@@ -375,229 +375,6 @@ master key and create data keys, see the following sections of this tutorial:
375375- :ref:`Creating A Master Key <creating-a-master-key>`
376376- :ref:`Creating A Data Key <creating-a-data-key>`
377377
378- Queryable Encryption
379- ====================
380-
381- Queryable encryption is a new feature in MongoDB 6.0. It also requires
382- libmongocrypt version 1.5.2 or above.
383-
384- You can find more information about queryable encryption in `MongoDB Manual
385- <https://www.mongodb.com/docs/upcoming/core/queryable-encryption/queryable-encryption/>`_
386-
387- .. note::
388-
389- The queryable encryption feature is in public technical preview.
390- Therefore, the following options should be considered experimental
391- and are subject to change:
392-
393- - ``:encrypted_fields_map`` and ``:bypass_query_analysis`` in auto encryption options.
394- - ``:contention_factor`` and ``:query_type`` in client encryption options.
395-
396- Below is an example of using automatic queryable encryption using the Ruby driver:
397-
398- .. code-block:: ruby
399-
400- require 'mongo'
401-
402- #####################################
403- # Step 1: Create a local master key #
404- #####################################
405-
406- # A local master key is a 96-byte binary blob.
407- local_master_key = SecureRandom.random_bytes(96)
408- # => "\xB2\xBE\x8EN\xD4\x14\xC2\x13\xC3..."
409-
410- #############################
411- # Step 2: Create a data key #
412- #############################
413-
414- kms_providers = {
415- local: {
416- key: local_master_key
417- }
418- }
419-
420- # The key vault client is a Mongo::Client instance
421- # that will be used to store your data keys.
422- key_vault_client = Mongo::Client.new('mongodb://localhost:27017,localhost:27018')
423-
424- # Use an instance of Mongo::ClientEncryption to create a new data key
425- client_encryption = Mongo::ClientEncryption.new(
426- key_vault_client,
427- key_vault_namespace: 'encryption.__keyVault',
428- kms_providers: kms_providers
429- )
430-
431- data_key_id = client_encryption.create_data_key('local')
432- # => <BSON::Binary... type=ciphertext...>
433-
434- #######################################################
435- # Step 3: Configure Mongo::Client for auto-encryption #
436- #######################################################
437-
438- # Create an encrypted fields map, which tells the Mongo::Client which fields to encrypt.
439- encrypted_fields_map = {
440- 'encryption_db.encryption_coll' => {
441- fields: [
442- {
443- path: 'encrypted_field',
444- bsonType: 'string',
445- keyId: data_key_id,
446- queries: {
447- queryType: 'equality'
448- }
449- }
450- ]
451- }
452- }
453-
454- # Configure the client for automatic encryption
455- client = Mongo::Client.new(
456- 'mongodb://localhost:27017,localhost:27018',
457- auto_encryption_options: {
458- key_vault_namespace: 'encryption.__keyVault',
459- kms_providers: kms_providers,
460- encrypted_fields_map: encrypted_fields_map,
461- },
462- database: 'encryption_db'
463- )
464-
465- # Make sure there is no data in the collection.
466- client.database.drop
467-
468- # Create encrypted collection explicitly.
469- collection = client['encryption_coll'].create
470-
471- # The string "sensitive data" will be encrypted and stored in the database
472- # as ciphertext
473- collection.insert_one(encrypted_field: 'sensitive data')
474-
475- # The data is decrypted before being returned to the user
476- collection.find(encrypted_field: 'sensitive data').first['encrypted_field']
477- # => "sensitive data"
478-
479- # A client with no auto_encryption_options is unable to decrypt the data
480- client_no_encryption = Mongo::Client.new(['localhost:27017'], database: 'encryption_db')
481- client_no_encryption['encryption_coll'].find.first['encrypted_field']
482- # => <BSON::Binary... type=ciphertext...>
483-
484- The example above demonstrates using automatic encryption with a local master key.
485- For more information about using other key management services to create a
486- master key and create data keys, see the following sections of this tutorial:
487-
488- - :ref:`Creating A Master Key <creating-a-master-key>`
489- - :ref:`Creating A Data Key <creating-a-data-key>`
490-
491- Below is an example of explicit queryable encryption.
492-
493- .. code-block:: ruby
494-
495- require 'mongo'
496-
497- #####################################
498- # Step 1: Create a local master key #
499- #####################################
500-
501- # A local master key is a 96-byte binary blob.
502- local_master_key = SecureRandom.random_bytes(96)
503- # => "\xB2\xBE\x8EN\xD4\x14\xC2\x13\xC3..."
504-
505- #############################
506- # Step 2: Create a data key #
507- #############################
508-
509- kms_providers = {
510- local: {
511- key: local_master_key
512- }
513- }
514-
515- # The key vault client is a Mongo::Client instance
516- # that will be used to store your data keys.
517- key_vault_client = Mongo::Client.new('mongodb://localhost:27017,localhost:27018')
518-
519- # Use an instance of Mongo::ClientEncryption to create a new data key
520- client_encryption = Mongo::ClientEncryption.new(
521- key_vault_client,
522- key_vault_namespace: 'encryption.__keyVault',
523- kms_providers: kms_providers
524- )
525-
526- data_key_id = client_encryption.create_data_key('local')
527- # => <BSON::Binary... type=ciphertext...>
528-
529- ##########################################
530- # Step 3: Create an encrypted collection #
531- ##########################################
532- encrypted_fields = {
533- fields: [
534- {
535- path: 'encrypted_field',
536- bsonType: 'string',
537- keyId: data_key_id,
538- queries: {
539- queryType: 'equality',
540- contention: 0
541- }
542- }
543- ]
544- }
545-
546- # Create the client you will use to read and write the data to MongoDB
547- # Please note that to insert or query with an "Indexed" encrypted payload,
548- # you should use a ``Mongo::Client`` that is configured with ``:auto_encryption_options``.
549- # ``auto_encryption_options[:bypass_query_analysis]`` may be true.
550- # ``auto_encryption_options[:bypass_auto_encryption]`` must be not set or false.
551- client = Mongo::Client.new(
552- ['localhost:27017'],
553- auto_encryption_options: {
554- key_vault_namespace: 'encryption.__keyVault',
555- kms_providers: kms_providers,
556- bypass_query_analysis: true,
557- },
558- database: 'encryption_db',
559- )
560-
561- # Make sure there is no data in the collection.
562- client['encryption_coll'].drop(encrypted_fields: encrypted_fields)
563- # Create encrypted collection explicitly.
564- client['encryption_coll'].create(encrypted_fields: encrypted_fields)
565-
566- #####################################################
567- # Step 4: Encrypt a string with explicit encryption #
568- #####################################################
569-
570- # The value to encrypt
571- value = 'sensitive data'
572-
573- # Encrypt the value
574- insert_payload = client_encryption.encrypt(
575- 'sensitive data',
576- {
577- key_id: data_key_id,
578- algorithm: "Indexed",
579- contention_factor: 0
580- }
581- )
582-
583- # Insert the encrypted value into the collection
584- client['encryption_coll'].insert_one(encrypted_field: insert_payload)
585-
586- # Use the client to read the encrypted value from the database, then
587- # use the ClientEncryption object to decrypt it.
588- find_payload = client_encryption.encrypt(
589- 'sensitive data',
590- {
591- key_id: data_key_id,
592- algorithm: "Indexed",
593- contention_factor: 0,
594- query_type: "equality"
595- }
596- )
597-
598- find_result = client['encryption_coll'].find(encrypted_field: find_payload).first['encrypted_field']
599- # => 'sensitive data'
600-
601378.. _creating-a-master-key:
602379
603380Creating a Master Key
0 commit comments