KeyVault.getKey()
New in version 4.2.
KeyVault.getKey(UUID)
Gets a data encryption key with the specified
UUID
. The data encryption key must exist in the key vault associated to the database connection.getKey()
has the following syntax:keyVault = db.getMongo().getKeyVault() keyVault.getKey(UUID("<UUID String>")) The UUID is a BSON
binary data
object with subtype4
.Returns: Document representing a matching data encryption key. Returns nothing if no key in the key vault has the specified
UUID
.
Behavior
Requires Configuring Client-Side Field Level Encryption on Database Connection
The mongo
client-side field level encryption methods
require a database connection with client-side field level encryption
enabled. If the current database connection was not initiated with
client-side field level encryption enabled, either:
Use the
Mongo()
constructor from themongo
shell to establish a connection with the required client-side field level encryption options. TheMongo()
method supports the following Key Management Service (KMS) providers for Customer Master Key (CMK) management:or
Use the
mongo
shell command line options to establish a connection with the required options. The command line options only support the Amazon Web Services KMS provider for CMK management.
Example
The following example uses a locally managed KMS for the client-side field level encryption configuration.
Configuring client-side field level encryption for a locally
managed key requires specifying a base64-encoded 96-byte
string with no line breaks. The following operation generates
a key that meets the stated requirements and loads it into
the mongo
shell:
TEST_LOCAL_KEY=$(echo "$(head -c 96 /dev/urandom | base64 | tr -d '\n')") mongo --nodb --shell --eval "var TEST_LOCAL_KEY='$TEST_LOCAL_KEY'"
Create the client-side field level encryption object using the generated local key string:
var ClientSideFieldLevelEncryptionOptions = { "keyVaultNamespace" : "encryption.__dataKeys", "kmsProviders" : { "local" : { "key" : BinData(0, TEST_LOCAL_KEY) } } }
Use the Mongo()
constructor to create a database connection
with the client-side field level encryption options. Replace the
mongodb://myMongo.example.net
URI with the connection string
URI of the target cluster.
encryptedClient = Mongo( "mongodb://myMongo.example.net:27017/?replSetName=myMongo", ClientSideFieldLevelEncryptionOptions )
Retrieve the keyVault
object and
use the KeyVault.getKey()
to retrieve
a data encryption key using its UUID
:
keyVault = encryptedClient.getKeyVault() keyVault.getKey(UUID("b4b41b33-5c97-412e-a02b-743498346079"))
getKey()
returns the data encryption key, with
output similar to the following:
{ "_id" : UUID("b4b41b33-5c97-412e-a02b-743498346079"), "keyMaterial" : BinData(0,"E+0jZKzA4YuE1lGmSVIy2mivqH4JxFo0yFATdxYX/s0YtMFsgVXyu7Bbn4IQ2gn7F/9JAPJFOxdQc5lN3AR+oX33ewVZsd63f3DN1zzcukqdR2Y+EeO7ekRxyRjdzMaNNrBNIv9Gn5LEJgWPSYkG8VczF7cNZnc1YmnR0tuDPNYfm0J7dCZuZUNWW3FCGRcdFx6AlXiCtXKNR97hJ216pQ=="), "creationDate" : ISODate("2021-03-16T18:22:43.733Z"), "updateDate" : ISODate("2021-03-16T18:22:43.733Z"), "status" : 0, "version" : NumberLong(0), "masterKey" : { "provider" : "local" }, "keyAltNames" : [ "alpha" ] }