Docs Home → Develop Applications → MongoDB Manual
Use Automatic Client-Side Field Level Encryption with AWS
On this page
- Overview
- Before You Get Started
- Set Up the KMS
- Create the Customer Master Key
- Create an AWS IAM User
- Create the Application
- Create a Unique Index on your Key Vault collection
- Create a New Data Encryption Key
- Configure the MongoClient
- Insert a Document with Encrypted Fields
- Retrieve Your Document with Encrypted Fields
- Learn More
Overview
This guide shows you how to build a Client-Side Field Level Encryption (CSFLE)-enabled application using Amazon Web Services (AWS) KMS.
After you complete the steps in this guide, you should have:
A Customer Master Key hosted on an AWS KMS instance.
A working client application that inserts documents with encrypted fields using your Customer Master Key.
Before You Get Started
To complete and run the code in this guide, you need to set up your development environment as shown in the Installation Requirements page.
Throughout this guide, code examples use placeholder text. Before you run the examples, substitute your own values for these placeholders.
For example:
dek_id := "<Your Base64 DEK ID>"
You would replace everything between quotes with your DEK ID.
dek_id := "abc123"
Select the programming language for which you want to see code examples for from the Select your language dropdown menu on the right side of the page.
Tip
See: Full Application
To view the complete runnable application code for this tutorial, go to the following link:
Set Up the KMS
Create the Customer Master Key
Log in to your AWS Management Console.
Navigate to the AWS KMS Console.
Create your Customer Master Key
Create a new symmetric key by following the official AWS documentation on Creating symmetric KMS keys. The key you create is your Customer Master Key. Choose a name and description that helps you identify it; these fields do not affect the functionality or configuration of your CMK.
In the Usage Permissions step of the key generation process, apply the following default key policy that enables Identity and Access Management (IAM) policies to grant access to your Customer Master Key:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": "<ARN of your AWS account principal>" }, "Action": "kms:*", "Resource": "*" } ] }
Important
Record the Amazon Resource Name (ARN) and Region of your Customer Master Key. You will use these in later steps of this guide.
Tip
Learn More
To learn more about your Customer Master Keys, see Keys and Key Vaults.
To learn more about key policies, see Key Policies in AWS KMS in the official AWS documentation.
Create an AWS IAM User
Navigate to the AWS IAM Console.
Create an IAM User
Create a new programmatic IAM user in the AWS management console by following the official AWS documentation on Adding a User. You will use this IAM user as a service account for your CSFLE-enabled application. Your application authenticates with AWS KMS using the IAM user to encrypt and decrypt your Data Encryption Keys (DEKs) with your Customer Master Key (CMK).
Important
Record your Credentials
Ensure you record the following IAM credentials in the final step of creating your IAM user:
access key ID
secret access key
You have one opportunity to record these credentials. If you do not record these credentials during this step, you must create another IAM user.
Grant Permissions
Grant your IAM user kms:Encrypt and kms:Decrypt permissions for
your remote master key.
Important
The new client IAM user should not have administrative permissions for the master key. To keep your data secure, follow the principle of least privilege.
The following inline policy allows an IAM user to encrypt and decrypt with the Customer Master Key with the least privileges possible:
Note
Remote Master Key ARN
The following policy requires the ARN of the key you generate in the Create the Master Key step of this guide.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["kms:Decrypt", "kms:Encrypt"], "Resource": "<the Amazon Resource Name (ARN) of your remote master key>" } ] }
To apply the preceding policy to your IAM user, follow the Adding IAM identity permissions guide in the AWS documentation.
Important
Authenticate with IAM Roles in Production
When deploying your CSFLE-enabled application to a production environment, authenticate your application by using an IAM role instead of an IAM user.
To learn more about IAM roles, see the following pages in the official AWS documentation:
Create the Application
Create a Unique Index on your Key Vault collection
Create a unique index on the keyAltNames field in your
encryption.__keyVault namespace.
Select the tab corresponding to your preferred MongoDB driver:
Create a New Data Encryption Key
Add your AWS KMS Credentials
Add the service account credentials to your CSFLE-enabled client code.
Add Your Key Information
Update the following code to specify your Customer Master Key:
Tip
You recorded your Customer Master Key's ARN and Region in the Create a Customer Master Key step of this guide.
Generate your Data Encryption Key
Generate your Data Encryption Key using the variables declared in step one of this tutorial.
Tip
Learn More
To view a diagram showing how your client application creates your Data Encryption Key when using an AWS KMS, see Architecture.
To learn more about the options for creating a Data Encryption Key encrypted with a Customer Master Key hosted in AWS KMS, see dataKeyOpts Object.
Tip
See: Complete Code
Configure the MongoClient
Tip
Follow the remaining steps in this tutorial in a separate file from the one created in the previous steps.
Specify the Key Vault Collection Namespace
Specify encryption.__keyVault as the Key Vault collection
namespace.
Specify your AWS Credentials
Specify the aws KMS provider and your IAM user
credentials:
Important
Reminder: Authenticate with IAM Roles in Production
To use an IAM role instead of an IAM user to authenticate your application, specify an empty object for your credentials in your KMS provider object. This instructs the driver to automatically retrieve the credentials from the environment:
Create an Encryption Schema For Your Collection
Tip
Add Your Data Encryption Key Base64 ID
Make sure to update the following code to include your Base64 DEK ID. You received this value in the Generate your Data Encryption Key step of this guide.
Specify the Location of the Automatic Encryption Shared Library
Note
Automatic Encryption Options
The automatic encryption options provide configuration information to the Automatic Encryption Shared Library, which modifies the application's behavior when accessing encrypted fields.
To learn more about the Automatic Encryption Shared Library, see the Automatic Encryption Shared Library for CSFLE page.
Create the MongoClient
Instantiate a MongoDB client object with the following automatic encryption settings that use the variables declared in the previous steps:
Insert a Document with Encrypted Fields
Use your CSFLE-enabled
MongoClient instance to insert a document with encrypted fields into the
medicalRecords.patients namespace using the following code
snippet:
When you insert a document, your CSFLE-enabled client encrypts the fields of your document such that it resembles the following:
{ "_id": { "$oid": "<_id of your document>" }, "name": "Jon Doe", "ssn": { "$binary": "<cipher-text>", "$type": "6" }, "bloodType": { "$binary": "<cipher-text>", "$type": "6" }, "medicalRecords": { "$binary": "<cipher-text>", "$type": "6" }, "insurance": { "provider": "MaestCare", "policyNumber": { "$binary": "<cipher-text>", "$type": "6" } } }
Tip
See: Complete Code
Retrieve Your Document with Encrypted Fields
Retrieve the document with encrypted fields you inserted in the Insert a Document with Encrypted Fields step of this guide.
To show the functionality of CSFLE, the following code snippet queries for your document with a client configured for automatic CSFLE as well as a client that is not configured for automatic CSFLE.
The output of the preceding code snippet should look like this:
Finding a document with regular (non-encrypted) client. { _id: new ObjectId("629a452e0861b3130887103a"), name: 'Jon Doe', ssn: new Binary(Buffer.from("0217482732d8014cdd9ffdd6e2966e5e7910c20697e5f4fa95710aafc9153f0a3dc769c8a132a604b468732ff1f4d8349ded3244b59cbfb41444a210f28b21ea1b6c737508d9d30e8baa30c1d8070c4d5e26", "hex"), 6), bloodType: new Binary(Buffer.from("0217482732d8014cdd9ffdd6e2966e5e79022e238536dfd8caadb4d7751ac940e0f195addd7e5c67b61022d02faa90283ab69e02303c7e4001d1996128428bf037dea8bbf59fbb20c583cbcff2bf3e2519b4", "hex"), 6), 'key-id': 'demo-data-key', medicalRecords: new Binary(Buffer.from("0217482732d8014cdd9ffdd6e2966e5e790405163a3207cff175455106f57eef14e5610c49a99bcbd14a7db9c5284e45e3ee30c149354015f941440bf54725d6492fb3b8704bc7c411cff6c868e4e13c58233c3d5ed9593eca4e4d027d76d3705b6d1f3b3c9e2ceee195fd944b553eb27eee69e5e67c338f146f8445995664980bf0", "hex"), 6), insurance: { policyNumber: new Binary(Buffer.from("0217482732d8014cdd9ffdd6e2966e5e79108decd85c05be3fec099e015f9d26d9234605dc959cc1a19b63072f7ffda99db38c7b487de0572a03b2139ac3ee163bcc40c8508f366ce92a5dd36e38b3c742f7", "hex"), 6), provider: 'MaestCare' } } Finding a document with encrypted client, searching on an encrypted field { _id: new ObjectId("629a452e0861b3130887103a"), name: 'Jon Doe', ssn: 241014209, bloodType: 'AB+', 'key-id': 'demo-data-key', medicalRecords: [ { weight: 180, bloodPressure: '120/80' } ], insurance: { policyNumber: 123142, provider: 'MaestCare' } }
Tip
See: Complete Code
Learn More
To learn how CSFLE works, see Fundamentals.
To learn more about the topics mentioned in this guide, see the following links:
Learn more about CSFLE components on the Reference page.
Learn how Customer Master Keys and Data Encryption Keys work on the Keys and Key Vaults page
See how KMS Providers manage your CSFLE keys on the CSFLE KMS Providers page.