Docs Menu
Docs Home
MongoDB Manual
/ / /


On this page

  • Behavior
  • Example

Gets all data encryption keys with the specified keyAltName.

getKeyByAltName() has the following syntax:

keyVault = db.getMongo().getKeyVault()
Returns:Document representing a matching data encryption key.

If no matching data encryption key is found, KeyVault.getKeyByAltName() returns an object containing a hint that no key was found.

The mongosh client-side field level encryption methods require a database connection with client-side field level encryption enabled. If the current database connection was not initiated with client-side field level encryption enabled, either:

  • Use the Mongo() constructor from the mongosh to establish a connection with the required client-side field level encryption options. The Mongo() method supports the following Key Management Service (KMS) providers for Customer Master Key (CMK) management:


  • Use the mongosh command line options to establish a connection with the required options. The command line options only support the Amazon Web Services KMS provider for CMK management.

The following example uses a locally managed KMS for the client-side field level encryption configuration.

To configure client-side field level encryption for a locally managed key:

  • generate a base64-encoded 96-byte string with no line breaks

  • use mongosh to load the key

export TEST_LOCAL_KEY=$(echo "$(head -c 96 /dev/urandom | base64 | tr -d '\n')")
mongosh --nodb

Create the client-side field level encryption object using the generated local key string:

var autoEncryptionOpts = {
"keyVaultNamespace" : "encryption.__dataKeys",
"kmsProviders" : {
"local" : {
"key" : BinData(0, process.env["TEST_LOCAL_KEY"])

Use the Mongo() constructor with the client-side field level encryption options configured to create a database connection. Replace the mongodb:// URI with the connection string URI of the target cluster.

encryptedClient = Mongo(

Retrieve the KeyVault object and use the KeyVault.getKeyByAltName() method to retrieve the data encryption key whose keyAltNames array includes the specified key alternate name:


getKeyByAltName() returns the following data encryption key:

"_id" : UUID("b4b41b33-5c97-412e-a02b-743498346079"),
"keyMaterial" : BinData(0,"PXRsLOAYxhzTS/mFQAI8486da7BwZgqA91UI7NKz/T/AjB0uJZxTvhvmQQsKbCJYsWVS/cp5Rqy/FUX2zZwxJOJmI3rosPhzV0OI5y1cuXhAlLWlj03CnTcOSRzE/YIrsCjMB0/NyiZ7MRWUYzLAEQnE30d947XCiiHIb8a0kt2SD0so8vZvSuP2n0Vtz4NYqnzF0CkhZSWFa2e2yA=="),
"creationDate" : ISODate("2019-08-12T21:21:30.569Z"),
"updateDate" : ISODate("2019-08-12T21:21:30.569Z"),
"status" : 0,
"version" : NumberLong(0),
"masterKey" : {
"provider" : "local"
"keyAltNames" : [





On this page