Class: Mongo::ClientEncryption

Inherits:

Object

• Object
• Mongo::ClientEncryption

Defined in:

build/ruby-driver-master/lib/mongo/client_encryption.rb

Overview

ClientEncryption encapsulates explicit operations on a key vault collection that cannot be done directly on a MongoClient. It provides an API for explicitly encrypting and decrypting values, and creating data keys.

Instance Method Summary

• #create_data_key(kms_provider, options = {}) ⇒ BSON::Binary

  Generates a data key used for encryption/decryption and stores that key in the KMS collection.

• #decrypt(value) ⇒ Object

  Decrypts a value that has already been encrypted.

• #encrypt(value, options = {}) ⇒ BSON::Binary

  Encrypts a value using the specified encryption key and algorithm.

• #initialize(key_vault_client, options = {}) ⇒ ClientEncryption constructor

  Create a new ClientEncryption object with the provided options.

Constructor Details

#initialize(key_vault_client, options = {}) ⇒ ClientEncryption

Create a new ClientEncryption object with the provided options.

Parameters:

• key_vault_client (Mongo::Client) —

  A Mongo::Client that is connected to the MongoDB instance where the key vault collection is stored.

• options (Hash) (defaults to: {}) —

  The ClientEncryption options.

Options Hash (options):

• :key_vault_namespace (String) —

  The name of the key vault collection in the format “database.collection”.

• :kms_providers (Hash) —

  A hash of key management service configuration information. @see Mongo::Crypt::KMS::Credentials for list of options for every supported provider. @note There may be more than one KMS provider specified.

• :kms_tls_options (Hash) —

  TLS options to connect to KMS providers. Keys of the hash should be KSM provider names; values should be hashes of TLS connection options. The options are equivalent to TLS connection options of Mongo::Client. @see Mongo::Client#initialize for list of TLS options.

Raises:

• (ArgumentError) —

  If required options are missing or incorrectly formatted.

# File 'build/ruby-driver-master/lib/mongo/client_encryption.rb', line 46

def initialize(key_vault_client, options={})
  @encrypter = Crypt::ExplicitEncrypter.new(
    key_vault_client,
    options[:key_vault_namespace],
    Crypt::KMS::Credentials.new(options[:kms_providers]),
    Crypt::KMS::Validations.validate_tls_options(options[:kms_tls_options])
  )
end

Instance Method Details

#create_data_key(kms_provider, options = {}) ⇒ BSON::Binary

Generates a data key used for encryption/decryption and stores that key in the KMS collection. The generated key is encrypted with the KMS master key.

Parameters:

• kms_provider (String) —

  The KMS provider to use. Valid values are “aws” and “local”.

• options (Hash) (defaults to: {})

Options Hash (options):

• :master_key (Hash) —

  Information about the AWS master key. Required if kms_provider is “aws”.

  • :region [ String ] The The AWS region of the master key (required).

  • :key [ String ] The Amazon Resource Name (ARN) of the master key (required).

  • :endpoint [ String ] An alternate host to send KMS requests to (optional). endpoint should be a host name with an optional port number separated by a colon (e.g. “kms.us-east-1.amazonaws.com” or “kms.us-east-1.amazonaws.com:443”). An endpoint in any other format will not be properly parsed.

• :key_alt_names (Array<String>) —

  An optional array of strings specifying alternate names for the new data key.

Returns:

• (BSON::Binary) —

  The 16-byte UUID of the new data key as a BSON::Binary object with type :uuid.

# File 'build/ruby-driver-master/lib/mongo/client_encryption.rb', line 77

def create_data_key(kms_provider, options={})
  key_document = Crypt::KMS::MasterKeyDocument.new(kms_provider, options)
  key_alt_names = options[:key_alt_names]
  @encrypter.create_and_insert_data_key(key_document, key_alt_names)
end

#decrypt(value) ⇒ Object

Decrypts a value that has already been encrypted.

Parameters:

• value (BSON::Binary) —

  A BSON Binary object of subtype 6 (ciphertext) that will be decrypted.

Returns:

• (Object) —

  The decrypted value.

# File 'build/ruby-driver-master/lib/mongo/client_encryption.rb', line 112

def decrypt(value)
  @encrypter.decrypt(value)
end

#encrypt(value, options = {}) ⇒ BSON::Binary

Note:

The :key_id and :key_alt_name options are mutually exclusive. Only one is required to perform explicit encryption.

Encrypts a value using the specified encryption key and algorithm.

Parameters:

• value (Object) —

  The value to encrypt.

• options (Hash) (defaults to: {})

Options Hash (options):

• :key_id (BSON::Binary) —

  A BSON::Binary object of type :uuid representing the UUID of the encryption key as it is stored in the key vault collection.

• :key_alt_name (String) —

  The alternate name for the encryption key.

• :algorithm (String) —

  The algorithm used to encrypt the value. Valid algorithms are “AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic” or “AEAD_AES_256_CBC_HMAC_SHA_512-Random”.

Returns:

• (BSON::Binary) —

  A BSON Binary object of subtype 6 (ciphertext) representing the encrypted value.

# File 'build/ruby-driver-master/lib/mongo/client_encryption.rb', line 102

def encrypt(value, options={})
  @encrypter.encrypt(value, options)
end