Description:
With this change, mongosh surfaces the createEncryptedCollection helper on both Database and ClientEncryption instances. The createEncryptedCollection helper will create a collection with encrypted fields, automatically allocating and assigning new data encryption keys. It returns a handle to the new collection, as well as a list of the generated "encryptedFields".
Once a connection is established with the relevant Queryable Encryption options, the helper can be accessed directly on the Database instance `db` or on the ClientEncryption instance obtained via `db.getMongo().getClientEncryption()`.
Signatures:
1. db.createEncryptedCollection(collname, collectionOptions)
2. db.getMongo().getClientEncryption().createEncryptedCollection(databasename, collname, collectionOptions)
// Note-1: unlike option 1, option 2 also requires the name of the database as its first argument.
// Note-2: collectionOptions must include the provider and createCollectionOptions keys.
Example:
const keyVaultNamespace = "keyvault.namespace";
const kmsProviderName = "valid-kms-provider-string"; // local, aws, etc.
const kmsProviderOptions = { /* provider-specific credentials/options */ };
const secureClient = Mongo("uri", {
  keyVaultNamespace: keyVaultNamespace,
  kmsProviders: {
    [kmsProviderName]: { ...kmsProviderOptions }
  }
});
const secureDB = secureClient.getDB("some-database");

// Using Database instance
secureDB.createEncryptedCollection("some-collection", {
  provider: kmsProviderName, // required
  createCollectionOptions: {  // required
    encryptedFields: {
      fields: [
        {
          path: "field-name",
          bsonType: "valid-bson-type",
          keyId: null // null means: allocate a new data encryption key for this field
        }
      ]
    }
  },
  masterKey: { // optional, needed only if kms provider is Azure, GCP or AWS
    ...
  }
});

// or using ClientEncryption instance
secureClient.getClientEncryption().createEncryptedCollection("some-database", "some-collection", {
  provider: kmsProviderName, // required
  createCollectionOptions: {  // required
    encryptedFields: {
      fields: [
        {
          path: "field-name",
          bsonType: "valid-bson-type",
          keyId: null
        }
      ]
    }
  },
  masterKey: { // optional, needed only if kms provider is Azure, GCP or AWS
    ...
  }
});
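The behaviour the description above attributes to the helper (allocate a data key for every field whose keyId is null, create the collection, return the filled-in encryptedFields), as an added illustration that is not mongosh's own implementation. It assumes `clientEncryption.createDataKey(provider, { masterKey })` and `db.createCollection(name, options)` as synchronous stand-ins for the real async methods, and uses constructed in-memory fakes so it runs offline.

```javascript
// Added illustration (not mongosh's own code) of the createEncryptedCollection
// behaviour: null keyIds get freshly created data keys, then the collection is
// created and the filled-in encryptedFields are returned alongside it.
// Assumption: createDataKey(provider, { masterKey }) and createCollection(name,
// options) are synchronous stand-ins for the real (async) methods.
function allocateEncryptedCollection(db, clientEncryption, collName, collectionOptions) {
  const { provider, createCollectionOptions, masterKey } = collectionOptions;
  if (typeof provider !== 'string' || provider === '') {
    throw new TypeError('collectionOptions.provider is required');
  }
  const fields = createCollectionOptions?.encryptedFields?.fields;
  if (!Array.isArray(fields) || fields.length === 0) {
    throw new TypeError('createCollectionOptions.encryptedFields.fields is required');
  }
  // masterKey is optional for "local" but required for the cloud KMS providers
  const needsMasterKey = ['aws', 'gcp', 'azure'].includes(provider);
  if (needsMasterKey && !masterKey) {
    throw new TypeError(`masterKey is required for kms provider "${provider}"`);
  }
  const filledFields = fields.map((field) => {
    if (field.keyId !== null && field.keyId !== undefined) {
      return field; // caller already assigned a key; leave it untouched
    }
    const keyId = clientEncryption.createDataKey(provider, needsMasterKey ? { masterKey } : {});
    return { ...field, keyId };
  });
  const encryptedFields = { ...createCollectionOptions.encryptedFields, fields: filledFields };
  const collection = db.createCollection(collName, { ...createCollectionOptions, encryptedFields });
  return { collection, encryptedFields };
}

// Constructed fakes that record every call so key allocation can be inspected.
function makeFakes() {
  const calls = [];
  let counter = 0;
  const clientEncryption = {
    createDataKey(provider, opts) {
      calls.push(['createDataKey', provider, opts]);
      return `key-${++counter}`; // the real method returns a UUID Binary
    },
  };
  const db = {
    createCollection(name, options) {
      calls.push(['createCollection', name, options]);
      return { name, options };
    },
  };
  return { db, clientEncryption, calls };
}
```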
Required Changes:
1. https://www.mongodb.com/docs/manual/reference/method/#database : This page should add the Database.createEncryptedCollection method to the list.
2. https://www.mongodb.com/docs/mongodb-shell/reference/methods/#database-methods : This page should add the Database.createEncryptedCollection method to the list.
3. Database.createEncryptedCollection accepts two parameters:
   - first is the name of the collection
   - second is the collection creation options object, which is similar to the Database.createCollection options but must include two keys (provider and createCollectionOptions) and may include an optional masterKey:
     - provider: the name of the kms provider
     - createCollectionOptions: an object that should contain the list of fields to be encrypted under the path "encryptedFields.fields"
     - masterKey: an optional object specifying how to get the master key when the kms provider is AWS, GCP or Azure
4. https://www.mongodb.com/docs/manual/reference/method/#client-side-field-level-encryption : This page should add the ClientEncryption.createEncryptedCollection method.
5. https://www.mongodb.com/docs/mongodb-shell/reference/methods/#client-side-field-level-encryption-methods : This page should add the ClientEncryption.createEncryptedCollection method.
6. ClientEncryption.createEncryptedCollection accepts three parameters:
   - first is the name of the database
   - second is the name of the collection
   - third is the collection creation options object, which is similar to the Database.createCollection options but must include two keys (provider and createCollectionOptions) and may include an optional masterKey:
     - provider: the name of the kms provider
     - createCollectionOptions: an object that should contain the list of fields to be encrypted under the path "encryptedFields.fields"
     - masterKey: an optional object specifying how to get the master key when the kms provider is AWS, GCP or Azure