Use Automatic Client-Side Field Level Encryption with AWS


  • Overview
  • Before You Begin
  • Full Application Code
  • Set Up Your KMS
  • Create a Customer Master Key
  • Create an AWS IAM User
  • Create the Application
  • Create a Unique Index on Your Key Vault Collection
  • Create a New Data Encryption Key
  • Configure the MongoClient
  • Insert a Document with Encrypted Fields
  • Retrieve a Document with Encrypted Fields
  • Learn More

This guide shows you how to build an application that enables client-side field level encryption (CSFLE) using Amazon Web Services (AWS) KMS.


After completing this guide, you will have:

  • A customer master key (CMK) hosted in an AWS KMS instance.

  • A working client application that can insert documents with encrypted fields using your customer master key.




```go
dek_id := "<Your Base64 DEK ID>"
```

Replace the content between the quotes with your DEK ID, for example:

```go
dek_id := "abc123"
```



Complete C# Application

When you build or run the Go code in this guide with go build or go run, always include the cse build constraint so that CSFLE is enabled. The following shell command shows how to pass the build constraint:

```shell
go run -tags cse insert-encrypted-document.go
```
  1. Log in to the AWS Management Console.

  2. Navigate to the AWS KMS console.

  3. Create your customer master key

    Create a new symmetric key by following the official AWS documentation on creating symmetric KMS keys. The key you create is your customer master key. Choose a name and description that help you identify the key; these fields do not affect the functionality or configuration of the CMK.

    In the Usage Permissions step of the key generation process, apply the following default key policy, which lets Identity and Access Management (IAM) policies grant access to your customer master key:

    ```json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Enable IAM User Permissions",
          "Effect": "Allow",
          "Principal": {
            "AWS": "<ARN of your AWS account principal>"
          },
          "Action": "kms:*",
          "Resource": "*"
        }
      ]
    }
    ```

    Record the Amazon Resource Name (ARN) and region of your customer master key. You will use them in later steps of this guide.

    To learn more about key policies, see Key policies in AWS KMS in the official AWS documentation.

  1. Navigate to the AWS IAM console.

  2. Create an IAM user

    Create a new programmatic IAM user in the AWS Management Console by following the official documentation on adding a user. You will use this IAM user as the service account for your CSFLE-enabled application. Your application authenticates with AWS KMS as this IAM user in order to encrypt and decrypt your data encryption keys (DEKs) with your customer master key (CMK).

    Make sure to record the following IAM credentials in the final step of creating your IAM user:

    • Access key ID

    • Secret access key

    You have only one opportunity to record these credentials. If you do not record them during that step, you must create another IAM user.

  3. Grant permissions

    Your new client IAM user should not have administrative permissions for the master key. To keep your data secure, follow the principle of least privilege.

    The following inline policy allows the IAM user to encrypt and decrypt with the customer master key and nothing more, in keeping with the principle of least privilege:

    Remote Master Key ARN

    The following policy requires the ARN of the key you generated in the Create a Customer Master Key step of this guide.

    ```json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["kms:Decrypt", "kms:Encrypt"],
          "Resource": "<the Amazon Resource Name (ARN) of your remote master key>"
        }
      ]
    }
    ```

    To apply the preceding policy to your IAM user, follow the Adding IAM identity permissions guide in the AWS documentation.
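    The two policy documents above are easy to get subtly wrong (a leftover `kms:*`, a `*` resource, or a client principal granted access in the key policy instead of through IAM). The following added example, which is not MongoDB's or AWS's code, lints both the CMK key policy and the service-account inline policy for least privilege. The account id and ARNs it uses are constructed placeholders.

    ```python
    """Least-privilege lint for the two AWS policies this guide asks you to create.

    Added example, not MongoDB's or AWS's own code. It checks the IAM inline
    policy for the CSFLE service account (only kms:Encrypt and kms:Decrypt, only
    on the master key ARN) and the CMK key policy (delegates to IAM through the
    account root and grants nothing to other principals directly). The account id
    and ARNs below are constructed placeholders.
    """
    import json

    # The only KMS actions a CSFLE client needs: wrapping and unwrapping DEKs.
    CLIENT_ACTIONS = {"kms:Encrypt", "kms:Decrypt"}


    def _as_list(value):
        """IAM allows Action, Resource and Principal to be a string or a list."""
        if value is None:
            return []
        return value if isinstance(value, list) else [value]


    def _allow_statements(policy):
        return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


    def lint_client_policy(policy, master_key_arn):
        """Findings for the service-account identity policy; [] means least privilege."""
        findings = []
        statements = _allow_statements(policy)
        for i, stmt in enumerate(statements):
            actions = set(_as_list(stmt.get("Action")))
            resources = set(_as_list(stmt.get("Resource")))
            wildcard_actions = {a for a in actions if "*" in a}
            extra_actions = actions - CLIENT_ACTIONS - wildcard_actions
            if wildcard_actions:
                findings.append(f"statement {i}: wildcard action {sorted(wildcard_actions)}")
            if extra_actions:
                findings.append(f"statement {i}: action not needed by a CSFLE client {sorted(extra_actions)}")
            if any("*" in r for r in resources):
                findings.append(f"statement {i}: wildcard resource")
            if resources != {master_key_arn}:
                findings.append(f"statement {i}: resource is not exactly the master key ARN")
        if not statements:
            findings.append("policy grants nothing; the client cannot wrap or unwrap DEKs")
        return findings


    def lint_key_policy(policy, account_id):
        """Findings for the CMK key policy; [] means the default IAM-delegating policy."""
        root_arn = f"arn:aws:iam::{account_id}:root"
        findings = []
        delegates_to_iam = False
        for i, stmt in enumerate(_allow_statements(policy)):
            principal = stmt.get("Principal")
            principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
            actions = set(_as_list(stmt.get("Action")))
            if principals == [root_arn] and "kms:*" in actions:
                delegates_to_iam = True  # the default statement from the guide
                continue
            for p in principals:
                findings.append(
                    f"statement {i}: principal {p!r} is granted {sorted(actions)} directly; "
                    "grant client access through an IAM policy instead")
        if not delegates_to_iam:
            findings.append("no statement lets the account root (and so IAM policies) manage the key")
        return findings


    # Constructed sample values (not real AWS identifiers).
    ACCOUNT_ID = "123456789012"
    MASTER_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"

    # The default key policy from the guide, with the placeholder filled in.
    KEY_POLICY = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
            "Action": "kms:*",
            "Resource": "*",
        }],
    }

    # The least-privilege inline policy from the guide.
    CLIENT_POLICY = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["kms:Decrypt", "kms:Encrypt"],
            "Resource": MASTER_KEY_ARN,
        }],
    }

    # An over-broad variant the lint should reject (constructed).
    OVERBROAD_CLIENT_POLICY = {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*"}],
    }

    if __name__ == "__main__":
        for name, findings in [
            ("key policy", lint_key_policy(KEY_POLICY, ACCOUNT_ID)),
            ("client policy", lint_client_policy(CLIENT_POLICY, MASTER_KEY_ARN)),
            ("over-broad client policy", lint_client_policy(OVERBROAD_CLIENT_POLICY, MASTER_KEY_ARN)),
        ]:
            print(name, json.dumps(findings or ["ok"], indent=2))
    ```

    Run it against the policy JSON you actually attached (for example, the output of `aws iam get-user-policy` or `aws kms get-key-policy`) before you hand the credentials to the application; an empty findings list for both documents is the expected state.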


    Authenticate with IAM roles in production

    When you deploy your CSFLE-enabled application to a production environment, authenticate the application with an IAM role instead of an IAM user.

    To learn more about IAM roles, see the following pages in the official AWS documentation:


Create a unique index on the keyAltNames field in your encryption.__keyVault namespace.

The code for each supported MongoDB driver follows:

C#

```csharp
using MongoDB.Bson;
using MongoDB.Driver;

var connectionString = "<Your MongoDB URI>";
var keyVaultNamespace = CollectionNamespace.FromFullName("encryption.__keyVault");
var keyVaultClient = new MongoClient(connectionString);
var indexOptions = new CreateIndexOptions<BsonDocument>();
indexOptions.Unique = true;
indexOptions.PartialFilterExpression = new BsonDocument { { "keyAltNames", new BsonDocument { { "$exists", new BsonBoolean(true) } } } };
var builder = Builders<BsonDocument>.IndexKeys;
var indexKeysDocument = builder.Ascending("keyAltNames");
var indexModel = new CreateIndexModel<BsonDocument>(indexKeysDocument, indexOptions);
var keyVaultDatabase = keyVaultClient.GetDatabase(keyVaultNamespace.DatabaseNamespace.ToString());
// Drop the Key Vault Collection in case you created this collection
// in a previous run of this application.
keyVaultDatabase.DropCollection(keyVaultNamespace.CollectionName.ToString());
// Drop the database storing your encrypted fields as all
// the DEKs encrypting those fields were deleted in the preceding line.
keyVaultClient.GetDatabase("medicalRecords").DropCollection("patients");
var keyVaultCollection = keyVaultDatabase.GetCollection<BsonDocument>(keyVaultNamespace.CollectionName.ToString());
keyVaultCollection.Indexes.CreateOne(indexModel);
```

Go

```go
uri := "<Your MongoDB URI>"
keyVaultClient, err := mongo.Connect(context.TODO(), options.Client().ApplyURI(uri))
if err != nil {
	return fmt.Errorf("Connect error for regular client: %v", err)
}
defer func() {
	_ = keyVaultClient.Disconnect(context.TODO())
}()
keyVaultColl := "__keyVault"
keyVaultDb := "encryption"
keyVaultNamespace := keyVaultDb + "." + keyVaultColl
keyVaultIndex := mongo.IndexModel{
	Keys: bson.D{{"keyAltNames", 1}},
	Options: options.Index().
		SetUnique(true).
		SetPartialFilterExpression(bson.D{
			{"keyAltNames", bson.D{
				{"$exists", true},
			}},
		}),
}
// Drop the Key Vault Collection in case you created this collection
// in a previous run of this application.
if err = keyVaultClient.Database(keyVaultDb).Collection(keyVaultColl).Drop(context.TODO()); err != nil {
	log.Fatalf("Collection.Drop error: %v", err)
}
// Drop the database storing your encrypted fields as all
// the DEKs encrypting those fields were deleted in the preceding line.
if err = keyVaultClient.Database("medicalRecords").Collection("patients").Drop(context.TODO()); err != nil {
	log.Fatalf("Collection.Drop error: %v", err)
}
_, err = keyVaultClient.Database(keyVaultDb).Collection(keyVaultColl).Indexes().CreateOne(context.TODO(), keyVaultIndex)
if err != nil {
	return fmt.Errorf("CreateOne index error: %v", err)
}
```

Java

```java
String connectionString = "<Your MongoDB URI>";
String keyVaultDb = "encryption";
String keyVaultColl = "__keyVault";
String keyVaultNamespace = keyVaultDb + "." + keyVaultColl;
MongoClient keyVaultClient = MongoClients.create(connectionString);
// Drop the Key Vault Collection in case you created this collection
// in a previous run of this application.
keyVaultClient.getDatabase(keyVaultDb).getCollection(keyVaultColl).drop();
// Drop the database storing your encrypted fields as all
// the DEKs encrypting those fields were deleted in the preceding line.
keyVaultClient.getDatabase("medicalRecords").getCollection("patients").drop();
MongoCollection keyVaultCollection = keyVaultClient.getDatabase(keyVaultDb).getCollection(keyVaultColl);
IndexOptions indexOpts = new IndexOptions().partialFilterExpression(new BsonDocument("keyAltNames", new BsonDocument("$exists", new BsonBoolean(true)))).unique(true);
keyVaultCollection.createIndex(new BsonDocument("keyAltNames", new BsonInt32(1)), indexOpts);
```

Node.js

```javascript
const { MongoClient } = require("mongodb");

const uri = "<Your Connection String>";
const keyVaultDatabase = "encryption";
const keyVaultCollection = "__keyVault";
const keyVaultNamespace = `${keyVaultDatabase}.${keyVaultCollection}`;
const keyVaultClient = new MongoClient(uri);
await keyVaultClient.connect();
const keyVaultDB = keyVaultClient.db(keyVaultDatabase);
// Drop the Key Vault Collection in case you created this collection
// in a previous run of this application.
await keyVaultDB.dropDatabase();
// Drop the database storing your encrypted fields as all
// the DEKs encrypting those fields were deleted in the preceding line.
await keyVaultClient.db("medicalRecords").dropDatabase();
const keyVaultColl = keyVaultDB.collection(keyVaultCollection);
await keyVaultColl.createIndex(
  { keyAltNames: 1 },
  {
    unique: true,
    partialFilterExpression: { keyAltNames: { $exists: true } },
  }
);
```

Python

```python
from pymongo import MongoClient, ASCENDING

connection_string = "<your connection string here>"
key_vault_coll = "__keyVault"
key_vault_db = "encryption"
key_vault_namespace = f"{key_vault_db}.{key_vault_coll}"
key_vault_client = MongoClient(connection_string)
# Drop the Key Vault Collection in case you created this collection
# in a previous run of this application.
key_vault_client.drop_database(key_vault_db)
# Drop the database storing your encrypted fields as all
# the DEKs encrypting those fields were deleted in the preceding line.
key_vault_client.drop_database("medicalRecords")
key_vault_client[key_vault_db][key_vault_coll].create_index(
    [("keyAltNames", ASCENDING)],
    unique=True,
    partialFilterExpression={"keyAltNames": {"$exists": True}},
)
```
  1. Add your AWS KMS credentials

    Add the service account credentials to your CSFLE-enabled client code.

    C#

    ```csharp
    var kmsProviders = new Dictionary<string, IReadOnlyDictionary<string, object>>();
    var provider = "aws";
    var awsKmsOptions = new Dictionary<string, object>
    {
        { "accessKeyId", "<Your AWS Access Key ID>" },
        { "secretAccessKey", "<Your AWS Secret Access Key>" }
    };
    kmsProviders.Add(provider, awsKmsOptions);
    ```

    Go

    ```go
    provider := "aws"
    kmsProviders := map[string]map[string]interface{}{
    	provider: {
    		"accessKeyId":     "<Your AWS Access Key ID>",
    		"secretAccessKey": "<Your AWS Secret Access Key>",
    	},
    }
    ```

    Java

    ```java
    Map<String, Map<String, Object>> kmsProviders = new HashMap<String, Map<String, Object>>();
    String kmsProvider = "aws";
    Map<String, Object> providerDetails = new HashMap<>();
    providerDetails.put("accessKeyId", new BsonString("<IAM User Access Key ID>"));
    providerDetails.put("secretAccessKey", new BsonString("<IAM User Secret Access Key>"));
    kmsProviders.put(kmsProvider, providerDetails);
    ```

    To learn how to supply AWS credentials to the Java driver other than by specifying them directly as in the preceding code example, see the Java MONGODB-AWS documentation.

    Node.js

    ```javascript
    const provider = "aws";
    const kmsProviders = {
      aws: {
        accessKeyId: "<Your AWS Access Key ID>",
        secretAccessKey: "<Your AWS Secret Access Key>",
      },
    };
    ```

    Python

    ```python
    provider = "aws"
    kms_providers = {
        provider: {
            "accessKeyId": "<IAM User Access Key ID>",
            "secretAccessKey": "<IAM User Secret Access Key>",
        }
    }
    ```
  2. Add your key information

    You recorded the ARN and region of your customer master key in the Create a Customer Master Key step of this guide.

    C#

    ```csharp
    var dataKeyOptions = new DataKeyOptions(
        masterKey: new BsonDocument
        {
            { "region", "<Your AWS Key Region>" },
            { "key", "<Your AWS Key ARN>" },
        });
    ```

    Go

    ```go
    masterKey := map[string]interface{}{
    	"key":    "<Your AWS Key ARN>",
    	"region": "<Your AWS Key Region>",
    }
    ```

    Java

    ```java
    BsonDocument masterKeyProperties = new BsonDocument();
    masterKeyProperties.put("provider", new BsonString(kmsProvider));
    masterKeyProperties.put("key", new BsonString("<Master Key ARN>"));
    masterKeyProperties.put("region", new BsonString("<Master Key AWS Region>"));
    ```

    Node.js

    ```javascript
    const masterKey = {
      key: "<Your AWS Key ARN>",
      region: "<Your AWS Key Region>",
    };
    ```

    Python

    ```python
    master_key = {"region": "<Master Key AWS Region>", "key": "<Master Key ARN>"}
    ```
  3. Generate your data encryption key

    Generate your data encryption key using the variables declared in step 1 of this tutorial.

    C#

    ```csharp
    using MongoDB.Driver.Encryption;

    var clientEncryptionOptions = new ClientEncryptionOptions(
        keyVaultClient: keyVaultClient,
        keyVaultNamespace: keyVaultNamespace,
        kmsProviders: kmsProviders
    );
    var clientEncryption = new ClientEncryption(clientEncryptionOptions);
    var dataKeyId = clientEncryption.CreateDataKey(provider, dataKeyOptions, CancellationToken.None);
    var dataKeyIdBase64 = Convert.ToBase64String(GuidConverter.ToBytes(dataKeyId, GuidRepresentation.Standard));
    Console.WriteLine($"DataKeyId [base64]: {dataKeyIdBase64}");
    ```

    Go

    ```go
    clientEncryptionOpts := options.ClientEncryption().SetKeyVaultNamespace(keyVaultNamespace).
    	SetKmsProviders(kmsProviders)
    clientEnc, err := mongo.NewClientEncryption(keyVaultClient, clientEncryptionOpts)
    if err != nil {
    	return fmt.Errorf("NewClientEncryption error %v", err)
    }
    defer func() {
    	_ = clientEnc.Close(context.TODO())
    }()
    dataKeyOpts := options.DataKey().
    	SetMasterKey(masterKey)
    dataKeyID, err := clientEnc.CreateDataKey(context.TODO(), provider, dataKeyOpts)
    if err != nil {
    	return fmt.Errorf("create data key error %v", err)
    }
    fmt.Printf("DataKeyId [base64]: %s\n", base64.StdEncoding.EncodeToString(dataKeyID.Data))
    ```

    Java

    ```java
    ClientEncryptionSettings clientEncryptionSettings = ClientEncryptionSettings.builder()
            .keyVaultMongoClientSettings(MongoClientSettings.builder()
                    .applyConnectionString(new ConnectionString(connectionString))
                    .build())
            .keyVaultNamespace(keyVaultNamespace)
            .kmsProviders(kmsProviders)
            .build();
    MongoClient regularClient = MongoClients.create(connectionString);
    ClientEncryption clientEncryption = ClientEncryptions.create(clientEncryptionSettings);
    BsonBinary dataKeyId = clientEncryption.createDataKey(kmsProvider, new DataKeyOptions().masterKey(masterKeyProperties));
    String base64DataKeyId = Base64.getEncoder().encodeToString(dataKeyId.getData());
    System.out.println("DataKeyId [base64]: " + base64DataKeyId);
    ```

    Node.js

    ```javascript
    const { MongoClient, ClientEncryption } = require("mongodb");

    const client = new MongoClient(uri);
    await client.connect();
    const encryption = new ClientEncryption(client, {
      keyVaultNamespace,
      kmsProviders,
    });
    const key = await encryption.createDataKey(provider, {
      masterKey: masterKey,
    });
    console.log("DataKeyId [base64]: ", key.toString("base64"));
    await keyVaultClient.close();
    await client.close();
    ```

    Import ClientEncryption

    When using Node.js driver v6.0 or later, you must import ClientEncryption from mongodb.

    For earlier driver versions, import ClientEncryption from mongodb-client-encryption.

    Python

    ```python
    import base64
    from bson.binary import STANDARD
    from bson.codec_options import CodecOptions
    from pymongo import MongoClient
    from pymongo.encryption import ClientEncryption

    key_vault_database = "encryption"
    key_vault_collection = "__keyVault"
    key_vault_namespace = f"{key_vault_database}.{key_vault_collection}"
    client = MongoClient(connection_string)
    client_encryption = ClientEncryption(
        kms_providers,  # pass in the kms_providers variable from the previous step
        key_vault_namespace,
        client,
        CodecOptions(uuid_representation=STANDARD),
    )
    data_key_id = client_encryption.create_data_key(provider, master_key)
    base_64_data_key_id = base64.b64encode(data_key_id)
    print("DataKeyId [base64]: ", base_64_data_key_id)
    ```



To view a diagram showing how your client application creates your data encryption key when using AWS KMS, see Architecture.

To learn more about the options for creating a data encryption key encrypted with a customer master key hosted in AWS KMS, see the dataKeyOpts object.

To view the complete code for making a data encryption key, see our GitHub repository.

To view the complete code for this file, see our GitHub repository.

  1. Specify the key vault collection namespace

    Specify encryption.__keyVault as the key vault collection namespace.

    C#

    ```csharp
    var keyVaultNamespace = CollectionNamespace.FromFullName("encryption.__keyVault");
    ```

    Go

    ```go
    keyVaultNamespace := "encryption.__keyVault"
    ```

    Java

    ```java
    String keyVaultNamespace = "encryption.__keyVault";
    ```

    Node.js

    ```javascript
    const keyVaultNamespace = "encryption.__keyVault";
    ```

    Python

    ```python
    key_vault_namespace = "encryption.__keyVault"
    ```
  2. Specify your AWS credentials

    Specify the aws KMS provider and your IAM user credentials:

    C#

    ```csharp
    var kmsProviders = new Dictionary<string, IReadOnlyDictionary<string, object>>();
    var provider = "aws";
    var awsKmsOptions = new Dictionary<string, object>
    {
        { "accessKeyId", "<Your AWS Access Key ID>" },
        { "secretAccessKey", "<Your AWS Secret Access Key>" }
    };
    kmsProviders.Add(provider, awsKmsOptions);
    ```

    Go

    ```go
    kmsProviders := map[string]map[string]interface{}{
    	"aws": {
    		"accessKeyId":     "<Your AWS Access Key ID>",
    		"secretAccessKey": "<Your AWS Secret Access Key>",
    	},
    }
    ```

    Java

    ```java
    Map<String, Map<String, Object>> kmsProviders = new HashMap<String, Map<String, Object>>();
    String kmsProvider = "aws";
    Map<String, Object> providerDetails = new HashMap<>();
    providerDetails.put("accessKeyId", "<IAM User Access Key ID>");
    providerDetails.put("secretAccessKey", "<IAM User Secret Access Key>");
    kmsProviders.put(kmsProvider, providerDetails);
    ```

    Node.js

    ```javascript
    const kmsProviders = {
      aws: {
        accessKeyId: "<Your AWS Access Key ID>",
        secretAccessKey: "<Your AWS Secret Access Key>",
      },
    };
    ```

    Python

    ```python
    provider = "aws"
    kms_providers = {
        "aws": {
            "accessKeyId": "<IAM User Access Key ID>",
            "secretAccessKey": "<IAM User Secret Access Key>",
        }
    }
    ```

    Reminder: authenticate with IAM roles in production

    To authenticate your application with an IAM role instead of an IAM user, specify an empty object for the credentials in your KMS provider object. This instructs the driver to retrieve the credentials automatically from the environment:

    ```
    kmsProviders = {
      aws: { }
    }
    ```

    C#

    ```csharp
    kmsProviderCredentials.Add("aws", new Dictionary<string, object>());
    ```

    Go

    ```go
    kmsProviderCredentials := map[string]map[string]interface{}{
    	"aws": { },
    }
    ```

    Java

    ```java
    kmsProviderCredentials.put("aws", new HashMap<>());
    ```

    Node.js

    ```javascript
    kmsProviders = {
      aws: { }
    }
    ```

    Python

    ```python
    kms_provider_credentials = {
        "aws": { }
    }
    ```
  3. Create an encryption schema for your collection

    Add your data encryption key Base64 ID

    Make sure to update the following code to include your Base64 DEK ID. You received this value in the Generate your data encryption key step of this guide.

    C#

    ```csharp
    var keyId = "<Your base64 DEK ID here>";
    var schema = new BsonDocument
    {
        { "bsonType", "object" },
        { "encryptMetadata", new BsonDocument("keyId", new BsonArray(new[] { new BsonBinaryData(Convert.FromBase64String(keyId), BsonBinarySubType.UuidStandard) })) },
        {
            "properties", new BsonDocument
            {
                { "ssn", new BsonDocument { { "encrypt", new BsonDocument { { "bsonType", "int" }, { "algorithm", "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" } } } } },
                { "bloodType", new BsonDocument { { "encrypt", new BsonDocument { { "bsonType", "string" }, { "algorithm", "AEAD_AES_256_CBC_HMAC_SHA_512-Random" } } } } },
                { "medicalRecords", new BsonDocument { { "encrypt", new BsonDocument { { "bsonType", "array" }, { "algorithm", "AEAD_AES_256_CBC_HMAC_SHA_512-Random" } } } } },
                {
                    "insurance", new BsonDocument
                    {
                        { "bsonType", "object" },
                        {
                            "properties", new BsonDocument
                            {
                                { "policyNumber", new BsonDocument { { "encrypt", new BsonDocument { { "bsonType", "int" }, { "algorithm", "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" } } } } }
                            }
                        }
                    }
                }
            }
        }
    };
    var schemaMap = new Dictionary<string, BsonDocument>();
    schemaMap.Add(dbNamespace, schema);
    ```

    Go

    ```go
    dek_id := "<Your Base64 DEK ID>"
    schema_template := `{
        "bsonType": "object",
        "encryptMetadata": {
            "keyId": [
                {
                    "$binary": {
                        "base64": "%s",
                        "subType": "04"
                    }
                }
            ]
        },
        "properties": {
            "insurance": {
                "bsonType": "object",
                "properties": {
                    "policyNumber": {
                        "encrypt": {
                            "bsonType": "int",
                            "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
                        }
                    }
                }
            },
            "medicalRecords": {
                "encrypt": {
                    "bsonType": "array",
                    "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random"
                }
            },
            "bloodType": {
                "encrypt": {
                    "bsonType": "string",
                    "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random"
                }
            },
            "ssn": {
                "encrypt": {
                    "bsonType": "int",
                    "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
                }
            }
        }
    }`
    schema := fmt.Sprintf(schema_template, dek_id)
    var schemaDoc bson.Raw
    if err := bson.UnmarshalExtJSON([]byte(schema), true, &schemaDoc); err != nil {
    	return fmt.Errorf("UnmarshalExtJSON error: %v", err)
    }
    schemaMap := map[string]interface{}{
    	dbName + "." + collName: schemaDoc,
    }
    ```

    Java

    ```java
    String dekId = "<paste-base-64-encoded-data-encryption-key-id>";
    Document jsonSchema = new Document().append("bsonType", "object").append("encryptMetadata",
            new Document().append("keyId", new ArrayList<>((Arrays.asList(new Document().append("$binary", new Document()
                    .append("base64", dekId)
                    .append("subType", "04")))))))
            .append("properties", new Document()
                    .append("ssn", new Document().append("encrypt", new Document()
                            .append("bsonType", "int")
                            .append("algorithm", "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic")))
                    .append("bloodType", new Document().append("encrypt", new Document()
                            .append("bsonType", "string")
                            .append("algorithm", "AEAD_AES_256_CBC_HMAC_SHA_512-Random")))
                    .append("medicalRecords", new Document().append("encrypt", new Document()
                            .append("bsonType", "array")
                            .append("algorithm", "AEAD_AES_256_CBC_HMAC_SHA_512-Random")))
                    .append("insurance", new Document()
                            .append("bsonType", "object")
                            .append("properties",
                                    new Document().append("policyNumber", new Document().append("encrypt", new Document()
                                            .append("bsonType", "int")
                                            .append("algorithm", "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"))))));
    HashMap<String, BsonDocument> schemaMap = new HashMap<String, BsonDocument>();
    schemaMap.put("medicalRecords.patients", BsonDocument.parse(jsonSchema.toJson()));
    ```

    Node.js

    ```javascript
    const { Binary } = require("mongodb");

    const dataKey = "<Your base64 DEK ID>";
    const schema = {
      bsonType: "object",
      encryptMetadata: {
        keyId: [new Binary(Buffer.from(dataKey, "base64"), 4)],
      },
      properties: {
        insurance: {
          bsonType: "object",
          properties: {
            policyNumber: {
              encrypt: {
                bsonType: "int",
                algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
              },
            },
          },
        },
        medicalRecords: {
          encrypt: {
            bsonType: "array",
            algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Random",
          },
        },
        bloodType: {
          encrypt: {
            bsonType: "string",
            algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Random",
          },
        },
        ssn: {
          encrypt: {
            bsonType: "int",
            algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
          },
        },
      },
    };
    var patientSchema = {};
    patientSchema[namespace] = schema;
    ```

    Python

    ```python
    import base64
    from bson.binary import Binary, UUID_SUBTYPE

    dek_id = b"<paste-base-64-encoded-data-encryption-key-id>"
    json_schema = {
        "bsonType": "object",
        "encryptMetadata": {"keyId": [Binary(base64.b64decode(dek_id), UUID_SUBTYPE)]},
        "properties": {
            "insurance": {
                "bsonType": "object",
                "properties": {
                    "policyNumber": {
                        "encrypt": {
                            "bsonType": "int",
                            "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
                        }
                    }
                },
            },
            "medicalRecords": {
                "encrypt": {
                    "bsonType": "array",
                    "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random",
                }
            },
            "bloodType": {
                "encrypt": {
                    "bsonType": "string",
                    "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random",
                }
            },
            "ssn": {
                "encrypt": {
                    "bsonType": "int",
                    "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
                }
            },
        },
    }
    patient_schema = {"medicalRecords.patients": json_schema}
    ```
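    The schema above is the part of the configuration that decides which fields are protected and how, and a wrong DEK id or a deterministic algorithm on an unsupported type only surfaces as a driver error at runtime. The following added example (not MongoDB driver code) builds the same schema map from a compact field specification, emitting the `$binary`/`subType "04"` form the Go and Java snippets use, validates the DEK id and algorithm choices up front, and lists the dotted paths that end up encrypted so you can compare them with what you intended. The DEK id it uses is constructed, not one issued by a key vault.

    ```python
    """Build and sanity-check the CSFLE schema map from this guide.

    Added example, not MongoDB driver code. It emits the automatic-encryption
    schema the guide configures for medicalRecords.patients in extended-JSON
    form ($binary with subType "04"), and rejects inputs that would otherwise
    only fail inside the driver at runtime. The sample DEK id is constructed.
    """
    import base64
    import json
    import uuid

    DETERMINISTIC = "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
    RANDOM = "AEAD_AES_256_CBC_HMAC_SHA_512-Random"
    # Deterministic encryption is for single values compared by equality;
    # the driver rejects it for these BSON types.
    NOT_DETERMINISTIC_TYPES = {"array", "object", "double", "decimal", "bool"}


    def validate_dek_id(dek_id_b64):
        """Return the UUID behind a base64 DEK id, or raise ValueError."""
        try:
            raw = base64.b64decode(dek_id_b64, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"DEK id is not valid base64: {exc}") from exc
        if len(raw) != 16:
            raise ValueError(f"DEK id decodes to {len(raw)} bytes, expected 16 (a UUID)")
        return uuid.UUID(bytes=raw)


    def encrypt_spec(bson_type, algorithm):
        """The {"encrypt": {...}} leaf for one field."""
        if algorithm not in (DETERMINISTIC, RANDOM):
            raise ValueError(f"unknown algorithm {algorithm!r}")
        if algorithm == DETERMINISTIC and bson_type in NOT_DETERMINISTIC_TYPES:
            raise ValueError(f"{bson_type} cannot be encrypted deterministically; use {RANDOM}")
        return {"encrypt": {"bsonType": bson_type, "algorithm": algorithm}}


    def build_properties(spec):
        """spec maps field name -> (bsonType, algorithm), or -> a nested spec for a sub-document."""
        props = {}
        for name, value in spec.items():
            if isinstance(value, dict):
                # The container itself stays readable; only listed sub-fields are encrypted.
                props[name] = {"bsonType": "object", "properties": build_properties(value)}
            else:
                bson_type, algorithm = value
                props[name] = encrypt_spec(bson_type, algorithm)
        return props


    def build_schema_map(namespace, dek_id_b64, spec):
        """Schema map keyed by "<db>.<collection>", as passed to the autoEncryption options."""
        validate_dek_id(dek_id_b64)
        schema = {
            "bsonType": "object",
            "encryptMetadata": {"keyId": [{"$binary": {"base64": dek_id_b64, "subType": "04"}}]},
            "properties": build_properties(spec),
        }
        return {namespace: schema}


    def encrypted_paths(schema, prefix=""):
        """Dotted paths the schema marks for encryption; diff this against what you expect."""
        paths = []
        for name, sub in schema.get("properties", {}).items():
            if "encrypt" in sub:
                paths.append(prefix + name)
            else:
                paths.extend(encrypted_paths(sub, prefix + name + "."))
        return sorted(paths)


    # The guide's patient schema as a spec (field names and algorithms are the guide's).
    PATIENT_SPEC = {
        "ssn": ("int", DETERMINISTIC),  # queried by equality, so deterministic
        "bloodType": ("string", RANDOM),
        "medicalRecords": ("array", RANDOM),
        "insurance": {"policyNumber": ("int", DETERMINISTIC)},
    }
    # Constructed 16-byte id; a real one comes from the "Generate your data encryption key" step.
    SAMPLE_DEK_ID = base64.b64encode(bytes(range(16))).decode()

    if __name__ == "__main__":
        schema_map = build_schema_map("medicalRecords.patients", SAMPLE_DEK_ID, PATIENT_SPEC)
        print(json.dumps(schema_map, indent=2))
        print("encrypted:", encrypted_paths(schema_map["medicalRecords.patients"]))
    ```

    The printed document is what you would pass as `schemaMap`; `encrypted_paths` is the list to keep next to your data-classification notes, since a field missing from it is stored in plaintext regardless of what the application believes.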
  4. Specify the location of the Automatic Encryption Shared Library

    C#

    ```csharp
    var mongoBinariesPath = "<Full path to your Automatic Encryption Shared Library>";
    var extraOptions = new Dictionary<string, object>()
    {
        { "cryptSharedLibPath", mongoBinariesPath },
    };
    ```

    Go

    ```go
    extraOptions := map[string]interface{}{
    	"cryptSharedLibPath": "<Full path to your Automatic Encryption Shared Library>",
    }
    ```

    Java

    ```java
    Map<String, Object> extraOptions = new HashMap<String, Object>();
    extraOptions.put("cryptSharedLibPath", "<Full path to your Automatic Encryption Shared Library>");
    ```

    Node.js

    ```javascript
    const extraOptions = {
      cryptSharedLibPath: "<Full path to your Automatic Encryption Shared Library>",
    };
    ```

    Python

    ```python
    extra_options = {
        "cryptSharedLibPath": "<Full path to your Automatic Encryption Shared Library>"
    }
    ```

    To learn more about the Automatic Encryption Shared Library, see the Install and Configure a CSFLE Query Analysis Component page.

  5. Create the MongoClient

    Instantiate a MongoDB client object with the following automatic encryption settings, which use the variables declared in the previous steps:

    C# (.NET/C# Driver v3.0 or later)

    ```csharp
    MongoClientSettings.Extensions.AddAutoEncryption(); // .NET/C# Driver v3.0 or later only
    var clientSettings = MongoClientSettings.FromConnectionString(connectionString);
    var autoEncryptionOptions = new AutoEncryptionOptions(
        keyVaultNamespace: keyVaultNamespace,
        kmsProviders: kmsProviders,
        schemaMap: schemaMap,
        extraOptions: extraOptions
    );
    clientSettings.AutoEncryptionOptions = autoEncryptionOptions;
    var secureClient = new MongoClient(clientSettings);
    ```

    C# (.NET/C# Driver earlier than v3.0)

    ```csharp
    var clientSettings = MongoClientSettings.FromConnectionString(connectionString);
    var autoEncryptionOptions = new AutoEncryptionOptions(
        keyVaultNamespace: keyVaultNamespace,
        kmsProviders: kmsProviders,
        schemaMap: schemaMap,
        extraOptions: extraOptions
    );
    clientSettings.AutoEncryptionOptions = autoEncryptionOptions;
    var secureClient = new MongoClient(clientSettings);
    ```

    Go

    ```go
    autoEncryptionOpts := options.AutoEncryption().
    	SetKmsProviders(kmsProviders).
    	SetKeyVaultNamespace(keyVaultNamespace).
    	SetSchemaMap(schemaMap).
    	SetExtraOptions(extraOptions)
    secureClient, err := mongo.Connect(context.TODO(), options.Client().ApplyURI(uri).SetAutoEncryptionOptions(autoEncryptionOpts))
    if err != nil {
    	return fmt.Errorf("Connect error for encrypted client: %v", err)
    }
    defer func() {
    	_ = secureClient.Disconnect(context.TODO())
    }()
    ```

    Java

    ```java
    MongoClientSettings clientSettings = MongoClientSettings.builder()
            .applyConnectionString(new ConnectionString(connectionString))
            .autoEncryptionSettings(AutoEncryptionSettings.builder()
                    .keyVaultNamespace(keyVaultNamespace)
                    .kmsProviders(kmsProviders)
                    .schemaMap(schemaMap)
                    .extraOptions(extraOptions)
                    .build())
            .build();
    MongoClient mongoClientSecure = MongoClients.create(clientSettings);
    ```

    Node.js

    ```javascript
    const secureClient = new MongoClient(connectionString, {
      autoEncryption: {
        keyVaultNamespace,
        kmsProviders,
        schemaMap: patientSchema,
        extraOptions: extraOptions,
      },
    });
    ```

    Python

    ```python
    from pymongo import MongoClient
    from pymongo.encryption_options import AutoEncryptionOpts

    fle_opts = AutoEncryptionOpts(
        kms_providers, key_vault_namespace, schema_map=patient_schema, **extra_options
    )
    secureClient = MongoClient(connection_string, auto_encryption_opts=fle_opts)
    ```

Use your CSFLE-enabled MongoClient instance to insert a document with encrypted fields into the medicalRecords.patients namespace using the following code snippet:

C#

```csharp
var sampleDocFields = new BsonDocument
{
    { "name", "Jon Doe" },
    { "ssn", 145014000 },
    { "bloodType", "AB-" },
    {
        "medicalRecords", new BsonArray
        {
            new BsonDocument("weight", 180),
            new BsonDocument("bloodPressure", "120/80")
        }
    },
    {
        "insurance", new BsonDocument
        {
            { "policyNumber", 123142 },
            { "provider", "MaestCare" }
        }
    }
};
// Construct an auto-encrypting client
var secureCollection = secureClient.GetDatabase(db).GetCollection<BsonDocument>(coll);
// Insert a document into the collection
secureCollection.InsertOne(sampleDocFields);
```

Go

```go
test_patient := map[string]interface{}{
	"name":      "Jon Doe",
	"ssn":       241014209,
	"bloodType": "AB+",
	"medicalRecords": []map[string]interface{}{{
		"weight":        180,
		"bloodPressure": "120/80",
	}},
	"insurance": map[string]interface{}{
		"provider":     "MaestCare",
		"policyNumber": 123142,
	},
}
if _, err := secureClient.Database(dbName).Collection(collName).InsertOne(context.TODO(), test_patient); err != nil {
	return fmt.Errorf("InsertOne error: %v", err)
}
```


In Go, you can pass a struct with bson tags directly to the driver for encoding instead of building a raw BSON document.

Java

```java
ArrayList<Document> medicalRecords = new ArrayList<>();
medicalRecords.add(new Document().append("weight", "180"));
medicalRecords.add(new Document().append("bloodPressure", "120/80"));
Document insurance = new Document()
        .append("policyNumber", 123142)
        .append("provider", "MaestCare");
Document patient = new Document()
        .append("name", "Jon Doe")
        .append("ssn", 241014209)
        .append("bloodType", "AB+")
        .append("medicalRecords", medicalRecords)
        .append("insurance", insurance);
try {
    InsertOneResult result = mongoClientSecure.getDatabase(recordsDb).getCollection(recordsColl).insertOne(patient);
    System.out.println("Inserted document with id: " + result.getInsertedId());
} catch (MongoException me) {
    System.err.println("Unable to insert document: " + me);
}
```

Node.js

```javascript
try {
  const writeResult = await secureClient
    .db(db)
    .collection(coll)
    .insertOne({
      name: "Jon Doe",
      ssn: 241014209,
      bloodType: "AB+",
      medicalRecords: [{ weight: 180, bloodPressure: "120/80" }],
      insurance: {
        policyNumber: 123142,
        provider: "MaestCare",
      },
    });
} catch (writeError) {
  console.error("writeError occurred:", writeError);
}
```

Python

```python
def insert_patient(
    collection, name, ssn, blood_type, medical_records, policy_number, provider
):
    insurance = {"policyNumber": policy_number, "provider": provider}
    doc = {
        "name": name,
        "ssn": ssn,
        "bloodType": blood_type,
        "medicalRecords": medical_records,
        "insurance": insurance,
    }
    collection.insert_one(doc)


medical_record = [{"weight": 180, "bloodPressure": "120/80"}]
insert_patient(
    secureClient.medicalRecords.patients,
    "Jon Doe",
    241014209,
    "AB+",
    medical_record,
    123142,
    "MaestCare",
)
```

When you insert the document, your CSFLE-enabled client encrypts the document's fields so that the stored document resembles the following:

```json
{
  "_id": { "$oid": "<_id of your document>" },
  "name": "Jon Doe",
  "ssn": {
    "$binary": "<cipher-text>",
    "$type": "6"
  },
  "bloodType": {
    "$binary": "<cipher-text>",
    "$type": "6"
  },
  "medicalRecords": {
    "$binary": "<cipher-text>",
    "$type": "6"
  },
  "insurance": {
    "provider": "MaestCare",
    "policyNumber": {
      "$binary": "<cipher-text>",
      "$type": "6"
    }
  }
}
```
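The stored document above is the ground truth for whether CSFLE is actually protecting your data: a field that the schema map was supposed to cover but that a client without automatic encryption can read in clear is a configuration failure, not a crypto failure. The following added example, which is not part of the guide's code, walks a document as read by a non-CSFLE client (extended JSON, in both the legacy `$binary`/`$type` form shown above and the canonical `$binary`/`subType` form), classifies each leaf as ciphertext (BSON binary subtype 6) or plaintext, and reports any field that should have been encrypted but was not. The sample documents and ciphertext bytes are constructed.

```python
"""Check what a non-CSFLE client can read from a stored patient document.

Added example, not part of the guide's code. It walks a document as returned
by a client without automatic encryption and reports which fields are
ciphertext (BSON binary subtype 6) and which are plaintext, so you can assert
before go-live that every field the schema marks for encryption is encrypted
at rest. The sample documents and their ciphertext bytes are constructed.
"""
import json


def is_ciphertext(value):
    """True for a BSON binary of subtype 6, which is what CSFLE stores.

    Handles the legacy form {"$binary": "<b64>", "$type": "6"} used in the
    guide's output and the canonical {"$binary": {"base64": ..., "subType": "06"}}.
    """
    if not isinstance(value, dict) or "$binary" not in value:
        return False
    binary = value["$binary"]
    subtype = binary.get("subType", "") if isinstance(binary, dict) else value.get("$type", "")
    return str(subtype).lower() in ("6", "06")


def classify_fields(doc, prefix=""):
    """Map each leaf path (dotted) to "encrypted" or "plaintext"."""
    out = {}
    for name, value in doc.items():
        path = prefix + name
        if is_ciphertext(value):
            out[path] = "encrypted"
        elif isinstance(value, dict) and not any(k.startswith("$") for k in value):
            out.update(classify_fields(value, path + "."))  # ordinary sub-document
        else:
            out[path] = "plaintext"  # scalars, arrays, and other $-typed values
    return out


def leaked_fields(doc, expected_encrypted):
    """Paths that should be ciphertext but that a non-CSFLE client can read."""
    found = classify_fields(doc)
    return sorted(p for p in expected_encrypted if found.get(p) != "encrypted")


# The fields the guide's schema marks for encryption.
EXPECTED_ENCRYPTED = ["ssn", "bloodType", "medicalRecords", "insurance.policyNumber"]
CT = "AQIDBAUGBwgJCgsMDQ4PEA=="  # constructed stand-in for ciphertext bytes

# Shape of the guide's stored document as a regular client sees it (values constructed).
STORED_PATIENT = {
    "_id": {"$oid": "629a452e0861b3130887103a"},
    "name": "Jon Doe",
    "ssn": {"$binary": CT, "$type": "6"},
    "bloodType": {"$binary": CT, "$type": "6"},
    "medicalRecords": {"$binary": {"base64": CT, "subType": "06"}},
    "insurance": {"provider": "MaestCare", "policyNumber": {"$binary": CT, "$type": "6"}},
}

# The same document if it had been inserted by a client without CSFLE enabled (constructed).
PLAINTEXT_PATIENT = {
    "_id": {"$oid": "629a452e0861b3130887103b"},
    "name": "Jon Doe",
    "ssn": 241014209,
    "bloodType": "AB+",
    "medicalRecords": [{"weight": 180, "bloodPressure": "120/80"}],
    "insurance": {"policyNumber": 123142, "provider": "MaestCare"},
}

if __name__ == "__main__":
    for label, doc in (("stored", STORED_PATIENT), ("plaintext insert", PLAINTEXT_PATIENT)):
        print(label, json.dumps(classify_fields(doc), indent=2))
        print(label, "leaked:", leaked_fields(doc, EXPECTED_ENCRYPTED))
```

Feed it the output of a `find` issued through a client that has no `autoEncryption` configured (exported as extended JSON); an empty `leaked_fields` result is the condition to check in a deployment test, and a non-empty one usually means a client somewhere wrote to the collection without the schema map.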



To view the complete code for inserting a document with encrypted fields, see our GitHub repository.

To show what CSFLE does, the following code snippet queries for the document with a client configured for automatic CSFLE and with a client that is not configured for automatic CSFLE.

C#

```csharp
Console.WriteLine("Finding a document with regular (non-encrypted) client.");
var filter = Builders<BsonDocument>.Filter.Eq("name", "Jon Doe");
var regularResult = regularCollection.Find(filter).Limit(1).ToList()[0];
Console.WriteLine($"\n{regularResult}\n");
Console.WriteLine("Finding a document with encrypted client");
var ssnFilter = Builders<BsonDocument>.Filter.Eq("name", "Jon Doe");
var secureResult = secureCollection.Find(ssnFilter).Limit(1).First();
Console.WriteLine($"\n{secureResult}\n");
```

Go

```go
fmt.Println("Finding a document with regular (non-encrypted) client.")
var resultRegular bson.M
err = regularClient.Database(dbName).Collection(collName).FindOne(context.TODO(), bson.D{{"name", "Jon Doe"}}).Decode(&resultRegular)
if err != nil {
	return fmt.Errorf("FindOne error for regular client: %v", err)
}
outputRegular, err := json.MarshalIndent(resultRegular, "", " ")
if err != nil {
	return fmt.Errorf("MarshalIndent error: %v", err)
}
fmt.Printf("%s\n", outputRegular)
fmt.Println("Finding a document with encrypted client")
var resultSecure bson.M
err = secureClient.Database(dbName).Collection(collName).FindOne(context.TODO(), bson.D{{"name", "Jon Doe"}}).Decode(&resultSecure)
if err != nil {
	return fmt.Errorf("FindOne error for encrypted client: %v", err)
}
outputSecure, err := json.MarshalIndent(resultSecure, "", " ")
if err != nil {
	return fmt.Errorf("MarshalIndent error: %v", err)
}
fmt.Printf("%s\n", outputSecure)
```

Java

```java
System.out.println("Finding a document with regular (non-encrypted) client.");
Document docRegular = mongoClientRegular.getDatabase(recordsDb).getCollection(recordsColl).find(eq("name", "Jon Doe")).first();
System.out.println(docRegular.toJson());
System.out.println("Finding a document with encrypted client");
Document docSecure = mongoClientSecure.getDatabase(recordsDb).getCollection(recordsColl).find(eq("name", "Jon Doe")).first();
System.out.println(docSecure.toJson());
```

Node.js

```javascript
console.log("Finding a document with regular (non-encrypted) client.");
console.log(await regularClient.db(db).collection(coll).findOne({ name: /Jon/ }));
console.log("Finding a document with encrypted client");
console.log(await secureClient.db(db).collection(coll).findOne({ name: /Jon/ }));
```

Python

```python
import pprint

print("Finding a document with regular (non-encrypted) client.")
result = regularClient.medicalRecords.patients.find_one({"name": "Jon Doe"})
pprint.pprint(result)
print("Finding a document with encrypted client")
pprint.pprint(secureClient.medicalRecords.patients.find_one({"name": "Jon Doe"}))
```

The output of the preceding code snippet should look like this:


```
Finding a document with regular (non-encrypted) client.
{
  _id: new ObjectId("629a452e0861b3130887103a"),
  name: 'Jon Doe',
  ssn: new Binary(Buffer.from("0217482732d8014cdd9ffdd6e2966e5e7910c20697e5f4fa95710aafc9153f0a3dc769c8a132a604b468732ff1f4d8349ded3244b59cbfb41444a210f28b21ea1b6c737508d9d30e8baa30c1d8070c4d5e26", "hex"), 6),
  bloodType: new Binary(Buffer.from("0217482732d8014cdd9ffdd6e2966e5e79022e238536dfd8caadb4d7751ac940e0f195addd7e5c67b61022d02faa90283ab69e02303c7e4001d1996128428bf037dea8bbf59fbb20c583cbcff2bf3e2519b4", "hex"), 6),
  'key-id': 'demo-data-key',
  medicalRecords: new Binary(Buffer.from("0217482732d8014cdd9ffdd6e2966e5e790405163a3207cff175455106f57eef14e5610c49a99bcbd14a7db9c5284e45e3ee30c149354015f941440bf54725d6492fb3b8704bc7c411cff6c868e4e13c58233c3d5ed9593eca4e4d027d76d3705b6d1f3b3c9e2ceee195fd944b553eb27eee69e5e67c338f146f8445995664980bf0", "hex"), 6),
  insurance: {
    policyNumber: new Binary(Buffer.from("0217482732d8014cdd9ffdd6e2966e5e79108decd85c05be3fec099e015f9d26d9234605dc959cc1a19b63072f7ffda99db38c7b487de0572a03b2139ac3ee163bcc40c8508f366ce92a5dd36e38b3c742f7", "hex"), 6),
    provider: 'MaestCare'
  }
}
Finding a document with encrypted client
{
  _id: new ObjectId("629a452e0861b3130887103a"),
  name: 'Jon Doe',
  ssn: 241014209,
  bloodType: 'AB+',
  'key-id': 'demo-data-key',
  medicalRecords: [ { weight: 180, bloodPressure: '120/80' } ],
  insurance: { policyNumber: 123142, provider: 'MaestCare' }
}
```



To view the complete code for finding a document with encrypted fields, see our GitHub repository.

To learn how CSFLE works, see Fundamentals.


