add explicit encryption example (#1730)

Emily Giurleo · web-flow · commit c41aefe8304b · 2020-02-26T20:41:22.000-05:00
diff --git a/source/tutorials/client-side-encryption.txt b/source/tutorials/client-side-encryption.txt
@@ -165,7 +165,79 @@ or creating a schema map, see later sections of this tutorial.
 
 Explicit Encryption
 -------------------
-Documentation for explicit encryption will be provided soon.
+Explicit encryption is a feature that allows users to encrypt and decrypt
+individual pieces of data such as strings, integers, or symbols. Explicit
+encryption is a community feature and does not require an enterprise build
+of the MongoDB server to use. To perform all explicit encryption and decryption
+operations, use an instance of the ClientEncryption class.
+
+The following is an example of using explicit encryption with a local encryption
+master key to encrypt a piece of data before inserting it into the database,
+and then decrypting it after reading it from the database.
+
+.. code-block:: ruby
+
+  require 'mongo'
+
+  # Generate a local encryption master key
+  # To reuse this master key, persist it to a file or environment variable
+  # on your machine.
+  local_master_key = Base64.encode64(SecureRandom.random_bytes(96))
+
+  kms_providers = {
+    local: {
+      key: local_master_key
+    }
+  }
+
+  # Create an encryption data key and insert it into the key vault collection
+  key_vault_client = Mongo::Client.new(['localhost:27017'])
+
+  client_encryption = Mongo::ClientEncryption.new(
+    key_vault_client,
+    {
+      key_vault_namespace: 'admin.datakeys',
+      kms_providers: kms_providers
+    }
+  )
+
+  data_key_id = client_encryption.create_data_key('local')
+
+  # The value to encrypt
+  value = 'sensitive data'
+
+  # Encrypt the value
+  encrypted_value = client_encryption.encrypt(
+    'sensitive data',
+    {
+      key_id: data_key_id,
+      algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
+    }
+  )
+
+  # Create the client you will use to read and write the data to MongoDB
+  client = Mongo::Client.new(['localhost:27017'])
+  collection = client.use(:encryption_db)[:encryption_coll]
+  collection.drop # Make sure there is no data in the collection
+
+  # Insert the encrypted value into the collection
+  collection.insert_one(encrypted_field: encrypted_value)
+
+  # Use the client to read the encrypted value from the database, then
+  # use the ClientEncryption object to decrypt it
+  find_result = collection.find(encrypted_field: encrypted_value).first['encrypted_field']
+  # => <BSON::Binary...> (the find result is encrypted)
+
+  unencrypted_result = client_encryption.decrypt(find_result)
+  # => "sensitive data"
+
+For more information about creating an encryption master key, creating a data key,
+or creating a schema map, see later sections of this tutorial.
+
+.. seealso::
+  `Creating A Master Key`_,
+  `Creating A Data Key`_,
+  `Creating A Schema Map`_,
 
 Creating a Master Key
 ---------------------
