KeyVault.getKeys()


New in version 4.2.


getKeys() returns all data encryption keys stored in the key vault associated to the database connection.

getKeys() has the following syntax:

keyVault = db.getMongo().getKeyVault()

keyVault.getKeys()
Returns:

All data encryption keys associated with the key vault, or nothing if the key vault is empty.

Behavior

Requires Configuring Client-Side Field Level Encryption on Database Connection

The mongo client-side field level encryption methods require a database connection with client-side field level encryption enabled. If the current database connection was not initiated with client-side field level encryption enabled, either:

  • Use the Mongo() constructor from the mongo shell to establish a connection with the required client-side field level encryption options. The Mongo() method supports both Amazon Web Services and Local Key Management Service (KMS) providers for Customer Master Key (CMK) management.

    or

  • Use the mongo shell command line options to establish a connection with the required options. The command line options only support the AWS KMS provider for CMK management.

Example

The following example uses a locally managed KMS for the client-side field level encryption configuration.

Configuring client-side field level encryption for a locally managed key requires specifying a base64-encoded 96-byte string with no line breaks. The following operation generates a key that meets the stated requirements and loads it into the mongo shell:

TEST_LOCAL_KEY=$(head -c 96 /dev/urandom | base64 | tr -d '\n')
mongo --nodb --shell --eval "var TEST_LOCAL_KEY='$TEST_LOCAL_KEY'"

Create the client-side field level encryption object using the generated local key string:

var ClientSideFieldLevelEncryptionOptions = {
  "keyVaultNamespace" : "encryption.__dataKeys",
  "kmsProviders" : {
    "local" : {
      "key" : BinData(0, TEST_LOCAL_KEY)
    }
  }
}

Use the Mongo() constructor to create a database connection with the client-side field level encryption options. Replace the mongodb://myMongo.example.net URI with the connection string URI of the target cluster.

encryptedClient = Mongo(
  "mongodb://myMongo.example.net:27017/?replSetName=myMongo",
  ClientSideFieldLevelEncryptionOptions
)

Retrieve the KeyVault object from the encrypted connection and use the KeyVault.getKeys() method to retrieve all data encryption keys in the key vault:

keyVault = encryptedClient.getKeyVault()

keyVault.getKeys()

getKeys() returns all data encryption keys in the key vault:

{
  "_id" : UUID("b4b41b33-5c97-412e-a02b-743498346079"),
  "keyMaterial" : BinData(0,"PXRsLOAYxhzTS/mFQAI8486da7BwZgqA91UI7NKz/T/AjB0uJZxTvhvmQQsKbCJYsWVS/cp5Rqy/FUX2zZwxJOJmI3rosPhzV0OI5y1cuXhAlLWlj03CnTcOSRzE/YIrsCjMB0/NyiZ7MRWUYzLAEQnE30d947XCiiHIb8a0kt2SD0so8vZvSuP2n0Vtz4NYqnzF0CkhZSWFa2e2yA=="),
  "creationDate" : ISODate("2019-08-12T21:21:30.569Z"),
  "updateDate" : ISODate("2019-08-12T21:21:30.569Z"),
  "status" : 0,
  "version" : NumberLong(0),
  "masterKey" : {
    "provider" : "aws",
    "key" : "arn:aws:kms:region:account:key/keystring",
    "region" : "region",
    "endpoint" : "kms.region.amazonaws.com:443"
  },
  "keyAltNames" : [
    "dataKeyAlternativeName_alpha"
  ]
}
{
  "_id" : UUID("0aa9dc24-2f28-42da-ad87-26e3930e743c"),
  "keyMaterial" : BinData(0,"PXRsLOAYxhzTS/mFQAI8486da7BwZgqA91UI7NKz/T/AjB0uJZxTvhvmQQsKbCJYsWVS/cp5Rqy/FUX2zZwxJOJmI3rosPhzV0OI5y1cuXhAlLWlj03CnTcOSRzE/YIrsCjMB0/NyiZ7MRWUYzLAEQnE30d947XCiiHIb8a0kt2SD0so8vZvSuP2n0Vtz4NYqnzF0CkhZSWFa2e2yA=="),
  "creationDate" : ISODate("2019-08-12T22:10:44.847Z"),
  "updateDate" : ISODate("2019-08-12T22:10:44.847Z"),
  "status" : 0,
  "version" : NumberLong(0),
  "masterKey" : {
    "provider" : "aws",
    "key" : "arn:aws:kms:region:account:key/keystring",
    "region" : "region",
    "endpoint" : "kms.region.amazonaws.com:443"
  },
  "keyAltNames" : [
    "dataKeyAlternativeName_baker"
  ]
}
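The documents getKeys() returns are the inventory a key-vault review works from. The following is an added example, not part of the MongoDB documentation: it audits an array of such documents against a simple policy (allowed KMS providers, a maximum key age, unique keyAltNames). The policy values and the sample documents are constructed; plain strings and Dates stand in for the shell's UUID()/BinData()/ISODate() wrappers so the code runs under Node.js.

```javascript
// Added example (not MongoDB's code): audit KeyVault.getKeys() documents.
// Field names (_id, masterKey.provider, creationDate, keyAltNames) follow the
// getKeys() output shown above; policy thresholds are assumptions.

function auditDataKeys(keys, policy) {
  const allowed = new Set(policy.allowedProviders);
  const now = policy.now || new Date();
  const altNameOwner = new Map(); // keyAltName -> _id of the first key carrying it
  const byProvider = {};
  const findings = [];

  for (const k of keys) {
    const provider = k.masterKey ? k.masterKey.provider : undefined;
    byProvider[provider] = (byProvider[provider] || 0) + 1;

    // Data keys should be wrapped by a CMK from an approved KMS provider.
    if (!allowed.has(provider)) {
      findings.push({ key: k._id, issue: "provider-not-allowed", detail: String(provider) });
    }
    // Age since creationDate, compared with the rotation window in the policy.
    const ageDays = (now - new Date(k.creationDate)) / 86400000;
    if (ageDays > policy.maxKeyAgeDays) {
      findings.push({ key: k._id, issue: "rotation-overdue", detail: `${Math.floor(ageDays)} days old` });
    }
    // A keyAltName is meant to name one key; the same name on two keys is a misconfiguration.
    for (const name of k.keyAltNames || []) {
      if (altNameOwner.has(name)) {
        findings.push({ key: k._id, issue: "duplicate-keyAltName", detail: `${name} also on ${altNameOwner.get(name)}` });
      } else {
        altNameOwner.set(name, k._id);
      }
    }
  }
  return { total: keys.length, byProvider, findings };
}

// Constructed sample documents; shapes mirror the two getKeys() results above.
const SAMPLE_KEYS = [
  { _id: "b4b41b33-5c97-412e-a02b-743498346079", creationDate: "2019-08-12T21:21:30.569Z", status: 0,
    masterKey: { provider: "aws", key: "arn:aws:kms:region:account:key/keystring", region: "region" },
    keyAltNames: ["dataKeyAlternativeName_alpha"] },
  { _id: "0aa9dc24-2f28-42da-ad87-26e3930e743c", creationDate: "2020-06-01T00:00:00Z", status: 0,
    masterKey: { provider: "local" },
    keyAltNames: ["dataKeyAlternativeName_baker", "dataKeyAlternativeName_alpha"] },
];

// Constructed policy: only the local provider is approved, rotate yearly, fixed clock for repeatability.
const SAMPLE_POLICY = { allowedProviders: ["local"], maxKeyAgeDays: 365, now: new Date("2021-01-01T00:00:00Z") };
console.log(JSON.stringify(auditDataKeys(SAMPLE_KEYS, SAMPLE_POLICY), null, 2));
```

In the mongo shell, collect the documents returned by keyVault.getKeys() into an array and pass that array in place of SAMPLE_KEYS.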