快速入门
在此页面上
Overview
This guide shows you how to build an application that implements the MongoDB Queryable Encryption feature to automatically encrypt and decrypt document fields.
Select your driver language in the dropdown menu on the right to learn how to create an application that automatically encrypts and decrypts document fields.
重要
请勿在生产环境中使用此示例应用程序
本教程中的操作说明包括在不安全的环境中存储加密密钥,因此您不应在生产环境中使用此应用程序的未修改版本。在生产环境中使用此应用程序存在以下风险:未经授权访问加密密钥或丢失解密数据所需的密钥。本教程旨在演示如何使用 Queryable Encryption,而无需设置密钥管理系统。
您可以使用密钥管理系统将加密密钥安全地存储在生产环境中。 KMS是一种远程服务,可安全地存储和管理加密密钥。 要学习;了解如何设立使用KMS且启用了Queryable Encryption的应用程序,请参阅Queryable Encryption教程。
开始之前
要完成并运行本指南中的代码,您需要设置开发环境,如“安装 Queryable Encryption 兼容驱动程序”页面中所示。
完整应用程序代码
要查看示例应用程序的完整代码,请在语言选择器中选择您的编程语言。
步骤
Assign Your Application Variables
The code samples in this tutorial use the following variables to perform the Queryable Encryption workflow:
kmsProviderName - The KMS you're using to store your Customer Master Key. Set this variable to
"local"for this tutorial.uri - Your MongoDB deployment connection URI. Set your connection URI in the
MONGODB_URIenvironment variable or replace the value directly.keyVaultDatabaseName - The database in MongoDB where your data encryption keys (DEKs) will be stored. Set this variable to
"encryption".keyVaultCollectionName - The collection in MongoDB where your DEKs will be stored. Set this variable to
"__keyVault", which is the convention to help prevent mistaking it for a user collection.keyVaultNamespace - The namespace in MongoDB where your DEKs will be stored. Set this variable to the values of the
keyVaultDatabaseNameandkeyVaultCollectionNamevariables, separated by a period.encryptedDatabaseName - The database in MongoDB where your encrypted data will be stored. Set this variable to
"medicalRecords".encryptedCollectionName - The collection in MongoDB where your encrypted data will be stored. Set this variable to
"patients".
You can declare these variables by using the following code:
// KMS provider name should be one of the following: "aws", "gcp", "azure", "kmip" or "local" const kmsProviderName = "<Your KMS Provider Name>"; const uri = process.env.MONGODB_URI; // Your connection URI const keyVaultDatabaseName = "encryption"; const keyVaultCollectionName = "__keyVault"; const keyVaultNamespace = `${keyVaultDatabaseName}.${keyVaultCollectionName}`; const encryptedDatabaseName = "medicalRecords"; const encryptedCollectionName = "patients";
kmsProviderName - The KMS you're using to store your Customer Master Key. Set this value to
"local"for this tutorial.keyVaultDatabaseName - The database in MongoDB where your data encryption keys (DEKs) will be stored. Set the value of
keyVaultDatabaseNameto"encryption".keyVaultCollectionName - The collection in MongoDB where your DEKs will be stored. Set this variable to
"__keyVault", which is the convention to help prevent mistaking it for a user collection.keyVaultNamespace - The namespace in MongoDB where your DEKs will be stored. Set
keyVaultNamespaceto a newCollectionNamespaceobject whose name is the values of thekeyVaultDatabaseNameandkeyVaultCollectionNamevariables, separated by a period.encryptedDatabaseName - The database in MongoDB where your encrypted data will be stored. Set the value of
encryptedDatabaseNameto"medicalRecords".encryptedCollectionName - The collection in MongoDB where your encrypted data will be stored. Set the value of
encryptedCollectionNameto"patients".uri - Your MongoDB deployment connection URI. Set your connection URI in the
appsettings.jsonfile or replace the value directly.
You can declare these variables by using the following code:
// KMS provider name should be one of the following: "aws", "gcp", "azure", "kmip" or "local" const string kmsProviderName = "<your KMS provider name>"; const string keyVaultDatabaseName = "encryption"; const string keyVaultCollectionName = "__keyVault"; var keyVaultNamespace = CollectionNamespace.FromFullName($"{keyVaultDatabaseName}.{keyVaultCollectionName}"); const string encryptedDatabaseName = "medicalRecords"; const string encryptedCollectionName = "patients"; var appSettings = new ConfigurationBuilder().AddJsonFile("appsettings.json").Build(); var uri = appSettings["MongoDbUri"];
kmsProviderName - The KMS you're using to store your Customer Master Key. Set this variable to
"local"for this tutorial.uri - Your MongoDB deployment connection URI. Set your connection URI in the
MONGODB_URIenvironment variable or replace the value directly.keyVaultDatabaseName - The database in MongoDB where your data encryption keys (DEKs) will be stored. Set this variable to
"encryption".keyVaultCollectionName - The collection in MongoDB where your DEKs will be stored. Set this variable to
"__keyVault", which is the convention to help prevent mistaking it for a user collection.keyVaultNamespace - The namespace in MongoDB where your DEKs will be stored. Set this variable to the values of the
keyVaultDatabaseNameandkeyVaultCollectionNamevariables, separated by a period.encryptedDatabaseName - The database in MongoDB where your encrypted data will be stored. Set this variable to
"medicalRecords".encryptedCollectionName - The collection in MongoDB where your encrypted data will be stored. Set this variable to
"patients".
You can declare these variables by using the following code:
// KMS provider name should be one of the following: "aws", "gcp", "azure", "kmip" or "local" kmsProviderName := "<KMS provider name>" uri := os.Getenv("MONGODB_URI") // Your connection URI keyVaultDatabaseName := "encryption" keyVaultCollectionName := "__keyVault" keyVaultNamespace := keyVaultDatabaseName + "." + keyVaultCollectionName encryptedDatabaseName := "medicalRecords" encryptedCollectionName := "patients"
kmsProviderName - The KMS you're using to store your Customer Master Key. Set this variable to
"local"for this tutorial.uri - Your MongoDB deployment connection URI. Set your connection URI in the
MONGODB_URIenvironment variable or replace the value directly.keyVaultDatabaseName - The database in MongoDB where your data encryption keys (DEKs) will be stored. Set this variable to
"encryption".keyVaultCollectionName - The collection in MongoDB where your DEKs will be stored. Set this variable to
"__keyVault", which is the convention to help prevent mistaking it for a user collection.keyVaultNamespace - The namespace in MongoDB where your DEKs will be stored. Set this variable to the values of the
keyVaultDatabaseNameandkeyVaultCollectionNamevariables, separated by a period.encryptedDatabaseName - The database in MongoDB where your encrypted data will be stored. Set this variable to
"medicalRecords".encryptedCollectionName - The collection in MongoDB where your encrypted data will be stored. Set this variable to
"patients".
You can declare these variables by using the following code:
// KMS provider name should be one of the following: "aws", "gcp", "azure", "kmip" or "local" String kmsProviderName = "<KMS provider name>"; String uri = QueryableEncryptionHelpers.getEnv("MONGODB_URI"); // Your connection URI String keyVaultDatabaseName = "encryption"; String keyVaultCollectionName = "__keyVault"; String keyVaultNamespace = keyVaultDatabaseName + "." + keyVaultCollectionName; String encryptedDatabaseName = "medicalRecords"; String encryptedCollectionName = "patients";
kmsProviderName - The KMS you're using to store your Customer Master Key. Set this variable to
"local"for this tutorial.uri - Your MongoDB deployment connection URI. Set your connection URI in the
MONGODB_URIenvironment variable or replace the value directly.keyVaultDatabaseName - The database in MongoDB where your data encryption keys (DEKs) will be stored. Set this variable to
"encryption".keyVaultCollectionName - The collection in MongoDB where your DEKs will be stored. Set this variable to
"__keyVault", which is the convention to help prevent mistaking it for a user collection.keyVaultNamespace - The namespace in MongoDB where your DEKs will be stored. Set this variable to the values of the
keyVaultDatabaseNameandkeyVaultCollectionNamevariables, separated by a period.encryptedDatabaseName - The database in MongoDB where your encrypted data will be stored. Set this variable to
"medicalRecords".encryptedCollectionName - The collection in MongoDB where your encrypted data will be stored. Set this variable to
"patients".
You can declare these variables by using the following code:
// KMS provider name should be one of the following: "aws", "gcp", "azure", "kmip" or "local" const kmsProviderName = "<Your KMS Provider Name>"; const uri = process.env.MONGODB_URI; // Your connection URI const keyVaultDatabaseName = "encryption"; const keyVaultCollectionName = "__keyVault"; const keyVaultNamespace = `${keyVaultDatabaseName}.${keyVaultCollectionName}`; const encryptedDatabaseName = "medicalRecords"; const encryptedCollectionName = "patients";
kms_provider_name - The KMS you're using to store your Customer Master Key. Set this variable to
"local"for this tutorial.uri - Your MongoDB deployment connection URI. Set your connection URI in the
MONGODB_URIenvironment variable or replace the value directly.key_vault_database_name - The database in MongoDB where your data encryption keys (DEKs) will be stored. Set this variable to
"encryption".key_vault_collection_name - The collection in MongoDB where your DEKs will be stored. Set this variable to
"__keyVault", which is the convention to help prevent mistaking it for a user collection.key_vault_namespace - The namespace in MongoDB where your DEKs will be stored. Set this variable to the values of the
key_vault_database_nameandkey_vault_collection_namevariables, separated by a period.encrypted_database_name - The database in MongoDB where your encrypted data will be stored. Set this variable to
"medicalRecords".encrypted_collection_name - The collection in MongoDB where your encrypted data will be stored. Set this variable to
"patients".
You can declare these variables by using the following code:
# KMS provider name should be one of the following: "aws", "gcp", "azure", "kmip" or "local" kms_provider_name = "<KMS provider name>" uri = os.environ['MONGODB_URI'] # Your connection URI key_vault_database_name = "encryption" key_vault_collection_name = "__keyVault" key_vault_namespace = f"{key_vault_database_name}.{key_vault_collection_name}" encrypted_database_name = "medicalRecords" encrypted_collection_name = "patients"
重要
密钥保管库集合命名空间权限
要完成本教程,您的应用程序用于连接到 MongoDB 的数据库用户必须具有对以下命名空间的dbAdmin权限:
encryption.__keyVaultmedicalRecordsdatabase
提示
环境变量
The sample code in this tutorial references environment variables that you need to set. Alternatively, you can replace the values directly in the code.
To learn how you can setup these environment variables, see the README.md file included in the sample application on GitHub.
提示
环境变量
The sample code in this tutorial references environment variables that you need to set. Alternatively, you can replace the values directly in the code.
To learn how you can setup these environment variables, see the README.md file included in the sample application on GitHub.
提示
环境变量
The sample code in this tutorial references environment variables that you need to set. Alternatively, you can replace the values directly in the code.
To learn how you can setup these environment variables, see the README.md file included in the sample application on GitHub.
提示
环境变量
The sample code in this tutorial references environment variables that you need to set. Alternatively, you can replace the values directly in the code.
To learn how you can setup these environment variables, see the README.md file included in the sample application on GitHub.
提示
环境变量
The sample code in this tutorial references environment variables that you need to set. Alternatively, you can replace the values directly in the code.
To learn how you can setup these environment variables, see the README.md file included in the sample application on GitHub.
提示
环境变量
The sample code in this tutorial references environment variables that you need to set. Alternatively, you can replace the values directly in the code.
To learn how you can setup these environment variables, see the README.md file included in the sample application on GitHub.
Create your Encrypted Collection
创建客户主密钥
您必须创建客户主密钥 (CMK) 才能执行 Queryable Encryption。
Create a 96-byte Customer Master Key and save it to your filesystem as the file
customer-master-key.txt:customerMasterKeyPath = "customer-master-key.txt"; if (!fs.existsSync(customerMasterKeyPath)) { fs.writeFileSync(customerMasterKeyPath, crypto.randomBytes(96)); } using var randomNumberGenerator = RandomNumberGenerator.Create(); try { var bytes = new byte[96]; randomNumberGenerator.GetBytes(bytes); var localCustomerMasterKeyBase64 = Convert.ToBase64String(bytes); File.WriteAllText("customer-master-key.txt", localCustomerMasterKeyBase64); } catch (Exception e) { throw new Exception("Unable to write Customer Master Key file due to the following error: " + e.Message); } key := make([]byte, 96) if _, err := rand.Read(key); err != nil { panic(fmt.Sprintf("Unable to create a random 96 byte data key: %v\n", err)) } if err := os.WriteFile("customer-master-key.txt", key, 0644); err != nil { panic(fmt.Sprintf("Unable to write key to file: %v\n", err)) } byte[] localCustomerMasterKey = new byte[96]; new SecureRandom().nextBytes(localCustomerMasterKey); try (FileOutputStream stream = new FileOutputStream("customer-master-key.txt")) { stream.write(localCustomerMasterKey); // ... if (!existsSync("./customer-master-key.txt")) { try { writeFileSync("customer-master-key.txt", randomBytes(96)); } catch (err) { throw new Error( `Unable to write Customer Master Key to file due to the following error: ${err}` ); } } path = "customer-master-key.txt" file_bytes = os.urandom(96) with open(path, "wb") as f: f.write(file_bytes) 警告
保护生产环境中的本地密钥文件
提示
从命令行生成 CMK
使用以下命令从 Unix Shell 或 PowerShell 生成 CMK :
Unix/macOS Shell:
echo $(head -c 96 /dev/urandom | base64 | tr -d '\n') PowerShell:
$r=[byte[]]::new(64);$g=[System.Security.Cryptography.RandomNumberGenerator]::Create();$g.GetBytes($r);[Convert]::ToBase64String($r)
将上述命令的输出保存到名为
customer-master-key.txt的文件中。Retrieve the Customer Master Key and Specify KMS Provider Settings
检索您在本指南的创建客户主密钥步骤中生成的客户主密钥文件的内容。
Use the CMK value in your KMS provider settings. The client uses these settings to discover the CMK. Set the provider name to
localto indicate that you are using a Local Key Provider.// WARNING: Do not use a local key file in a production application const localMasterKey = fs.readFileSync("./customer-master-key.txt"); if (localMasterKey.length !== 96) { throw new Error( "Expected the customer master key file to be 96 bytes." ); } kmsProviderCredentials = { local: { key: localMasterKey, }, }; // WARNING: Do not use a local key file in a production application var kmsProviderCredentials = new Dictionary<string, IReadOnlyDictionary<string, object>>(); try { var localCustomerMasterKeyBase64 = File.ReadAllText("customer-master-key.txt"); var localCustomerMasterKeyBytes = Convert.FromBase64String(localCustomerMasterKeyBase64); if (localCustomerMasterKeyBytes.Length != 96) { throw new Exception("Expected the customer master key file to be 96 bytes."); } var localOptions = new Dictionary<string, object> { { "key", localCustomerMasterKeyBytes } }; kmsProviderCredentials.Add("local", localOptions); } key, err := os.ReadFile("customer-master-key.txt") if err != nil { panic(fmt.Sprintf("Could not read the Customer Master Key: %v", err)) } if len(key) != 96 { panic(fmt.Sprintf("Expected the customer master key file to be 96 bytes.")) } kmsProviderCredentials := map[string]map[string]interface{}{"local": {"key": key}} byte[] localCustomerMasterKey = new byte[96]; try (FileInputStream fis = new FileInputStream("customer-master-key.txt")) { if (fis.read(localCustomerMasterKey) != 96) throw new Exception("Expected the customer master key file to be 96 bytes."); } catch (Exception e) { throw new Exception("Unable to read the Customer Master Key due to the following error: " + e.getMessage()); } Map<String, Object> keyMap = new HashMap<String, Object>(); keyMap.put("key", localCustomerMasterKey); Map<String, Map<String, Object>> kmsProviderCredentials = new HashMap<String, Map<String, Object>>(); kmsProviderCredentials.put("local", keyMap); // WARNING: Do not use a local key file in a production application const localMasterKey = readFileSync("./customer-master-key.txt"); if (localMasterKey.length !== 96) { throw new Error( "Expected the customer master key file to be 96 bytes." ); } kmsProviders = { local: { key: localMasterKey, }, }; path = "./customer-master-key.txt" with open(path, "rb") as f: local_master_key = f.read() if len(local_master_key) != 96: raise Exception("Expected the customer master key file to be 96 bytes.") kms_provider_credentials = { "local": { "key": local_master_key }, } Set Your Automatic Encryption Options
Create an
autoEncryptionOptionsobject that contains the following options:The namespace of your Key Vault collection
The
kmsProviderCredentialsobject, defined in the previous step
const autoEncryptionOptions = { keyVaultNamespace: keyVaultNamespace, kmsProviders: kmsProviderCredentials, }; Create an
AutoEncryptionOptionsobject that contains the following options:The namespace of your Key Vault collection
The
kmsProviderCredentialsobject, defined in the previous step- The
extraOptionsobject, which contains the path to - your Automatic Encryption Shared Library
- The
var extraOptions = new Dictionary<string, object> { { "cryptSharedLibPath", _appSettings["CryptSharedLibPath"] } // Path to your Automatic Encryption Shared Library }; var autoEncryptionOptions = new AutoEncryptionOptions( keyVaultNamespace, kmsProviderCredentials, extraOptions: extraOptions); Create an
AutoEncryptionobject that contains the following options:The namespace of your Key Vault collection
The
kmsProviderCredentialsobject, defined in the previous step- The
cryptSharedLibraryPathobject, which contains the path to - your Automatic Encryption Shared Library
- The
cryptSharedLibraryPath := map[string]interface{}{ "cryptSharedLibPath": os.Getenv("SHARED_LIB_PATH"), // Path to your Automatic Encryption Shared Library } autoEncryptionOptions := options.AutoEncryption(). SetKeyVaultNamespace(keyVaultNamespace). SetKmsProviders(kmsProviderCredentials). SetExtraOptions(cryptSharedLibraryPath) Create an
AutoEncryptionSettingsobject that contains the following options:The namespace of your Key Vault collection
The
kmsProviderCredentialsobject, defined in the previous step- The
extraOptionsobject, which contains the path to - your Automatic Encryption Shared Library
- The
Map<String, Object> extraOptions = new HashMap<String, Object>(); extraOptions.put("cryptSharedLibPath", getEnv("SHARED_LIB_PATH")); // Path to your Automatic Encryption Shared Library AutoEncryptionSettings autoEncryptionSettings = AutoEncryptionSettings.builder() .keyVaultNamespace(keyVaultNamespace) .kmsProviders(kmsProviderCredentials) .extraOptions(extraOptions) .build(); Create an
autoEncryptionOptionsobject that contains the following options:The namespace of your Key Vault collection
The
kmsProvidersobject, defined in the previous step- The
sharedLibraryPathOptionsobject, which contains the path to - your Automatic Encryption Shared Library
- The
const extraOptions = { cryptSharedLibPath: process.env.SHARED_LIB_PATH, // Path to your Automatic Encryption Shared Library }; const autoEncryptionOptions = { keyVaultNamespace, kmsProviders, extraOptions, }; Create an
AutoEncryptionOptsobject that contains the following options:The
kms_provider_credentialsobject, defined in the previous stepThe namespace of your Key Vault collection
The path to your Automatic Encryption Shared Library
auto_encryption_options = AutoEncryptionOpts( kms_provider_credentials, key_vault_namespace, crypt_shared_lib_path=os.environ['SHARED_LIB_PATH'] # Path to your Automatic Encryption Shared Library> ) 注意
自动加密选项
自动加密选项向自动加密共享库提供配置信息,这将修改应用程序在访问加密字段时的行为。
To learn more about the Automatic Encryption Shared Library, see the 自动加密共享库 page.
Create a Client to Set Up an Encrypted Collection
To create a client used to encrypt and decrypt data in your collection, instantiate a new
MongoClientby using your connection URI and your automatic encryption options.const encryptedClient = Mongo(uri, autoEncryptionOptions); IMPORTANT: If you are using the .NET/C# Driver version 3.0 or later, you must add the following code to your application before instantiating a new
MongoClient:MongoClientSettings.Extensions.AddAutoEncryption(); // .NET/C# Driver v3.0 or later only Instantiate a new
MongoClientby using your connection URI and automatic encryption options:var clientSettings = MongoClientSettings.FromConnectionString(uri); clientSettings.AutoEncryptionOptions = qeHelpers.GetAutoEncryptionOptions( keyVaultNamespace, kmsProviderCredentials); var encryptedClient = new MongoClient(clientSettings); encryptedClient, err := mongo.Connect( context.TODO(), options.Client().ApplyURI(uri).SetAutoEncryptionOptions(autoEncryptionOptions), ) if err != nil { panic(fmt.Sprintf("Unable to connect to MongoDB: %v\n", err)) } defer func() { _ = encryptedClient.Disconnect(context.TODO()) }() MongoClientSettings clientSettings = MongoClientSettings.builder() .applyConnectionString(new ConnectionString(uri)) .autoEncryptionSettings(autoEncryptionSettings) .build(); try (MongoClient encryptedClient = MongoClients.create(clientSettings)) { const encryptedClient = new MongoClient(uri, { autoEncryption: autoEncryptionOptions, }); encrypted_client = MongoClient( uri, auto_encryption_opts=auto_encryption_options) Specify Fields to Encrypt
To encrypt a field, add it to the encryption schema. To enable queries on a field, add the "queries" property. Create the encryption schema as follows:
const encryptedFieldsMap = { encryptedFields: { fields: [ { path: "patientRecord.ssn", bsonType: "string", queries: { queryType: "equality" }, }, { path: "patientRecord.billing", bsonType: "object", }, ], }, }; var encryptedFields = new BsonDocument { { "fields", new BsonArray { new BsonDocument { { "keyId", BsonNull.Value }, { "path", "patientRecord.ssn" }, { "bsonType", "string" }, { "queries", new BsonDocument("queryType", "equality") } }, new BsonDocument { { "keyId", BsonNull.Value }, { "path", "patientRecord.billing" }, { "bsonType", "object" } } } } }; encryptedFieldsMap := bson.M{ "fields": []bson.M{ bson.M{ "keyId": nil, "path": "patientRecord.ssn", "bsonType": "string", "queries": []bson.M{ { "queryType": "equality", }, }, }, bson.M{ "keyId": nil, "path": "patientRecord.billing", "bsonType": "object", }, }, } BsonDocument encryptedFieldsMap = new BsonDocument().append("fields", new BsonArray(Arrays.asList( new BsonDocument() .append("keyId", new BsonNull()) .append("path", new BsonString("patientRecord.ssn")) .append("bsonType", new BsonString("string")) .append("queries", new BsonDocument() .append("queryType", new BsonString("equality"))), new BsonDocument() .append("keyId", new BsonNull()) .append("path", new BsonString("patientRecord.billing")) .append("bsonType", new BsonString("object"))))); const encryptedFieldsMap = { encryptedFields: { fields: [ { path: "patientRecord.ssn", bsonType: "string", queries: { queryType: "equality" }, }, { path: "patientRecord.billing", bsonType: "object", }, ], }, }; encrypted_fields_map = { "fields": [ { "path": "patientRecord.ssn", "bsonType": "string", "queries": [{"queryType": "equality"}] }, { "path": "patientRecord.billing", "bsonType": "object", } ] } 注意
In the previous code sample, both the "ssn" and "billing" fields are encrypted, but only the "ssn" field can be queried.
Create the Collection
Instantiate
ClientEncryptionto access the API for the encryption helper methods.const clientEncryption = encryptedClient.getClientEncryption(); var clientEncryptionOptions = new ClientEncryptionOptions( keyVaultClient: keyVaultClient, keyVaultNamespace: keyVaultNamespace, kmsProviders: kmsProviderCredentials ); var clientEncryption = new ClientEncryption(clientEncryptionOptions); opts := options.ClientEncryption(). SetKeyVaultNamespace(keyVaultNamespace). SetKmsProviders(kmsProviderCredentials) clientEncryption, err := mongo.NewClientEncryption(encryptedClient, opts) if err != nil { panic(fmt.Sprintf("Unable to create a ClientEncryption instance due to the following error: %s\n", err)) } ClientEncryptionSettings clientEncryptionSettings = ClientEncryptionSettings.builder() .keyVaultMongoClientSettings(MongoClientSettings.builder() .applyConnectionString(new ConnectionString(uri)) .build()) .keyVaultNamespace(keyVaultNamespace) .kmsProviders(kmsProviderCredentials) .build(); ClientEncryption clientEncryption = ClientEncryptions.create(clientEncryptionSettings); const clientEncryption = new ClientEncryption( encryptedClient, autoEncryptionOptions ); client_encryption = ClientEncryption( kms_providers=kms_provider_credentials, key_vault_namespace=key_vault_namespace, key_vault_client=encrypted_client, codec_options=CodecOptions(uuid_representation=STANDARD) ) Because you are using a local Customer Master Key, you don't need to provide Customer Master Key credentials. Create a variable containing an empty object to use in place of credentials when you create your encrypted collection.
customerMasterKeyCredentials = {}; var customerMasterKeyCredentials = new BsonDocument(); cmkCredentials := map[string]string{} BsonDocument customerMasterKeyCredentials = new BsonDocument(); customerMasterKeyCredentials = {}; customer_master_key_credentials = {} Create your encrypted collection by using the encryption helper method accessed through the
ClientEncryptionclass. This method automatically generates data encryption keys for your encrypted fields and creates the encrypted collection:await clientEncryption.createEncryptedCollection( encryptedDatabaseName, encryptedCollectionName, { provider: kmsProviderName, createCollectionOptions: encryptedFieldsMap, masterKey: customerMasterKeyCredentials, } ); The C# version of this tutorial uses separate classes as data models to represent the document structure. Add the following
Patient,PatientRecord, andPatientBillingclasses to your project:using MongoDB.Bson; using MongoDB.Bson.Serialization.Attributes; [] public class Patient { public ObjectId Id { get; set; } public string PatientName { get; set; } public PatientRecord PatientRecord { get; set; } } public class PatientRecord { public string Ssn { get; set; } public PatientBilling Billing { get; set; } public int BillAmount { get; set; } } public class PatientBilling { public string CardType { get; set; } public long CardNumber { get; set; } } After you've added these classes, create your encrypted collection by using the encryption helper method accessed through the
ClientEncryptionclass. This method automatically generates data encryption keys for your encrypted fields and creates the encrypted collection:var createCollectionOptions = new CreateCollectionOptions<Patient> { EncryptedFields = encryptedFields }; clientEncryption.CreateEncryptedCollection(patientDatabase, encryptedCollectionName, createCollectionOptions, kmsProviderName, customerMasterKeyCredentials); The method that creates the encrypted collection requires a reference to a database 对象 rather than the database name. You can obtain this reference by using a method on your client object.
The Golang version of this tutorial uses data models to represent the document structure. Add the following structs to your project to represent the data in your collection:
type PatientDocument struct { PatientName string `bson:"patientName"` PatientID int32 `bson:"patientId"` PatientRecord PatientRecord `bson:"patientRecord"` } type PatientRecord struct { SSN string `bson:"ssn"` Billing PaymentInfo `bson:"billing"` BillAmount int `bson:"billAmount"` } type PaymentInfo struct { Type string `bson:"type"` Number string `bson:"number"` } After you've added these classes, create your encrypted collection by using the encryption helper method accessed through the
ClientEncryptionclass. This method automatically generates data encryption keys for your encrypted fields and creates the encrypted collection:createCollectionOptions := options.CreateCollection().SetEncryptedFields(encryptedFieldsMap) _, _, err = clientEncryption.CreateEncryptedCollection( context.TODO(), encryptedClient.Database(encryptedDatabaseName), encryptedCollectionName, createCollectionOptions, kmsProviderName, customerMasterKey, ) The method that creates the encrypted collection requires a reference to a database 对象 rather than the database name. You can obtain this reference by using a method on your client object.
Create your encrypted collection by using the encryption helper method accessed through the
ClientEncryptionclass. This method automatically generates data encryption keys for your encrypted fields and creates the encrypted collection:CreateCollectionOptions createCollectionOptions = new CreateCollectionOptions().encryptedFields(encryptedFieldsMap); CreateEncryptedCollectionParams encryptedCollectionParams = new CreateEncryptedCollectionParams(kmsProviderName); encryptedCollectionParams.masterKey(customerMasterKeyCredentials); try { clientEncryption.createEncryptedCollection( encryptedClient.getDatabase(encryptedDatabaseName), encryptedCollectionName, createCollectionOptions, encryptedCollectionParams); } The method that creates the encrypted collection requires a reference to a database 对象 rather than the database name. You can obtain this reference by using a method on your client object.
Create your encrypted collection by using the encryption helper method accessed through the
ClientEncryptionclass. This method automatically generates data encryption keys for your encrypted fields and creates the encrypted collection:注意
Import ClientEncryption
使用 Node.js 驱动程序 v6.0 及更高版本时,必须从
mongodb导入ClientEncryption。对于较早的驱动程序版本,请从
mongodb-client-encryption导入ClientEncryption。await clientEncryption.createEncryptedCollection( encryptedDatabase, encryptedCollectionName, { provider: kmsProviderName, createCollectionOptions: encryptedFieldsMap, masterKey: customerMasterKeyCredentials, } ); The method that creates the encrypted collection requires a reference to a database 对象 rather than the database name. You can obtain this reference by using a method on your client object.
Create your encrypted collection by using the encryption helper method accessed through the
ClientEncryptionclass. This method automatically generates data encryption keys for your encrypted fields and creates the encrypted collection:client_encryption.create_encrypted_collection( encrypted_client[encrypted_database_name], encrypted_collection_name, encrypted_fields_map, kms_provider_name, customer_master_key_credentials, ) The method that creates the encrypted collection requires a reference to a database 对象 rather than the database name. You can obtain this reference by using a method on your client object.
插入具有加密字段的文档
Create a sample document that describes a patient's personal information.
Use the encrypted client to insert it into the patients collection,
as shown in the following example:
const patientDocument = { patientName: "Jon Doe", patientId: 12345678, patientRecord: { ssn: "987-65-4320", billing: { type: "Visa", number: "4111111111111111", }, billAmount: 1500, }, }; const encryptedCollection = encryptedClient .getDB(encryptedDatabaseName) .getCollection(encryptedCollectionName); const insertResult = await encryptedCollection.insertOne(patientDocument);
Create a sample document that describes a patient's personal information.
Use the encrypted client to insert it into the patients collection,
as shown in the following example:
var patient = new Patient { PatientName = "Jon Doe", Id = new ObjectId(), PatientRecord = new PatientRecord { Ssn = "987-65-4320", Billing = new PatientBilling { CardType = "Visa", CardNumber = 4111111111111111, }, BillAmount = 1500 } }; var encryptedCollection = encryptedClient.GetDatabase(encryptedDatabaseName). GetCollection<Patient>(encryptedCollectionName); encryptedCollection.InsertOne(patient);
Create a sample document that describes a patient's personal information.
Use the encrypted client to insert it into the patients collection,
as shown in the following example:
patientDocument := &PatientDocument{ PatientName: "Jon Doe", PatientID: 12345678, PatientRecord: PatientRecord{ SSN: "987-65-4320", Billing: PaymentInfo{ Type: "Visa", Number: "4111111111111111", }, BillAmount: 1500, }, } coll := encryptedClient.Database(encryptedDatabaseName).Collection(encryptedCollectionName) _, err = coll.InsertOne(context.TODO(), patientDocument) if err != nil { panic(fmt.Sprintf("Unable to insert the patientDocument: %s", err)) }
This tutorial uses POJOs as data models to represent the document structure. To set up your application to use POJOs, add the following code:
CodecProvider pojoCodecProvider = PojoCodecProvider.builder().automatic(true).build(); CodecRegistry pojoCodecRegistry = fromRegistries(getDefaultCodecRegistry(), fromProviders(pojoCodecProvider));
To learn more about Java POJOs, see the Plain Old Java Object wikipedia article.
This tutorial uses the following POJOs:
PatientPatientRecordPatientBilling
You can view these classes in the models package of the complete Java application.
Add these POJO classes to your application. Then, create an instance
of a Patient that describes a patient's personal information. Use
the encrypted client to insert it into the patients collection,
as shown in the following example:
MongoDatabase encryptedDb = encryptedClient.getDatabase(encryptedDatabaseName).withCodecRegistry(pojoCodecRegistry); MongoCollection<Patient> collection = encryptedDb.getCollection(encryptedCollectionName, Patient.class); PatientBilling patientBilling = new PatientBilling("Visa", "4111111111111111"); PatientRecord patientRecord = new PatientRecord("987-65-4320", patientBilling, 1500); Patient patientDocument = new Patient("Jon Doe", patientRecord); InsertOneResult result = collection.insertOne(patientDocument);
Create a sample document that describes a patient's personal information.
Use the encrypted client to insert it into the patients collection,
as shown in the following example:
const patientDocument = { patientName: "Jon Doe", patientId: 12345678, patientRecord: { ssn: "987-65-4320", billing: { type: "Visa", number: "4111111111111111", }, billAmount: 1500, }, }; const encryptedCollection = encryptedClient .db(encryptedDatabaseName) .collection(encryptedCollectionName); const result = await encryptedCollection.insertOne(patientDocument);
Create a sample document that describes a patient's personal information.
Use the encrypted client to insert it into the patients collection,
as shown in the following example:
patient_document = { "patientName": "Jon Doe", "patientId": 12345678, "patientRecord": { "ssn": "987-65-4320", "billing": { "type": "Visa", "number": "4111111111111111", }, "billAmount": 1500, }, } encrypted_collection = encrypted_client[encrypted_database_name][encrypted_collection_name] result = encrypted_collection.insert_one(patient_document)
Query on an Encrypted Field
The following code sample executes a find query on an encrypted field and prints the decrypted data:
const findResult = await encryptedCollection.findOne({ "patientRecord.ssn": "987-65-4320", }); console.log(findResult);
var ssnFilter = Builders<Patient>.Filter.Eq("patientRecord.ssn", patient.PatientRecord.Ssn); var findResult = await encryptedCollection.Find(ssnFilter).ToCursorAsync(); Console.WriteLine(findResult.FirstOrDefault().ToJson());
var findResult PatientDocument err = coll.FindOne( context.TODO(), bson.M{"patientRecord.ssn": "987-65-4320"}, ).Decode(&findResult)
Patient findResult = collection.find( new BsonDocument() .append("patientRecord.ssn", new BsonString("987-65-4320"))) .first(); System.out.println(findResult);
const findResult = await encryptedCollection.findOne({ "patientRecord.ssn": "987-65-4320", }); console.log(findResult);
find_result = encrypted_collection.find_one({ "patientRecord.ssn": "987-65-4320" }) print(find_result)
The output of the preceding code sample should look similar to the following:
{ "_id": { "$oid": "648b384a722cb9b8392df76a" }, "name": "Jon Doe", "record": { "ssn": "987-65-4320", "billing": { "type": "Visa", "number": "4111111111111111" }, "billAmount": 1500 }, "__safeContent__": [ { "$binary": { "base64": "L1NsYItk0Sg+oL66DBj6IYHbX7tveANQyrU2cvMzD9Y=", "subType": "00" } } ] }
警告
不要修改 __safeContent__ 字段
__safeContent__ 字段对于 Queryable Encryption 至关重要。请勿修改此字段的内容。
了解详情
To view a tutorial on production-ready Queryable Encryption with a remote KMS, see Tutorials.
To learn how Queryable Encryption works, see Fundamentals.
如需详细了解本指南中提到的主题,请参阅以下链接:
Learn more about Queryable Encryption components on the 参考 page.
Learn how Customer Master Keys and Data Encryption Keys work on the 加密密钥和密钥保管库 page.
See how KMS Providers manage your Queryable Encryption keys on the KMS 提供商 page.