
ClientEncryption.createEncryptedCollection()

New in version 7.0

ClientEncryption.createEncryptedCollection(dbName, collName, clientEncOpts)

ClientEncryption.createEncryptedCollection creates an encrypted collection named collName in the database named dbName. For each field in the encryptedFields configuration that does not already carry a keyId, it generates a data encryption key in the key vault and then creates the collection with those keys, so you do not have to create the keys by hand before calling createCollection.

This command is available for deployments hosted in the following environments:

ClientEncryption.createEncryptedCollection has the following syntax:

clientEncryption = db.getMongo().getClientEncryption()
clientEncryption.createEncryptedCollection(
  dbName,
  collName,
  {
    provider: kmsProviderName,
    createCollectionOptions: encryptedFieldsMap,
    masterKey: customerMasterKeyCredentials
  }
)

createEncryptedCollection accepts the following fields:

Field | Type | Necessity | Description
dbName | string | Required | Name of the database in which to create the encrypted collection.
collName | string | Required | Name of the encrypted collection to create.
clientEncOpts | document | Required | Options that configure the encrypted collection.
clientEncOpts.provider | string | Required | Name of the KMS provider that stores your Customer Master Key (for example, "local" or "aws").
clientEncOpts.createCollectionOptions | document | Required | Fields to encrypt, given as an encryptedFields document. See the steps below for how to configure the encryptedFieldsMap object.
clientEncOpts.masterKey | document | Optional | Location of, and credentials for, the Customer Master Key when the KMS provider is AWS, GCP, or Azure. Not needed when the provider is local.

The mongosh client-side field level and queryable encryption methods require a database connection configured for client-side encryption. If the current database connection was not initiated with client-side field level encryption enabled, either:

or

The following example uses a locally managed KMS for the Queryable Encryption configuration.

1. Start a mongosh connection with client-side encryption enabled.

  1. Start mongosh

    Run:

    mongosh --nodb

    --nodb starts mongosh without connecting to a database.

  2. Generate a key string

    Generate a base64-encoded 96-byte string to use as the local Customer Master Key:

    const TEST_LOCAL_KEY = require("crypto").randomBytes(96).toString("base64")

    Save this value somewhere durable before continuing: the data encryption keys that createEncryptedCollection stores in the key vault are wrapped with this key, and the encrypted fields cannot be decrypted without it. A locally managed key is suitable for testing only.

  3. Create the encryption options object

    To create the client-side field level encryption options object, use the TEST_LOCAL_KEY string from the previous step:

    var autoEncryptionOpts = {
      "keyVaultNamespace": "encryption.__dataKeys",
      "kmsProviders": {
        "local": {
          "key": BinData(0, TEST_LOCAL_KEY)
        }
      }
    }

  4. Create the encrypted client object

    To create the encrypted client object, use the Mongo() constructor. Replace the mongodb://myMongo.example.net URI with the connection string URI of the target cluster. For example:

    encryptedClient = Mongo(
      "mongodb://myMongo.example.net:27017/?replSetName=myMongo",
      autoEncryptionOpts
    )
2. Create an encryptedFieldsMap that specifies which fields to encrypt:

    const encryptedFieldsMap = {
      encryptedFields: {
        fields: [
          {
            path: "secretField",
            bsonType: "string",
            queries: { queryType: "equality" },
          },
        ],
      },
    };
3. Create an encrypted enc.users collection:

    clientEncryption = encryptedClient.getClientEncryption();
    var result = clientEncryption.createEncryptedCollection(
      "enc",
      "users",
      {
        provider: "local",
        createCollectionOptions: encryptedFieldsMap,
        masterKey: {} // masterKey is optional when provider is local
      }
    )
4. createEncryptedCollection returns a large result object with many fields. Check the value of result.collection to confirm the collection was created in the desired location:

    enc> result.collection
    enc.users
  • For complete documentation on starting a MongoDB connection with client-side field level encryption enabled, see Mongo().

  • For a complete example of how to create and query an encrypted collection, see the Quick Start.