Client-Side Encryption
======================
.. default-domain:: mongodb
.. note::
The following examples use a local master key; however, other key providers
such as AWS KMS are also an option. This master key is used to encrypt data
keys that are stored locally. It is important that you keep this key secure.
.. code-block:: php
<?php
use MongoDB\BSON\Binary;
use MongoDB\Client;
use MongoDB\Driver\ClientEncryption;

/* Options for a ClientEncryption object backed by the "local" KMS provider.
 * $localKey is defined outside this excerpt: it is the master key that wraps
 * the data keys, so (as the note above says) it must be kept secure -- load it
 * from a secrets store rather than embedding it in source or configuration
 * that is checked in. */
$clientEncryptionOpts = [
    // database.collection that holds the (master-key-encrypted) data keys.
    'keyVaultNamespace' => 'encryption.__keyVault',
    'kmsProviders' => [
        // "local" provider: the master key is handed to the driver in-process.
        'local' => ['key' => $localKey],
    ],
];
.. note::
.. code-block:: php
<?php
use MongoDB\BSON\Binary;
use MongoDB\Client;
use MongoDB\Driver\ClientEncryption;

// $client is a Client created outside this excerpt (no auto encryption).
$database = $client->selectDatabase('test');
$database->dropCollection('coll'); // remove old data

// This uses the key ID from the first example. The key ID could be read from
// a configuration file.
$keyId = readDataKey();

/* Create the collection with a server-side $jsonSchema validator whose
 * "encrypt" keyword marks "encryptedField" as encrypted. A client configured
 * for automatic encryption presumably picks this schema up from the server;
 * compare the client-side "schemaMap" used in the next example. */
$database->createCollection('coll', [
    'validator' => [
        '$jsonSchema' => [
            'bsonType' => 'object',
            'properties' => [
                'encryptedField' => [
                    'encrypt' => [
                        'keyId' => [$keyId],
                        'bsonType' => 'string',
                        // Deterministic: equal plaintexts produce equal ciphertexts.
                        // That is what allows equality matching on the field, but it
                        // also reveals value equality/frequency to anyone who can read
                        // the stored ciphertext. For fields that are never queried,
                        // ClientEncryption::AEAD_AES_256_CBC_HMAC_SHA_512_RANDOM leaks less.
                        'algorithm' =>
                            ClientEncryption::AEAD_AES_256_CBC_HMAC_SHA_512_DETERMINISTIC,
                    ],
                ],
            ],
        ],
    ],
]);

// NOTE(review): $encryptionOpts is not defined in this excerpt. The value
// passed as 'autoEncryption' is presumably the automatic-encryption options
// array (keyVaultNamespace + kmsProviders, cf. $autoEncryptionOpts in the
// next example) -- confirm against the complete example.
$encryptedClient = new Client('mongodb://127.0.0.1', [], ['autoEncryption' =>
    $encryptionOpts]);

// $collection is selected outside this excerpt; presumably it comes from
// $encryptedClient, so findOne() returns the document with encryptedField
// already decrypted. A collection from the plain $client would return ciphertext.
var_dump($collection->findOne([]));
.. note::
.. code-block:: php
<?php
use MongoDB\BSON\Binary;
use MongoDB\Client;
use MongoDB\Driver\ClientEncryption;

// This uses the key ID from the first example. The key ID could be read from
// a configuration file.
$keyId = readDataKey();

/* Automatic-encryption options with a client-side schema map. Because the
 * schema is supplied by the client rather than read from the server, a change
 * to (or removal of) the collection validator on the server cannot switch
 * encryption off for "test.coll"; the client still encrypts per this map. */
$autoEncryptionOpts = [
    // database.collection that holds the (master-key-encrypted) data keys.
    'keyVaultNamespace' => 'encryption.__keyVault',
    'kmsProviders' => [
        // "local" provider; $localKey is the master key, defined outside this
        // excerpt and to be kept secret (see the note at the top of the page).
        'local' => ['key' => $localKey],
    ],
    'schemaMap' => [
        'test.coll' => [
            'bsonType' => 'object',
            'properties' => [
                'encryptedField' => [
                    'encrypt' => [
                        'keyId' => [$keyId],
                        'bsonType' => 'string',
                        // Deterministic: equal plaintexts give equal ciphertexts, which
                        // enables equality queries but exposes equality/frequency of the
                        // stored values. Use the _RANDOM variant where querying is not needed.
                        'algorithm' =>
                            ClientEncryption::AEAD_AES_256_CBC_HMAC_SHA_512_DETERMINISTIC,
                    ],
                ],
            ],
        ],
    ],
];

// $collection is selected outside this excerpt; presumably from a Client
// constructed with ['autoEncryption' => $autoEncryptionOpts], so the returned
// document has encryptedField decrypted.
var_dump($collection->findOne([]));
In the MongoDB Community Edition, you will have to manually encrypt values
before storing them in the database. The following example assumes that you have
already created an encryption key in the key vault collection and explicitly
encrypts and decrypts values in the document.
.. code-block:: php
<?php
use MongoDB\BSON\Binary;
use MongoDB\Client;
use MongoDB\Driver\ClientEncryption;

/* Explicit (manual) encryption: the application encrypts and decrypts field
 * values itself via a ClientEncryption object; the Client used for reads and
 * writes is a plain one and never encrypts or decrypts on its own. */
$clientEncryptionOpts = [
    // database.collection that holds the (master-key-encrypted) data keys.
    'keyVaultNamespace' => 'encryption.__keyVault',
    'kmsProviders' => [
        // "local" provider; $localKey is the master key, defined outside this
        // excerpt and to be kept secret (see the note at the top of the page).
        'local' => ['key' => $localKey],
    ],
];

// This uses the key ID from the first example. The key ID could be read from
// a configuration file.
$keyId = readDataKey();

// Per-value encryption options: which data key to use and which algorithm.
$encryptionOpts = [
    'keyId' => $keyId,
    // Deterministic: equal plaintexts give equal ciphertexts, which allows
    // equality matching on the stored value but also reveals equality/frequency
    // to anyone who can read the ciphertext.
    'algorithm' =>
        ClientEncryption::AEAD_AES_256_CBC_HMAC_SHA_512_DETERMINISTIC,
];

// $clientEncryption is created outside this excerpt, presumably via
// $client->createClientEncryption($clientEncryptionOpts). encrypt() returns the
// ciphertext (a Binary); the insert that stores $encryptedValue is not shown here.
$encryptedValue = $clientEncryption->encrypt('123456789', $encryptionOpts);

// $collection is selected outside this excerpt from a client without auto
// encryption, so encryptedField comes back as ciphertext and must be decrypted
// explicitly with the same ClientEncryption object.
$document = $collection->findOne();
var_dump($clientEncryption->decrypt($document->encryptedField));
Referencing Encryption Keys by an Alternative Name
--------------------------------------------------
.. code-block:: php
<?php
use MongoDB\BSON\Binary;
use MongoDB\Client;
use MongoDB\Driver\ClientEncryption;

/* Same ClientEncryption setup as the explicit-encryption example. NOTE(review):
 * the section title refers to encrypting with a key alternative name
 * ("keyAltName" instead of "keyId" in the encrypt() options), but the
 * encrypt() call itself is not present in this excerpt. */
$clientEncryptionOpts = [
    // database.collection that holds the (master-key-encrypted) data keys.
    'keyVaultNamespace' => 'encryption.__keyVault',
    'kmsProviders' => [
        // "local" provider; $localKey is the master key, defined outside this
        // excerpt and to be kept secret (see the note at the top of the page).
        'local' => ['key' => $localKey],
    ],
];

// $collection and $clientEncryption are created outside this excerpt.
// decrypt() needs no key reference: the data key is identified from the
// ciphertext itself and resolved through the key vault.
$document = $collection->findOne();
var_dump($clientEncryption->decrypt($document->encryptedField));
.. note::
Automatic queryable encryption is an enterprise-only feature and requires
MongoDB 6.0+.
The following example uses a local key; however, other key providers such as AWS
are also an option. The data in the ``encryptedIndexed`` and
``encryptedUnindexed`` fields is automatically encrypted on insertion and
decrypted on the client side when querying. Additionally, equality queries on
the ``encryptedIndexed`` field are possible (see the ``queries`` option below).
.. code-block:: php
<?php
use MongoDB\BSON\Binary;
use MongoDB\Client;
$encryptionOpts = [
'keyVaultNamespace' => 'encryption.__keyVault',
'kmsProviders' => ['local' => ['key' => $localKey]],
];
$autoEncryptionOpts = [
'keyVaultNamespace' => 'encryption.__keyVault',
'kmsProviders' => ['local' => ['key' => $localKey]],
'encryptedFieldsMap' => [
'test.coll' => [
'fields' => [
[
'path' => 'encryptedIndexed',
'bsonType' => 'string',
'keyId' => $dataKeyId1,
'queries' => ['queryType' => 'equality'],
],
[
'path' => 'encryptedUnindexed',
'bsonType' => 'string',
'keyId' => $dataKeyId2,
],
],
],
],
];
/* Drop and create the collection under test. The createCollection() helper
* will reference the client's encryptedFieldsMap and create additional,
* internal collections automatically. */
$encryptedClient->selectDatabase('test')->dropCollection('coll');
$encryptedClient->selectDatabase('test')->createCollection('coll');
$encryptedCollection = $encryptedClient->selectCollection('test', 'coll');
$encryptedCollection->insertOne([
'_id' => 1,
'encryptedIndexed' => $indexedValue,
'encryptedUnindexed' => $unindexedValue,
]);
/* Using a client without auto encryption, query for the same document and
* assert that encrypted data is returned. The encryptedIndexed and
* encryptedUnindexed fields should both be Binary objects. */
$unencryptedCollection = $client->selectCollection('test', 'coll');