Docs Menu
Docs Home
/
MongoDB Manual
/ / /

KeyVault.deleteKey()

On this page

  • Behavior
  • Example
KeyVault.deleteKey(UUID)

Deletes a data encryption key with the specified UUID from the key vault associated to the database connection.

deleteKey() has the following syntax:

keyVault = db.getMongo().getKeyVault()
keyVault.deleteKey(UUID("<UUID String>"))

The UUID is a BSON binary data object with subtype 4.

Returns:A document indicating the number of deleted keys.

The mongosh client-side field level encryption methods require a database connection with client-side field level encryption enabled. If the current database connection was not initiated with client-side field level encryption enabled, either:

The following example is intended for rapid evaluation of client-side field level encryption. For specific examples of using KeyVault.deleteKey() with each supported KMS provider, see Delete a Data Encryption Key.

To configure client-side field level encryption for a locally managed key:

  • generate a base64-encoded 96-byte string with no line breaks

  • use mongosh to load the key

export TEST_LOCAL_KEY=$(echo "$(head -c 96 /dev/urandom | base64 | tr -d '\n')")
mongosh --nodb

Create the client-side field level encryption object using the generated local key string:

var autoEncryptionOpts = {
"keyVaultNamespace" : "encryption.__dataKeys",
"kmsProviders" : {
"local" : {
"key" : BinData(0, process.env["TEST_LOCAL_KEY"])
}
}
}

Use the Mongo() constructor with the client-side field level encryption options configured to create a database connection. Replace the mongodb://myMongo.example.net URI with the connection string URI of the target cluster.

encryptedClient = Mongo(
"mongodb://myMongo.example.net:27017/?replSetName=myMongo",
autoEncryptionOpts
)

Retrieve the KeyVault object and use the KeyVault.deleteKey() method to delete the data encryption key with matching UUID:

keyVault = encryptedClient.getKeyVault()
keyVault.deleteKey(UUID("b4b41b33-5c97-412e-a02b-743498346079"))

If successful, deleteKey() returns output similar to the following:

{ "acknowledged" : true, "deletedCount" : 1 }

Tip

See also:

Back

KeyVault.createKey

On this page