|
| 1 | ++++ |
| 2 | +date = "2019-06-13T09:00:01+01:00" |
| 3 | +title = "Client Site Encryption" |
| 4 | +[menu.main] |
| 5 | + parent = "Sync Tutorials" |
| 6 | + identifier = "Sync Client Side Encryption" |
| 7 | + weight = 16 |
| 8 | + pre = "<i class='fa fa-lock'></i>" |
| 9 | ++++ |
| 10 | + |
| 11 | +# Client Site Encryption |
| 12 | + |
| 13 | +New in MongoDB 4.2 client side encryption allows administrators and developers to encrypt specific data fields in addition to other |
| 14 | +MongoDB encryption features. |
| 15 | + |
| 16 | +With field level encryption, developers can encrypt fields client side without any server-side |
| 17 | +configuration or directives. Client-side field level encryption supports workloads where applications must guarantee that |
| 18 | +unauthorized parties, including server administrators, cannot read the encrypted data. |
| 19 | + |
| 20 | +## Installation |
| 21 | + |
| 22 | +The recommended way to get started using field level encryption in your project is with a dependency management system. |
| 23 | +Field level encryption requires additional packages to be installed as well as the driver itself. |
| 24 | +See the [installation]({{< relref "driver/getting-started/installation.md" >}}) for instructions on how to install the MongoDB driver. |
| 25 | + |
| 26 | +{{< distroPicker >}} |
| 27 | + |
| 28 | +### libmongocrypt |
| 29 | + |
| 30 | +There is a separate jar file containing`libmongocrypt` bindings. |
| 31 | + |
| 32 | +{{< install artifactId="mongodb-mongocrypt" version="1.0.0-beta1">}} |
| 33 | + |
| 34 | +If the jar fails to run there are separate jar files for specific architectures: |
| 35 | + |
| 36 | +#### RHEL 7.0* |
| 37 | +{{< install artifactId="mongodb-crypt" version="1.0.0-beta1" classifier="linux64-rhel70">}} |
| 38 | + |
| 39 | +#### OSX* |
| 40 | +{{< install artifactId="mongodb-crypt" version="1.0.0-beta1" classifier="osx">}} |
| 41 | + |
| 42 | +#### Windows* |
| 43 | +{{< install artifactId="mongodb-crypt" version="1.0.0-beta1" classifier="win64">}} |
| 44 | + |
| 45 | +#### Ubuntu 16.04 |
| 46 | +{{< install artifactId="mongodb-crypt" version="1.0.0-beta1" classifier="linux64-ubuntu1604">}} |
| 47 | + |
| 48 | + |
| 49 | +* Distribution is included in the main `mongodb-crypt` jar file. |
| 50 | + |
| 51 | +### mongocryptd configuration |
| 52 | + |
| 53 | +`libmongocrypt` requires the `mongocryptd` daemon / process to be running. A specific daemon / process uri can be configured in the |
| 54 | +`AutoEncryptionSettings` class by setting `mongocryptdURI` in the `extraOptions`. |
| 55 | + |
| 56 | +More information about libmongocrypt will soon be available from the official documentation. |
| 57 | + |
| 58 | + |
| 59 | +### Examples |
| 60 | + |
| 61 | +The following is a sample app that assumes key and schema have already been created in MongoDB. The example uses a local key, |
| 62 | +however using AWS Key Management Service is also an option. The data in the `encryptedField` field is automatically encrypted on the |
| 63 | +insert and decrypted when using find on the client side: |
| 64 | + |
| 65 | +```java |
| 66 | +import com.mongodb.AutoEncryptionSettings; |
| 67 | +import com.mongodb.MongoClientSettings; |
| 68 | +import com.mongodb.client.MongoClients; |
| 69 | +import org.bson.Document; |
| 70 | + |
| 71 | +import java.security.SecureRandom; |
| 72 | +import java.util.Map; |
| 73 | + |
| 74 | +public class ClientSideEncryptionSimpleTest { |
| 75 | + |
| 76 | + public static void main(String[] args) { |
| 77 | + |
| 78 | + // This would have to be the same master key as was used to create the encryption key |
| 79 | + var localMasterKey = new byte[96]; |
| 80 | + new SecureRandom().nextBytes(localMasterKey); |
| 81 | + |
| 82 | + var kmsProviders = Map.of("local", Map.<String, Object>of("key", localMasterKey)); |
| 83 | + var keyVaultNamespace = "admin.datakeys"; |
| 84 | + |
| 85 | + var autoEncryptionSettings = AutoEncryptionSettings.builder() |
| 86 | + .keyVaultNamespace(keyVaultNamespace) |
| 87 | + .kmsProviders(kmsProviders) |
| 88 | + .build(); |
| 89 | + |
| 90 | + var clientSettings = MongoClientSettings.builder() |
| 91 | + .autoEncryptionSettings(autoEncryptionSettings) |
| 92 | + .build(); |
| 93 | + |
| 94 | + var client = MongoClients.create(clientSettings); |
| 95 | + var collection = client.getDatabase("test").getCollection("coll"); |
| 96 | + collection.drop(); // Clear old data |
| 97 | + |
| 98 | + collection.insertOne(new Document("encryptedField", "123456789")); |
| 99 | + |
| 100 | + System.out.println(collection.find().first().toJson()); |
| 101 | + } |
| 102 | +} |
| 103 | +``` |
| 104 | + |
| 105 | +{{% note %}} |
| 106 | +Auto encryption is an **enterprise** only feature. |
| 107 | +{{% /note %}} |
| 108 | + |
| 109 | +The following example shows how to configure the `AutoEncryptionSettings` instance to create a new key and setting the json schema map: |
| 110 | + |
| 111 | +```java |
| 112 | +import com.mongodb.ConnectionString; |
| 113 | +import com.mongodb.ClientEncryptionSettings; |
| 114 | +import com.mongodb.client.vault.ClientEncryptions; |
| 115 | + |
| 116 | +... |
| 117 | + |
| 118 | + |
| 119 | +var keyVaultNamespace = "admin.datakeys"; |
| 120 | +var clientEncryptionSettings = ClientEncryptionSettings.builder() |
| 121 | + .keyVaultMongoClientSettings(MongoClientSettings.builder() |
| 122 | + .applyConnectionString(new ConnectionString("mongodb://localhost")) |
| 123 | + .build()) |
| 124 | + .keyVaultNamespace(keyVaultNamespace) |
| 125 | + .kmsProviders(kmsProviders) |
| 126 | + .build(); |
| 127 | + |
| 128 | +var clientEncryption = ClientEncryptions.create(clientEncryptionSettings); |
| 129 | +var dataKeyId = keyVault.createDataKey("local", new DataKeyOptions()); |
| 130 | +var base64DataKeyId = Base64.getEncoder().encodeToString(dataKeyId.getData()); |
| 131 | + |
| 132 | +var dbName = "test"; |
| 133 | +var collName = "coll"; |
| 134 | +var autoEncryptionSettings = AutoEncryptionSettings.builder() |
| 135 | + .keyVaultNamespace(keyVaultNamespace) |
| 136 | + .kmsProviders(kmsProviders) |
| 137 | + .namespaceToLocalSchemaDocumentMap(Map.of(dbName + "." + collName, |
| 138 | + // Need a schema that references the new data key |
| 139 | + BsonDocument.parse("{" + |
| 140 | + " properties: {" + |
| 141 | + " encryptedField: {" + |
| 142 | + " encrypt: {" + |
| 143 | + " keyId: [{" + |
| 144 | + " \"$binary\": {" + |
| 145 | + " \"base64\": \"" + base64DataKeyId + "\"," + |
| 146 | + " \"subType\": \"04\"" + |
| 147 | + " }" + |
| 148 | + " }]," + |
| 149 | + " bsonType: \"string\"," + |
| 150 | + " algorithm: \"AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic\"" + |
| 151 | + " }" + |
| 152 | + " }" + |
| 153 | + " }," + |
| 154 | + " \"bsonType\": \"object\"" + |
| 155 | + "}")) |
| 156 | + ).build(); |
| 157 | +``` |
| 158 | + |
| 159 | +{{% note %}} |
| 160 | +Auto encryption is an **enterprise** only feature. |
| 161 | +{{% /note %}} |
| 162 | + |
| 163 | +**Coming soon:** An example using the community version and demonstrating explicit encryption/decryption. |
0 commit comments