diff --git a/source/core/security-automatic-client-side-encryption.txt b/source/core/security-automatic-client-side-encryption.txt index 132ce7a195d..c820887248c 100644 --- a/source/core/security-automatic-client-side-encryption.txt +++ b/source/core/security-automatic-client-side-encryption.txt @@ -17,10 +17,10 @@ Automatic Client-Side Field Level Encryption Overview -------- -Official MongoDB 4.2-compatible drivers and the MongoDB 4.2 +Official MongoDB 4.2+ compatible drivers and the MongoDB 4.2 or later :binary:`~bin.mongo` shell support automatically encrypting fields in read and write operations. For a complete list of official -4.2-compatible drivers with support for client-side field level +4.2+ compatible drivers with support for client-side field level encryption, see :ref:`field-level-encryption-drivers`. Applications must create a database connection object (e.g. @@ -33,10 +33,11 @@ code associated with constructing the read/write operation. See :ref:`field-level-encryption-json-schema` for complete documentation on automatic encryption rules. -The official MongoDB 4.2-compatible drivers and 4.2 :binary:`~bin.mongo` -shell use the Enterprise-only :ref:`field-level-encryption-mongocryptd` -process to parse the automatic encryption rules and apply the encryption -rules when reading or writing documents: +The official MongoDB 4.2+ compatible drivers and 4.2 or later +:binary:`~bin.mongo` shell use the Enterprise-only +:ref:`field-level-encryption-mongocryptd` process to parse the automatic +encryption rules and apply the encryption rules when reading or writing +documents: - For write operations, the driver/shell encrypts field values *prior* to writing to the MongoDB database. 
@@ -53,9 +54,9 @@ rules when reading or writing documents: Enabling Automatic Client-Side Field Level Encryption ----------------------------------------------------- -Each official MongoDB 4.2-compatible driver introduces new functionality -for supporting automatic encryption and data encryption key management. -Defer to your preferred :ref:`driver's documentation +Each official MongoDB 4.2+ compatible driver introduces new +functionality for supporting automatic encryption and data encryption +key management. Defer to your preferred :ref:`driver's documentation ` for language-specific instructions on implementing automatic client-side field level encryption. @@ -68,9 +69,9 @@ For a complete example, see Automatic client-side field level encryption requires access to the :ref:`mongocryptd` process on the client host machine. See :ref:`mongocryptd` for complete documentation on installation. The -official MongoDB 4.2-compatible drivers have additional options for -managing the ``mongocryptd`` process. Generally, the 4.2-compatible -drivers and 4.2 :binary:`~bin.mongo` shell can access the +official MongoDB 4.2+ compatible drivers have additional options for +managing the ``mongocryptd`` process. Generally, the 4.2+ compatible +drivers and 4.2 or later :binary:`~bin.mongo` shell can access the ``mongocryptd`` process if it is in the system ``PATH``. Applications must specify the following components when instantiating @@ -87,9 +88,9 @@ encryption: specified CMK *prior* to storing them in the key vault, leaving only metadata unencrypted. - 4.2-compatible drivers and the 4.2 :binary:`~bin.mongo` shell need - access to the KMS to encrypt and decrypt protected fields *or* to - create new data encryption keys. + 4.2+ compatible drivers and the 4.2 or later :binary:`~bin.mongo` + shell need access to the KMS to encrypt and decrypt protected fields + *or* to create new data encryption keys. - Per-field automatic encryption rules using :ref:`JSON schema syntax `. 
@@ -99,9 +100,10 @@ encryption: Server-Side Field Level Encryption Enforcement ---------------------------------------------- -The MongoDB 4.2 server supports using :doc:`schema validation -` to enforce encryption of specific fields in a -collection. Clients performing :ref:`automatic client-side field level +Starting in MongoDB 4.2, the server supports using +:doc:`schema validation ` to enforce encryption +of specific fields in a collection. Clients performing +:ref:`automatic client-side field level encryption ` have specific behavior depending on the :ref:`database connection configuration `: diff --git a/source/core/security-client-side-encryption.txt b/source/core/security-client-side-encryption.txt index 07e9c27a533..ced9f452d65 100644 --- a/source/core/security-client-side-encryption.txt +++ b/source/core/security-client-side-encryption.txt @@ -12,7 +12,7 @@ Client-Side Field Level Encryption .. versionadded:: 4.2 -The :ref:`official MongoDB 4.2-compatible drivers +The :ref:`official MongoDB 4.2+ compatible drivers ` provide a client-side field level encryption framework. Applications can encrypt fields in documents *prior* to transmitting data over the wire to the server. Only 
@@ -82,24 +82,24 @@ and ``phone``. Encrypted fields are stored as "ssn" : BinData(6,"AaloEw285E3AnfjP+r8ph2YCvMI1+rWzpZK97tV6iz0jx") } -For a complete list of official 4.2-compatible drivers with support +For a complete list of official 4.2+ compatible drivers with support for client-side field level encryption, see :ref:`field-level-encryption-drivers`. For an end-to-end procedure for configuring field level encryption using -select MongoDB 4.2-compatible drivers, see the -:ecosystem:`Client Side Field Level Encryption Guide -`. +select MongoDB 4.2+ compatible drivers, see the +:driver:`Client Side Field Level Encryption Guide +`. Supported Encryption Methods ---------------------------- MongoDB supports two methods of client-side field level encryption using -the official MongoDB 4.2-compatible drivers: +the official MongoDB 4.2+ compatible drivers: Explicit (manual) encryption of fields - Official :ref:`MongoDB 4.2-compatible drivers - ` and the MongoDB 4.2 + Official :ref:`MongoDB 4.2+ compatible drivers + ` and the MongoDB 4.2 or later :binary:`~bin.mongo` shell support explicitly encrypting or decrypting fields with a specific data encryption key and encryption algorithm. @@ -115,8 +115,8 @@ Explicit (manual) encryption of fields Automatic encryption of fields .. include:: /includes/extracts/csfle-enterprise-atlas-only.rst - Official :ref:`MongoDB 4.2-compatible drivers - ` and the MongoDB 4.2 + Official :ref:`MongoDB 4.2+ compatible drivers + ` and the MongoDB 4.2 or later :binary:`~bin.mongo` shell support automatically encrypting fields in read and write operations. 
@@ -133,10 +133,11 @@ Automatic encryption of fields For more information, see :doc:`/core/security-automatic-client-side-encryption`. -MongoDB 4.2-compatible drivers and the 4.2 :binary:`~bin.mongo` shell -automatically decrypt :bsontype:`Binary` subtype 6 objects created using -client-side field level encryption. For more information on automatic -decryption, see :ref:`field-level-encryption-automatic-decryption`. +MongoDB 4.2+ compatible drivers and the 4.2 or later +:binary:`~bin.mongo` shell automatically decrypt :bsontype:`Binary` +subtype 6 objects created using client-side field level encryption. For +more information on automatic decryption, see +:ref:`field-level-encryption-automatic-decryption`. .. important:: @@ -158,11 +159,11 @@ driver and each encryption component: - ``libmongocrypt`` is the `Apache-licensed open-source `__ core cryptography - library used by the official MongoDB 4.2-compatible drivers and the - :binary:`~bin.mongo` shell for powering client-side field level - encryption. Some drivers may require specific integration steps to - install or link the library. Defer to driver documentation for more - complete information. + library used by the official MongoDB 4.2+ compatible drivers and the + MongoDB 4.2 or later :binary:`~bin.mongo` shell for powering + client-side field level encryption. Some drivers may require specific + integration steps to install or link the library. Defer to driver + documentation for more complete information. - :ref:`mongocryptd` supports :ref:`field-level-encryption-automatic` and is only available with MongoDB Enterprise. ``mongocryptd`` does 
@@ -251,9 +252,10 @@ Automatic Field Decryption The :bsontype:`BinData ` blob metadata includes the data encryption key ``_id`` and encryption algorithm used to encrypt the -binary data. The 4.2-compatible drivers and 4.2 :binary:`~bin.mongo` -shell use this metadata to attempt automatic decryption ``BinData`` type -6 values. The automatic decryption process works as follows: +binary data. The 4.2+ compatible drivers and 4.2 or later +:binary:`~bin.mongo` shell use this metadata to attempt automatic +decryption of :bsontype:`BinData ` subtype 6 objects. The +automatic decryption process works as follows: 1. Check the :bsontype:`BinData ` blob metadata for the data encryption key and encryption algorithm used to encrypt the @@ -294,9 +296,10 @@ client construction method. Enforce Field Level Encryption Schema ------------------------------------- -The MongoDB 4.2 server supports using :doc:`schema validation -` to enforce encryption of specific fields in a -collection. Use the :ref:`automatic encryption rule keywords +Starting with MongoDB 4.2, the server supports using +:doc:`schema validation ` to enforce encryption +of specific fields in a collection. Use the +:ref:`automatic encryption rule keywords ` with the :query:`$jsonSchema` validation object to indicate which fields require encryption. The server rejects any write operations to that collection @@ -359,7 +362,7 @@ on the :ref:`database connection configuration .. container:: *Automatic client-side field level encryption is available with - MongoDB 4.2 Enterprise only.* + MongoDB Enterprise 4.2 or later only.* - If the connection :ref:`ClientSideFieldLevelEncryptionOptions` ``schemaMap`` object contains a key for the specified collection, the 
@@ -403,7 +406,7 @@ Driver Compatibility Table -------------------------- MongoDB 4.2 client-side field level encryption is only available with -the following official 4.2-compatible driver versions: +the following official 4.2+ compatible driver versions: .. list-table:: :widths: 20 20 60 diff --git a/source/core/security-explicit-client-side-encryption.txt b/source/core/security-explicit-client-side-encryption.txt index ce968efa4e4..1255bfb7e31 100644 --- a/source/core/security-explicit-client-side-encryption.txt +++ b/source/core/security-explicit-client-side-encryption.txt @@ -13,9 +13,9 @@ Explicit (Manual) Client-Side Field Level Encryption Overview -------- -MongoDB 4.2-compatible drivers and the 4.2 :binary:`~bin.mongo` shell -support explicitly encrypting or decrypting fields with a specific -data encryption key and encryption algorithm. +MongoDB 4.2+ compatible drivers and the 4.2 or later +:binary:`~bin.mongo` shell support explicitly encrypting or decrypting +fields with a specific data encryption key and encryption algorithm. Applications must modify any code associated with constructing read and write operations to include encryption/decryption logic via the driver @@ -30,10 +30,10 @@ performing explicit encryption and decryption: - :method:`ClientEncryption.encrypt()` - :method:`ClientEncryption.decrypt()` -MongoDB 4.2-compatible drivers have specific syntax for performing +MongoDB 4.2+ compatible drivers have specific syntax for performing explicit client-side field level encryption. See :ref:`field-level-encryption-drivers` for a complete list of -4.2-compatible drivers with support for client-side field +4.2+ compatible drivers with support for client-side field level encryption. Defer to the documentation for your preferred driver for specific instructions on performing client-side field level encryption. 
@@ -85,14 +85,15 @@ to protect those values. Enabling Explicit Client-Side Field Level Encryption ---------------------------------------------------- -Each official MongoDB 4.2-compatible driver introduces new functionality -for supporting client-side field level encryption and data encryption -key management. Defer to your preferred :ref:`driver's documentation -` for language-specific instructions on -implementing explicit client-side field level encryption. +Each official MongoDB 4.2+ compatible driver introduces new +functionality for supporting client-side field level encryption and data +encryption key management. Defer to your preferred +:ref:`driver's documentation ` for +language-specific instructions on implementing explicit client-side +field level encryption. -The MongoDB 4.2 :binary:`~bin.mongo` shell adds an additional option -to the :method:`Mongo()` method for instantiating a database +The MongoDB 4.2 or later :binary:`~bin.mongo` shell adds an additional +option to the :method:`Mongo()` method for instantiating a database connection with explicit client-side field level encryption. For a complete example, see :ref:`mongo-connection-client-side-encryption-enabled`. @@ -111,9 +112,9 @@ encryption: specified CMK *prior* to storing them in the key vault, leaving only metadata unencrypted. - 4.2-compatible drivers and the 4.2 :binary:`~bin.mongo` shell need - access to the KMS to encrypt and decrypt protected fields *or* to - create new data encryption keys. + 4.2+ compatible drivers and the 4.2 or later :binary:`~bin.mongo` + shell need access to the KMS to encrypt and decrypt protected fields + *or* to create new data encryption keys. Server-Side Field Level Encryption Enforcement ---------------------------------------------- diff --git a/source/includes/extracts-4.2-changes.yaml b/source/includes/extracts-4.2-changes.yaml index cbbcb25abb0..8cc9baba81a 100644 --- a/source/includes/extracts-4.2-changes.yaml 
+++ b/source/includes/extracts-4.2-changes.yaml @@ -636,8 +636,8 @@ content: | * - :binary:`~bin.mongodump` - Use Extended JSON v2.0 (Canonical mode) format for the - metadata. Requires :binary:`~bin.mongorestore` version 4.2+ - that supports Extended JSON v2.0 (Canonical mode or + metadata. Requires :binary:`~bin.mongorestore` version 4.2 or + later that supports Extended JSON v2.0 (Canonical mode or Relaxed) format. .. tip:: @@ -714,10 +714,10 @@ content: | the correct default state of :urioption:`retryWrites` for your specific driver and version. - The official MongoDB 4.2-compatible drivers enable :ref:`retryable-writes` by - default. Applications upgrading to the 4.2-compatible drivers that require + The official MongoDB 4.2+ compatible drivers enable :ref:`retryable-writes` by + default. Applications upgrading to the 4.2+ compatible drivers that require retryable writes may omit the :urioption:`retryWrites=true ` - option. Applications upgrading to the 4.2-compatible drivers that require + option. Applications upgrading to the 4.2+ compatible drivers that require *disabling* retryable writes must include :urioption:`retryWrites=false ` in the connection string. --- diff --git a/source/includes/extracts-client-side-field-level-encryption.yaml b/source/includes/extracts-client-side-field-level-encryption.yaml index 4c01c42af0c..712966f1b9d 100644 --- a/source/includes/extracts-client-side-field-level-encryption.yaml +++ b/source/includes/extracts-client-side-field-level-encryption.yaml @@ -112,7 +112,8 @@ content: | .. admonition:: Enterprise Feature The automatic feature of field level encryption is only available - in MongoDB 4.2 Enterprise and MongoDB Atlas 4.2 clusters. + in MongoDB Enterprise 4.2 or later, and MongoDB Atlas 4.2 or later + clusters. --- ref: csfle-aws-kms-4.2.0-4.2.1-broken content: | 
diff --git a/source/includes/fact-retryable-writes-failover-election.rst b/source/includes/fact-retryable-writes-failover-election.rst index db963ece603..3bda83886c5 100644 --- a/source/includes/fact-retryable-writes-failover-election.rst +++ b/source/includes/fact-retryable-writes-failover-election.rst @@ -4,7 +4,7 @@ can detect the loss of the primary and automatically :ref:`retry certain write operations ` a single time, providing additional built-in handling of automatic failovers and elections: -- MongoDB 4.2-compatible drivers enable retryable writes by default +- MongoDB 4.2+ compatible drivers enable retryable writes by default - MongoDB 4.0 and 3.6-compatible drivers must explicitly enable retryable writes by including :urioption:`retryWrites=true ` in the :ref:`connection string `. \ No newline at end of file diff --git a/source/reference/connection-string.txt b/source/reference/connection-string.txt index e1f78536776..85d0c475cf9 100644 --- a/source/reference/connection-string.txt +++ b/source/reference/connection-string.txt @@ -334,8 +334,8 @@ Connection options are pairs in the following form: ``name=value``. - The option ``name`` is case insensitive when using a driver. -- The option ``name`` is case insensitive when using a version 4.2+ - :binary:`~bin.mongo` shell. +- The option ``name`` is case insensitive when using a version 4.2 or + later :binary:`~bin.mongo` shell. - The option ``name`` is case sensitive when using a version 4.0 and earlier :binary:`~bin.mongo` shell. @@ -1190,7 +1190,7 @@ Miscellaneous Configuration - ``true``. Enables retryable writes for the connection. - Official MongoDB 4.2-compatible drivers default to ``true``. + Official MongoDB 4.2+ compatible drivers default to ``true``. - ``false``. Disables retryable writes for the connection. diff --git a/source/reference/method/js-client-side-field-level-encryption.txt b/source/reference/method/js-client-side-field-level-encryption.txt index 22c232f37c7..32508665d34 100644 
--- a/source/reference/method/js-client-side-field-level-encryption.txt +++ b/source/reference/method/js-client-side-field-level-encryption.txt @@ -16,9 +16,9 @@ Client-Side Field Level Encryption Methods The following methods are for the MongoDB :binary:`~bin.mongo` shell *only*. For instructions on implementing client-side field level -encryption using a MongoDB 4.2-compatible driver, defer to the +encryption using a MongoDB 4.2+ compatible driver, defer to the driver documentation. See :ref:`field-level-encryption-drivers` for -a complete list of 4.2-compatible drivers with support for +a complete list of 4.2+ compatible drivers with support for client-side field level encryption. .. list-table:: diff --git a/source/reference/security-client-side-automatic-json-schema.txt b/source/reference/security-client-side-automatic-json-schema.txt index 467afcaaaf6..0b5ee2f3748 100644 --- a/source/reference/security-client-side-automatic-json-schema.txt +++ b/source/reference/security-client-side-automatic-json-schema.txt @@ -45,11 +45,11 @@ information (PII) that must be protected from unauthorized viewing on both the client *and* the server. The following automatic encryption rules for the ``hr.employees`` collection mark the ``taxid`` and ``taxid-short`` fields for automatic client-side field level encryption. -Official MongoDB 4.2-compatible :ref:`drivers -` and the 4.2 :binary:`~bin.mongo` shell -configured with these rules automatically encrypt the ``taxid`` -and ``taxid-short`` fields for write or read operations to the -``hr.employees`` collection. +Official MongoDB 4.2+ compatible :ref:`drivers +` and the 4.2 or later +:binary:`~bin.mongo` shell configured with these rules automatically +encrypt the ``taxid`` and ``taxid-short`` fields for write or read +operations to the ``hr.employees`` collection. .. code-block:: json :emphasize-lines: 5-9, 12-16 
@@ -76,14 +76,14 @@ and ``taxid-short`` fields for write or read operations to the } } -- For the MongoDB 4.2 shell, use the :method:`Mongo` constructor +- For the MongoDB 4.2+ shell, use the :method:`Mongo` constructor to create the database connection with the automatic encryption rules included as part of the client-side field level encryption :ref:`configuration object `. See :ref:`mongo-connection-automatic-client-side-encryption-enabled` for an example. -- For the official MongoDB 4.2-compatible drivers, use the +- For the official MongoDB 4.2+ compatible drivers, use the driver-specific database connection constructor (e.g. ``MongoClient``) to create the database connection with the automatic encryption rules included as part of the client-side field level encryption @@ -250,7 +250,7 @@ and ``taxid-short`` fields for write or read operations to the If the specified data encryption key does not exist, automatic encryption fails. - Official MongoDB 4.2-compatible drivers have language-specific + Official MongoDB 4.2+ compatible drivers have language-specific requirements for specifying the UUID. Defer to the :ref:`driver documentation ` for complete documentation on implementing client-side field @@ -348,7 +348,7 @@ and ``taxid-short`` fields for write or read operations to the exist *or* if the client cannot decrypt the key with the specified KMS and CMK. - Official MongoDB 4.2-compatible drivers have language-specific + Official MongoDB 4.2+ compatible drivers have language-specific requirements for specifying the UUID. Defer to the :ref:`driver documentation ` for complete documentation on implementing client-side field 
@@ -485,18 +485,18 @@ encryption rules specified :autoencryptkeyword:`encrypt` or ``medicalRecords.additionalItems``, automatic field level encryption fails and returns an errors. -The official MongoDB 4.2-compatible drivers and the +The official MongoDB 4.2+ compatible drivers and the :binary:`~bin.mongo` shell require specifying the automatic encryption rules as part of creating the database connection object: -- For the MongoDB 4.2 shell, use the :method:`Mongo()` constructor - to create a database connection. Specify the automatic encryption - rules to the ``schemaMap`` key of the +- For the MongoDB 4.2 or later shell, use the :method:`Mongo()` + constructor to create a database connection. Specify the automatic + encryption rules to the ``schemaMap`` key of the :ref:`ClientSideFieldLevelEncryptionOptions` parameter. See :ref:`mongo-connection-automatic-client-side-encryption-enabled` for a complete example. -- For the official MongoDB 4.2-compatible drivers, use the +- For the official MongoDB 4.2+ compatible drivers, use the driver-specific database connection constructor (e.g. ``MongoClient``) to create the database connection with the automatic encryption rules included as part of the client-side field level encryption 
@@ -633,18 +633,18 @@ encryption rules specified :autoencryptkeyword:`encrypt` or ``medicalRecords.additionalItems``, automatic field level encryption fails and returns an errors. -The official MongoDB 4.2-compatible drivers and the +The official MongoDB 4.2+ compatible drivers and the :binary:`~bin.mongo` shell require specifying the automatic encryption rules as part of creating the database connection object: -- For the MongoDB 4.2 shell, use the :method:`Mongo()` constructor - to create a database connection. Specify the automatic encryption - rules to the ``schemaMap`` key of the +- For the MongoDB 4.2 or later shell, use the :method:`Mongo()` + constructor to create a database connection. Specify the automatic + encryption rules to the ``schemaMap`` key of the :ref:`ClientSideFieldLevelEncryptionOptions` parameter. See :ref:`mongo-connection-automatic-client-side-encryption-enabled` for a complete example. -- For the official MongoDB 4.2-compatible drivers, use the +- For the official MongoDB 4.2+ compatible drivers, use the driver-specific database connection constructor (e.g. ``MongoClient``) to create the database connection with the automatic encryption rules included as part of the client-side field level encryption diff --git a/source/reference/security-client-side-encryption-appendix.txt b/source/reference/security-client-side-encryption-appendix.txt index 68c3f9951a5..c05a8592001 100644 --- a/source/reference/security-client-side-encryption-appendix.txt +++ b/source/reference/security-client-side-encryption-appendix.txt @@ -15,7 +15,8 @@ Appendix ``mongocryptd`` is required for :ref:`automatic field level encryption ` and is included as a component in the :doc:`MongoDB Enterprise Server -` package. ``mongocryptd`` performs +` package, or separately as the +``mongodb-enterprise-cryptd`` package. ``mongocryptd`` performs the following: - Parses the :ref:`automatic encryption rules 
@@ -33,26 +34,37 @@ the following: :doc:`/reference/security-client-side-query-aggregation-support` for more information. -``mongocryptd`` is only responsible for supporting automatic -client-side field level encryption and does *not* perform encryption -or decryption. MongoDB 4.2-compatible drivers use the Apache-licensed -`libmongocrypt `__ -library for performing client-side field level encryption and -automatic decryption. +``mongocryptd`` is only responsible for the above functions, and does +not perform any of the following: -The official MongoDB 4.2-compatible drivers and the 4.2 +- ``mongocryptd`` *does not* perform encryption or decryption itself +- ``mongocryptd`` *does not* access any encryption key material +- ``mongocryptd`` *does not* listen over the network + +Drivers compatible with MongoDB 4.2 and later use the +Apache-licensed `libmongocrypt +`__ library for performing +client-side field level encryption and automatic decryption. + +The official MongoDB 4.2+ compatible drivers and the 4.2 or later :binary:`~bin.mongo` shell require access to the ``mongocryptd`` process -on the client host machine. The 4.2-compatible drivers and 4.2 -:binary:`~bin.mongo` shell by default search for the ``mongocryptd`` -process in the system PATH. See :ref:`mongocryptd-installation` for more +on the client host machine. The 4.2+ compatible drivers and 4.2 or later +:binary:`~bin.mongo` shell search for the ``mongocryptd`` process in the +system PATH by default. See :ref:`mongocryptd-installation` for the complete documentation on installing ``mongocryptd``. -If the 4.2-compatible driver has access to the ``mongocryptd`` process, +Usage +~~~~~ + +If the 4.2+ compatible driver has access to the ``mongocryptd`` process, by default the driver manages the spawning of the ``mongocryptd`` -process. The 4.2-compatible drivers may have additional options for +process. 
The 4.2+ compatible drivers may have additional options for specifying the path to or the spawning behavior of the ``mongocryptd`` process. +If possible, we recommend that ``mongocryptd`` be started on boot, +rather than launched on demand. + .. _mongocryptd-installation: Installation diff --git a/source/reference/security-client-side-encryption-limitations.txt b/source/reference/security-client-side-encryption-limitations.txt index 6354ce6ce72..a0be85aa96b 100644 --- a/source/reference/security-client-side-encryption-limitations.txt +++ b/source/reference/security-client-side-encryption-limitations.txt @@ -51,7 +51,7 @@ creating a view on a collection containing client-side field level encrypted values, avoid operating on encrypted fields to mitigate the risk of unexpected or incorrect results. -While 4.2-compatible drivers configured for automatic client-side field +While 4.2+ compatible drivers configured for automatic client-side field level encryption have :doc:`validation ` for unsupported read and write operations, the underlying support library @@ -75,7 +75,7 @@ collations or collection default :doc:`collations and prevents normal collation behavior. Collation-sensitive queries against encrypted fields may return unexpected or incorrect results. -While 4.2-compatible drivers configured for automatic client-side field +While 4.2+ compatible drivers configured for automatic client-side field level encryption have :doc:`validation ` for unsupported read and write operations, the underlying support library @@ -98,7 +98,7 @@ decrypted value itself is not unique. The collection can therefore contain multiple documents with duplicate decrypted values for a field with an index-enforced unique constraint. -While 4.2-compatible drivers configured for automatic client-side field +While 4.2+ compatible drivers configured for automatic client-side field level encryption have :doc:`validation ` for unsupported read and write operations, the underlying support library 
@@ -114,7 +114,7 @@ Specifying a :ref:`shard key ` on encrypted fields *or* encrypting fields of an existing shard key may result in unexpected or incorrect sharding behavior. -While 4.2-compatible drivers configured for automatic client-side field +While 4.2+ compatible drivers configured for automatic client-side field level encryption have :doc:`validation ` for unsupported read and write operations, the underlying support library diff --git a/source/reference/security-client-side-query-aggregation-support.txt b/source/reference/security-client-side-query-aggregation-support.txt index 4454d4f8f37..afa7fd045b1 100644 --- a/source/reference/security-client-side-query-aggregation-support.txt +++ b/source/reference/security-client-side-query-aggregation-support.txt @@ -16,7 +16,7 @@ Read/Write Support with Automatic Field Level Encryption This page documents the specific commands, query operators, update operators, aggregation stages, and aggregation expressions supported by -4.2-compatible drivers configured for automatic client-side field level +4.2+ compatible drivers configured for automatic client-side field level encryption. MongoDB stores client-side field level encrypted fields as a @@ -26,7 +26,7 @@ behavior as compared to issuing that same operation against the decrypted value. Certain operations have strict BSON type support where issuing them against a ``BinData`` value returns an error. -- Official 4.2-compatible drivers using automatic client-side field +- Official 4.2+ compatible drivers using automatic client-side field level encryption parse read/write operations for operators or expressions that do not support ``BinData`` values *or* that have abnormal behavior when issued against ``BinData`` values. 
@@ -40,7 +40,7 @@ where issuing them against a ``BinData`` value returns an error. Supported Read and Write Commands --------------------------------- -Official MongoDB 4.2-compatible drivers support +Official MongoDB 4.2+ compatible drivers support :ref:`automatic client-side field level encryption ` with the following commands: @@ -54,7 +54,7 @@ Official MongoDB 4.2-compatible drivers support - :dbcommand:`insert` - :dbcommand:`update` -For any supported command, 4.2-compatible drivers return an error +For any supported command, 4.2+ compatible drivers return an error if the command uses an unsupported operator, aggregation stage, or aggregation expression: @@ -64,7 +64,7 @@ aggregation expression: - :ref:`Supported Aggregation Stages ` The following commands do not require automatic encryption. Official -MongoDB 4.2-compatible drivers configured for automatic client-side +MongoDB 4.2+ compatible drivers configured for automatic client-side field level encryption pass these commands directly to the :binary:`~bin.mongod`: @@ -90,7 +90,7 @@ field level encryption pass these commands directly to the - :dbcommand:`ping` Issuing any other :ref:`command ` through a -4.2-compatible driver configured for automatic client-side field level +4.2+ compatible driver configured for automatic client-side field level encryption returns an error. .. [#] @@ -109,7 +109,7 @@ encryption returns an error. Supported Query Operators ------------------------- -Official 4.2-compatible drivers configured for automatic client-side +Official 4.2+ compatible drivers configured for automatic client-side field level encryption allow the following query operators when issued against :ref:`deterministically ` encrypted fields: 
@@ -147,7 +147,7 @@ against an encrypted field: Supported Update Operators -------------------------- -Official 4.2-compatible drivers configured for automatic client-side +Official 4.2+ compatible drivers configured for automatic client-side field level encryption allow the following update operators when issued against :ref:`deterministically ` encrypted fields: @@ -182,7 +182,7 @@ filter must use only :ref:`supported operators Unsupported Insert Operations ----------------------------- -Official MongoDB 4.2-compatible drivers configured for :ref:`automatic +Official MongoDB 4.2+ compatible drivers configured for :ref:`automatic client-side field level encryption ` do *not* support insert commands with the following behavior: @@ -208,7 +208,7 @@ do *not* support insert commands with the following behavior: Supported Aggregation Stages ---------------------------- -Official MongoDB 4.2-compatible drivers configured for +Official MongoDB 4.2+ compatible drivers configured for :ref:`automatic client-side field level encryption ` support the following aggregation pipeline stages: @@ -278,7 +278,7 @@ reference a different ``from`` collection return an error. Supported Aggregation Expressions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Official 4.2-compatible drivers configured for automatic client-side +Official 4.2+ compatible drivers configured for automatic client-side field level encryption allow aggregation stages using the following expressions against :ref:`deterministically ` encrypted fields: @@ -406,7 +406,7 @@ Aggregation stages with the following behavior throw an error Unsupported Field Types ----------------------- -Official MongoDB 4.2-compatible drivers configured for +Official MongoDB 4.2+ compatible drivers configured for :ref:`automatic client-side field level encryption ` do *not* support any read or write operation that requires encrypting the following value types: 
diff --git a/source/release-notes/4.2-upgrade-replica-set.txt b/source/release-notes/4.2-upgrade-replica-set.txt index a2932ccf8fe..cab233cff2c 100644 --- a/source/release-notes/4.2-upgrade-replica-set.txt +++ b/source/release-notes/4.2-upgrade-replica-set.txt @@ -36,7 +36,7 @@ cluster with a three-member PSA shards. .. include:: /includes/extracts/changestream-disable-rc-majority.rst When upgraded to 4.2 with read concern "majority" disabled, you can - use change stream for your deployment. + use change streams for your deployment. For more information, see :ref:`disable-read-concern-majority`. @@ -159,7 +159,7 @@ Post Upgrade ``TLS`` Options Replace Deprecated ``SSL`` Options .. include:: /includes/extracts/4.2-changes-options-tls-ssl-upgrade.rst -4.2-Compatible Drivers Retry Writes by Default +4.2+ compatible Drivers Retry Writes by Default .. include:: /includes/extracts/4.2-changes-drivers-retryWrites-default.rst Additional Upgrade Procedures diff --git a/source/release-notes/4.2-upgrade-sharded-cluster.txt b/source/release-notes/4.2-upgrade-sharded-cluster.txt index 891196dec79..dc1d2f70b92 100644 --- a/source/release-notes/4.2-upgrade-sharded-cluster.txt +++ b/source/release-notes/4.2-upgrade-sharded-cluster.txt @@ -197,7 +197,7 @@ Post Upgrade ``TLS`` Options Replace Deprecated ``SSL`` Options .. include:: /includes/extracts/4.2-changes-options-tls-ssl-upgrade.rst -4.2-Compatible Drivers Retry Writes by Default +4.2+ compatible Drivers Retry Writes by Default .. include:: /includes/extracts/4.2-changes-drivers-retryWrites-default.rst PowerPC and Hashed Index Value of 2\ :sup:`63` diff --git a/source/release-notes/4.2-upgrade-standalone.txt b/source/release-notes/4.2-upgrade-standalone.txt index 114ee2f2e5f..f94cce39b8b 100644 --- a/source/release-notes/4.2-upgrade-standalone.txt +++ b/source/release-notes/4.2-upgrade-standalone.txt 
@@ -97,7 +97,7 @@ Post Upgrade ``TLS`` Options Replace Deprecated ``SSL`` Options .. include:: /includes/extracts/4.2-changes-options-tls-ssl-upgrade.rst -4.2-Compatible Drivers Retry Writes by Default +4.2+ compatible Drivers Retry Writes by Default .. include:: /includes/extracts/4.2-changes-drivers-retryWrites-default.rst diff --git a/source/release-notes/4.2.txt b/source/release-notes/4.2.txt index 1858822c8d7..a77ff34f86e 100644 --- a/source/release-notes/4.2.txt +++ b/source/release-notes/4.2.txt @@ -540,16 +540,17 @@ The following drivers are feature compatible [#fle]_ with MongoDB 4.2: .. [#fle] - For a complete list of official 4.2-compatible drivers with + For a complete list of official 4.2+ compatible drivers with support for Client-Side Field Level Encryption, see :ref:`field-level-encryption-drivers`. Retryable Reads ~~~~~~~~~~~~~~~ -Retryable reads allow MongoDB 4.2-compatible drivers to automatically retry certain -read operations a single time if they encounter certain network or -server errors. See :ref:`retryable-reads` for more information. +Retryable reads allow MongoDB 4.2+ compatible drivers to automatically +retry certain read operations a single time if they encounter certain +network or server errors. See :ref:`retryable-reads` for more +information. Sharded Clusters ---------------- @@ -754,7 +755,7 @@ For more information, see :ref:`encrypted storage engine Client-Side Field Level Encryption ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -The official :ref:`MongoDB 4.2-compatible drivers +The official :ref:`MongoDB 4.2+ compatible drivers ` provide a client-side field level encryption framework. Applications can encrypt fields in documents *prior* to transmitting data over the wire to the server. Only 
@@ -762,17 +763,17 @@ applications with access to the correct encryption keys can decrypt and read the protected data. Deleting an encryption key renders all data encrypted with that key as permanently unreadable. -For a complete list of official 4.2-compatible drivers with support +For a complete list of official 4.2+ compatible drivers with support for client-side field level encryption, see :ref:`field-level-encryption-drivers`. For an end-to-end procedure for configuring field level encryption using -select MongoDB 4.2-compatible drivers, see the -:ecosystem:`Client Side Field Level Encryption Guide -`. +select MongoDB 4.2+ compatible drivers, see the +:driver:`Client Side Field Level Encryption Guide +`. Explicit (manual) encryption of fields - Official MongoDB 4.2-compatible drivers and the MongoDB 4.2 + Official MongoDB 4.2+ compatible drivers and the MongoDB 4.2 or later :binary:`~bin.mongo` shell support explicitly encrypting or decrypting fields with a specific data encryption key and encryption algorithm. @@ -788,7 +789,7 @@ Explicit (manual) encryption of fields Automatic encryption of fields .. include:: /includes/extracts/csfle-enterprise-atlas-only.rst - Official MongoDB 4.2-compatible drivers and the MongoDB 4.2 + Official MongoDB 4.2+ compatible drivers and the MongoDB 4.2 or later :binary:`~bin.mongo` shell support automatically encrypting fields in read and write operations.
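
Review bot: the hunks at -109, -147 and -278 of the supported-operations file keep "Official 4.2+ compatible drivers" while the other hunks there (-40, -64, -182, -208, -406) say "Official MongoDB 4.2+ compatible drivers". Since every one of these lines is already being rewritten, use one form throughout. The same applies to the sentence-initial "4.2+ compatible drivers return an error" at -54 and the "4.2+ compatible driver configured for" line at -90, which would read better with a leading article or "MongoDB".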
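
Review bot: in 4.2-upgrade-replica-set.txt (-159), 4.2-upgrade-sharded-cluster.txt (-197) and 4.2-upgrade-standalone.txt (-97), the new term "4.2+ compatible Drivers Retry Writes by Default" has a lowercase "compatible" inside an otherwise title-cased line. The old text was "4.2-Compatible Drivers Retry Writes by Default", and the neighbouring term "``TLS`` Options Replace Deprecated ``SSL`` Options" is title-cased. Suggest "4.2+ Compatible Drivers Retry Writes by Default" in all three files.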
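
Review bot: in source/release-notes/4.2.txt (hunk at -762), the role on the "Client Side Field Level Encryption Guide" link changes from :ecosystem: to :driver:. That is a functional change to link resolution, not part of the "4.2-compatible" to "4.2+ compatible" rewording. Mention it in the commit message or split it into its own commit, and confirm the docs build resolves the :driver: target, since this link is the only pointer in this section to the end-to-end encryption setup procedure. The "change stream" to "change streams" fix in 4.2-upgrade-replica-set.txt (-36) is likewise unrelated to the rename and worth a line in the commit message.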