In-Use Encryption
In-Use Encryption consists of two features:
Installation
Using In-Use Encryption in the C driver requires the dependency libmongocrypt. See the MongoDB Manual for libmongocrypt installation instructions.
Once libmongocrypt is installed, configure the C driver with -DENABLE_CLIENT_SIDE_ENCRYPTION=ON
to require In-Use Encryption be enabled.
$ cd mongo-c-driver $ mkdir cmake-build && cd cmake-build $ cmake -DENABLE_AUTOMATIC_INIT_AND_CLEANUP=OFF -DENABLE_CLIENT_SIDE_ENCRYPTION=ON .. $ cmake --build . --target install
API
mongoc_client_encryption_t is used for explicit encryption and key management. mongoc_client_enable_auto_encryption and mongoc_client_pool_enable_auto_encryption is used to enable automatic encryption.
The Queryable Encryption and CSFLE features share much of the same API with some exceptions.
The supported algorithms documented in mongoc_client_encryption_encrypt_opts_set_algorithm do not apply to both features.
mongoc_auto_encryption_opts_set_encrypted_fields_map only applies to Queryable Encryption.
mongoc_auto_encryption_opts_set_schema_map only applies to CSFLE.
Query Analysis
To support the automatic encryption feature, one of the following dependencies are required:
The
mongocryptdexecutable. See the MongoDB Manual documentation: Install and Configure mongocryptdThe
crypt_sharedlibrary. See the MongoDB Manual documentation: Automatic Encryption Shared Library
A mongoc_client_t or mongoc_client_pool_t configured with auto encryption will automatically
try to load the crypt_shared library. If loading the crypt_shared library fails, the mongoc_client_t
or mongoc_client_pool_t will try to spawn the mongocryptd process from the application's PATH.
To configure use of crypt_shared and mongocryptd see mongoc_auto_encryption_opts_set_extra.