh to establish a connection with the required in-use encryption options. The Mongo() method supports the following Key Management Service (KMS) providers for Customer Master Key (CMK) management:
or
Use the mongosh command line options to establish a connection with the required options. The command line options only support the Amazon Web Services KMS provider for CMK management.

Example

The following example uses a locally managed KMS for the client-side field level encryption configuration.

Start mongosh

Start the mongosh client.

mongosh --nodb

Generate Your Key

To configure client-side field level encryption for a locally managed key, generate a base64-encoded 96-byte string with no line breaks.

const TEST_LOCAL_KEY = require("crypto").randomBytes(96).toString("base64")

Create the Client-Side Field Level Encryption Options

Create the client-side field level encryption options using the generated local key string:

 var autoEncryptionOpts = {
   "keyVaultNamespace" : "encryption.__dataKeys",
   "kmsProviders" : {
     "local" : {
       "key" : BinData(0, TEST_LOCAL_KEY)
     }
   }
 }

Create Your Encrypted Client

Use the Mongo() constructor with the client-side field level encryption options configured to create a database connection. Replace the mongodb://myMongo.example.net URI with the connection string URI of the target cluster.

encryptedClient = Mongo(
  "mongodb://myMongo.example.net:27017/?replSetName=myMongo",
   autoEncryptionOpts
)

Retrieve the KeyVault object and use the KeyVault.getKeyByAltName() method to retrieve the data encryption key whose keyAltNames array includes the specified key alternate name:

keyVault.getKeyByAltName("data-encryption-key")

getKeyByAltName() returns the following data encryption key:

{
    "_id" : UUID("b4b41b33-5c97-412e-a02b-743498346079"),
    "keyMaterial" : BinData(0,"PXRsLOAYxhzTS/mFQAI8486da7BwZgqA91UI7NKz/T/AjB0uJZxTvhvmQQsKbCJYsWVS/cp5Rqy/FUX2zZwxJOJmI3rosPhzV0OI5y1cuXhAlLWlj03CnTcOSRzE/YIrsCjMB0/NyiZ7MRWUYzLAEQnE30d947XCiiHIb8a0kt2SD0so8vZvSuP2n0Vtz4NYqnzF0CkhZSWFa2e2yA=="),
    "creationDate" : ISODate("2019-08-12T21:21:30.569Z"),
    "updateDate" : ISODate("2019-08-12T21:21:30.569Z"),
    "status" : 0,
    "version" : Long(0),
    "masterKey" : {
        "provider" : "local"
    },
    "keyAltNames" : [
        "data-encryption-key"
    ]
}

Back

KeyVault.getKeys

KeyVault.removeKeyAlternateName