ClientEncryption.createEncryptedCollection()
New in version 7.0.
ClientEncryption.createEncryptedCollection(dbName, collName, clientEncOpts)

ClientEncryption.createEncryptedCollection creates an encrypted collection specified by collName on the database specified by dbName.
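Compatibility
This command is available in deployments hosted in the following environments:
MongoDB Atlas: The fully managed service for MongoDB deployments in the cloud
MongoDB Enterprise: The subscription-based, self-managed version of MongoDB
MongoDB Community: The source-available, free-to-use, and self-managed version of MongoDB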
Syntax
ClientEncryption.createEncryptedCollection has the following syntax:

```javascript
clientEncryption = db.getMongo().getClientEncryption()

clientEncryption.createEncryptedCollection(
  dbName,
  collName,
  {
    provider: kmsProviderName,
    createCollectionOptions: encryptedFieldsMap,
    masterKey: customerMasterKeyCredentials
  }
)
```
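Command Fields
createEncryptedCollection accepts the following fields:

| Field | Type | Necessity | Description |
|---|---|---|---|
| dbName | string | Required | Name of the database to encrypt. |
| collName | string | Required | Name of the collection to encrypt. |
| clientEncOpts | document | Required | Options to configure the encrypted collection. |
| clientEncOpts.provider | string | Required | KMS you are using to store your Customer Master Key. |
| clientEncOpts.createCollectionOptions | document | Required | Fields to encrypt. See Steps for details on how to configure the |
| clientEncOpts.masterKey | document | Optional | How to get the master key when the KMS Provider is AWS, GCP, or Azure. |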
Behavior
The mongosh client-side field level and queryable encryption methods require a database connection configured for client-side encryption. If the current database connection was not initiated with client-side field level encryption enabled, either:

Use the Mongo() constructor from the mongosh to establish a connection with the required client-side field level encryption options. The Mongo() method supports the following Key Management Service (KMS) providers for Customer Master Key (CMK) management:

or

Use the mongosh command line options to establish a connection with the required options. The command line options only support the Amazon Web Services KMS provider for CMK management.
Example
The following example uses a locally managed KMS for the Queryable Encryption configuration.
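Create an Encrypted Connection

Start mongosh
Run:

```sh
mongosh --nodb
```

--nodb means don't connect to a database.

Generate a Key String
Generate a base64-encoded 96-byte string:

```javascript
const TEST_LOCAL_KEY = require("crypto").randomBytes(96).toString("base64")
```

Create an Encryption Options Object
To create a client-side field level encryption options object, use the TEST_LOCAL_KEY string from the previous step:

```javascript
var autoEncryptionOpts = {
  "keyVaultNamespace" : "encryption.__dataKeys",
  "kmsProviders" : {
    "local" : {
      "key" : BinData(0, TEST_LOCAL_KEY)
    }
  }
}
```

Create an Encrypted Client Object
To create an encrypted client object, use the Mongo() constructor. Replace the mongodb://myMongo.example.net URI with the connection string URI for the target cluster. For example:

```javascript
encryptedClient = Mongo(
  "mongodb://myMongo.example.net:27017/?replSetName=myMongo",
  autoEncryptionOpts
)
```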
Create Your Encrypted Collection
Create an encrypted enc.users collection:

```javascript
clientEncryption = encryptedClient.getClientEncryption();

var result = clientEncryption.createEncryptedCollection(
  "enc",
  "users",
  {
    provider: "local",
    createCollectionOptions: encryptedFieldsMap,
    masterKey: {} // masterKey is optional when provider is local
  }
)
```
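
The call above passes encryptedFieldsMap, which this page never defines. As an added example (not from the MongoDB documentation), the following JavaScript builds such an object and checks that the local key decodes to exactly 96 bytes. The helper names, the sample fields ssn and medicalNotes, and the use of keyId: null to have a data key created for each field are assumptions.

```javascript
// Added example: helper names and sample fields are assumptions, not MongoDB APIs.

// The local KMS provider key in this walkthrough is 96 random bytes, base64-encoded.
function isValidLocalKey(b64) {
  if (typeof b64 !== "string") return false;
  const raw = Buffer.from(b64, "base64");
  // Round-trip so that characters the decoder silently drops are rejected.
  return raw.length === 96 && raw.toString("base64") === b64;
}

// specs: [{ path, bsonType, queryable }]
// Returns the document passed as createCollectionOptions.
function buildEncryptedFieldsMap(specs) {
  const seen = new Set();
  const fields = specs.map((s) => {
    if (typeof s.path !== "string" || s.path === "") {
      throw new Error("path must be a non-empty string");
    }
    if (typeof s.bsonType !== "string" || s.bsonType === "") {
      throw new Error("bsonType missing for " + s.path);
    }
    if (seen.has(s.path)) throw new Error("duplicate path: " + s.path);
    seen.add(s.path);
    // Assumption: keyId null asks createEncryptedCollection to create a data key.
    const field = { path: s.path, bsonType: s.bsonType, keyId: null };
    // Only equality queries are modelled here; a field without "queries"
    // is encrypted but cannot be searched.
    if (s.queryable) field.queries = { queryType: "equality" };
    return field;
  });
  if (fields.length === 0) throw new Error("no fields to encrypt");
  return { encryptedFields: { fields: fields } };
}

// Constructed sample schema for the enc.users collection.
const encryptedFieldsMap = buildEncryptedFieldsMap([
  { path: "ssn", bsonType: "string", queryable: true },
  { path: "medicalNotes", bsonType: "string", queryable: false },
]);
```

Marking only the fields that must be searched as queryable keeps the rest encrypted without query support.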