Automatic Client-Side Field Level Encryption


Enterprise Feature

The automatic feature of field level encryption is only available in MongoDB 4.2 Enterprise and MongoDB Atlas 4.2 clusters.

Overview

Official MongoDB 4.2-compatible drivers and the MongoDB 4.2 mongo shell support automatically encrypting fields in read and write operations. For a complete list of official 4.2-compatible drivers with support for client-side field level encryption, see Driver Compatibility Table.

Applications must create a database connection object (e.g. MongoClient) with the automatic encryption configuration settings. The configuration settings must include automatic encryption rules using a strict subset of the JSON Schema Draft 4 standard syntax and encryption-specific schema keywords. Applications do not have to modify code associated with constructing the read/write operation. See Automatic Encryption Rules for complete documentation on automatic encryption rules.

The official MongoDB 4.2-compatible drivers and 4.2 mongo shell use the Enterprise-only mongocryptd process to parse the automatic encryption rules and apply the encryption rules when reading or writing documents:

Enabling Automatic Client-Side Field Level Encryption

Each official MongoDB 4.2-compatible driver introduces new functionality for supporting automatic encryption and data encryption key management. Refer to your preferred driver's documentation for language-specific instructions on implementing automatic client-side field level encryption.

The MongoDB 4.2 mongo shell adds an additional option to the Mongo() method for instantiating a database connection with automatic client-side field level encryption. For a complete example, see Connect to a MongoDB Cluster with Automatic Client-Side Encryption Enabled.

Automatic client-side field level encryption requires access to the mongocryptd process on the client host machine. See mongocryptd for complete documentation on installation. The official MongoDB 4.2-compatible drivers have additional options for managing the mongocryptd process. Generally, the 4.2-compatible drivers and 4.2 mongo shell can access the mongocryptd process if it is in the system PATH.

Applications must specify the following components when instantiating the database connection to enable automatic client-side field level encryption:
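The following is an added example and not code from the MongoDB documentation: it builds an option object of the shape the 4.2 mongo shell's Mongo() method accepts under autoEncryption (key vault namespace, KMS provider, schemaMap) and checks the schemaMap's encrypt rules before a connection is opened, so a misconfigured rule fails in the application rather than at query time. The namespace `hr.employees`, the zero-filled local master key and the data key id passed in are constructed placeholders.

```javascript
// Added example, not from the MongoDB docs: shape of the autoEncryption options for the
// 4.2 mongo shell's Mongo() method, plus a pre-flight check of the schemaMap's encrypt rules.
const ALGORITHMS = new Set([
  "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
  "AEAD_AES_256_CBC_HMAC_SHA_512-Random",
]);

// Constructed local master key (96 zero bytes, base64) purely for illustration.
const LOCAL_MASTER_KEY = Buffer.alloc(96, 0).toString("base64");

// dataKeyId: id of a data encryption key assumed to already exist in the key vault
// (the shell uses a UUID object here; a string stands in for it in this example).
function buildAutoEncryptionOptions(dataKeyId) {
  return {
    keyVaultNamespace: "encryption.__keyVault",
    kmsProviders: { local: { key: LOCAL_MASTER_KEY } },
    schemaMap: {
      "hr.employees": {
        bsonType: "object",
        encryptMetadata: { keyId: [dataKeyId] }, // inherited by nested encrypt rules
        properties: {
          // deterministic: equality queries on the ciphertext still work
          ssn: { encrypt: { bsonType: "string",
                            algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" } },
          // random: stronger, but the field cannot be queried
          salary: { encrypt: { bsonType: "int",
                               algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Random" } },
        },
      },
    },
  };
}

// Walks every sub-schema and returns a list of problems (empty when the map is valid).
function validateSchemaMap(schemaMap) {
  const problems = [];
  function walk(node, path, inheritedKeyId) {
    if (!node || typeof node !== "object") return;
    const keyId = node.encryptMetadata?.keyId ?? inheritedKeyId;
    if (node.encrypt) {
      const e = node.encrypt;
      if (!ALGORITHMS.has(e.algorithm)) problems.push(`${path}: unknown algorithm ${e.algorithm}`);
      if (e.keyId === undefined && keyId === undefined) problems.push(`${path}: no keyId available`);
      if (e.algorithm?.endsWith("-Deterministic") && typeof e.bsonType !== "string")
        problems.push(`${path}: deterministic encryption needs a single bsonType`);
    }
    for (const [name, child] of Object.entries(node.properties ?? {})) walk(child, `${path}.${name}`, keyId);
  }
  for (const [ns, schema] of Object.entries(schemaMap)) walk(schema, ns, undefined);
  return problems;
}
```

In the shell the resulting object is passed as `Mongo(uri, { autoEncryption: opts })`; mongocryptd must be reachable on the client host for the rules to be applied.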

Server-Side Field Level Encryption Enforcement

The MongoDB 4.2 server supports using schema validation to enforce encryption of specific fields in a collection. Clients performing automatic client-side field level encryption have specific behavior depending on the database connection configuration:

For complete documentation on server-side enforcement of client-side field level encryption, see Enforce Field Level Encryption Schema.