- Type: Task
- Resolution: Fixed
- Priority: Major - P3
- None
- Affects Version/s: None
- Component/s: None
This is to support explicitly encrypting any BSON value or explicitly decrypting a BSON binary subtype 6 value.
For client code that does this:
keyvault.encrypt("some value", { key_id: BinData(...), algorithm: "..." } )
The driver should use libmongocrypt to encrypt "some value". We can reuse the mongocrypt_ctx_t type. I'm roughly thinking of:
mongocrypt_ctx_setopt_key_id (mongocrypt_ctx_t *ctx, mongocrypt_binary_t *key_id);
mongocrypt_ctx_setopt_key_algorithm (mongocrypt_ctx_t *ctx, const char* algorithm, uint32_t algorithm_len);
mongocrypt_ctx_setopt_key_initialization_vector (mongocrypt_ctx_t *ctx, const char* iv, uint32_t iv_len);
mongocrypt_ctx_init_explicit_encrypt (mongocrypt_ctx_t *ctx, mongocrypt_buffer_t *wrapped_value);
Then the context can be used the same way as auto encryption.
Drivers will likely need to wrap the BSON value to encrypt in a document. So in the above example, wrapped_value would represent the document
{ "v": "some value" }.
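The wrapping step described above, as an added example (not code from this ticket or from libmongocrypt): it hand-encodes { "v": "some value" } as BSON bytes and checks whether a wrapped value is binary subtype 6, the input to explicit decryption. The names wrap_utf8 and wrapped_type and the sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static void put_le32(uint8_t *p, uint32_t v) {   /* BSON ints are little-endian */
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static uint32_t get_le32(const uint8_t *p) {
    return p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical helper: build { "v": <str> } in out.
 * Returns the document length, or 0 if it does not fit. */
size_t wrap_utf8(const char *str, uint8_t *out, size_t cap) {
    size_t slen = strlen(str) + 1;               /* string bytes plus NUL */
    if (slen > INT32_MAX - 12 || 12 + slen > cap) return 0;
    put_le32(out, (uint32_t)(12 + slen));        /* total document length */
    out[4] = 0x02;                               /* element type: UTF-8 string */
    out[5] = 'v'; out[6] = 0x00;                 /* key "v" as a C string */
    put_le32(out + 7, (uint32_t)slen);
    memcpy(out + 11, str, slen);
    out[11 + slen] = 0x00;                       /* document terminator */
    return 12 + slen;
}

/* Hypothetical helper: returns the BSON type byte of "v" (and the binary
 * subtype via *subtype for type 0x05), or -1 on bad framing. Payload
 * lengths are verified for string and binary values only. */
int wrapped_type(const uint8_t *doc, size_t len, int *subtype) {
    *subtype = -1;
    if (len < 8 || get_le32(doc) != len || doc[len - 1] != 0x00) return -1;
    if (doc[5] != 'v' || doc[6] != 0x00) return -1;
    if (doc[4] == 0x02) {                        /* int32 length, bytes, NUL */
        if (len < 13 || get_le32(doc + 7) != len - 12 || doc[len - 2] != 0x00) return -1;
    } else if (doc[4] == 0x05) {                 /* int32 length, subtype, bytes */
        if (len < 13 || get_le32(doc + 7) != len - 13) return -1;
        *subtype = doc[11];
    }
    return doc[4];
}

int main(void) {
    uint8_t buf[64];
    int st;
    size_t n = wrap_utf8("some value", buf, sizeof buf);
    int t = wrapped_type(buf, n, &st);
    printf("wrapped %zu bytes, type 0x%02x\n", n, (unsigned)t);
    /* Constructed sample: { "v": BinData(6, 0xAA 0xBB) } */
    uint8_t enc[] = {15,0,0,0, 0x05,'v',0, 2,0,0,0, 6, 0xAA,0xBB, 0};
    t = wrapped_type(enc, sizeof enc, &st);
    printf("type 0x%02x, subtype %d\n", (unsigned)t, st);
    return 0;
}
```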
- is depended on by: JAVA-3226 POC - Support Client-side FLE (Closed)