Docs Menu
Docs Home
/ /
Tutorials
Docs Home
/ /
Client-Side Field Level Encryption
/
Tutorials
Docs Home
/
Development
/
In-Use Encryption
/
Client-Side Field Level Encryption
/
Tutorials

Use Automatic Client-Side Field Level Encryption with Azure

Overview

This guide shows you how to build a Client-Side Field Level Encryption (CSFLE)-enabled application using Azure Key Vault.

After you complete the steps in this guide, you should have:

  • A Customer Master Key hosted on an Azure Key Vault instance.

  • A working client application that inserts documents with encrypted fields using your Customer Master Key.

Before You Get Started

To complete and run the code in this guide, you need to set up your development environment as shown in the Installation Requirements page.

Throughout this guide, code examples use placeholder text. Before you run the examples, substitute your own values for these placeholders.

For example:

dek_id := "<Your Base64 DEK ID>"

You would replace everything between quotes with your DEK ID.

dek_id := "abc123"

Select the programming language for which you want to see code examples for from the Select your language dropdown menu on the right side of the page.

Full Application Code

To see the complete code for the sample application, select your programming language in the language selector.

Set Up the KMS

1

Register your Application with Azure

  1. Log in to Azure.

  2. Register your Application with Azure Active Directory

    To register an application on Azure Active Directory, follow Microsoft's official Register an application with the Microsoft identity platform Quick Start.

    Important

    Record your Credentials

    Ensure you record the following credentials:

    • Tenant ID

    • Client ID

    • Client secret

    You will need them to construct your kmsProviders object later in this tutorial.

2

Create the Customer Master Key

  1. Create your Azure Key Vault and Customer Master Key

    To create a new Azure Key Vault instance and Customer Master Key, follow Microsoft's official Set and retrieve a key from Azure Key Vault using the Azure portal Quick Start.

    Note

    The Customer Master Key should have an RSA key size of 2048 or 4096 bits.

    Important

    Record your Credentials

    Ensure you record the following credentials:

    • Key Name

    • Key Identifier (referred to as keyVaultEndpoint later in this guide)

    • Key Version

    You will need them to construct your dataKeyOpts object later in this tutorial.

  2. Grant Permissions

Create the Application

Learn More

To learn how CSFLE works, see CSFLE Fundamentals.

To learn more about the topics mentioned in this guide, see the following links:

Back

Use Automatic Client-Side Field Level Encryption with AWS

Next

Use Automatic Client-Side Field Level Encryption with GCP

On this page