An often brought up pain point in using the ClientEncryption api is the fact that finding a key from the keyvault collection will decode to a python native UUID that cannot be passed directly to ClientEncryption.encrypt (TypeError: key_id must be a bson.binary.Binary with subtype 4).

We made this design choice originally because pymongo has legacy UUID encoding/decoding behavior (which is separately being addressed in PYTHON-2152). However, since data keys documents always use the standard UUID subtype 4 it should be fine to accept native UUID in the encrypt API.

In other words, I think we can safely add this UUID to Binary conversion to save users some headache:

def encrypt(self, value, algorithm, key_id=None, key_alt_name=None):
...
        if isinstance(key_id, uuid.UUID):
            key_id = Binary(key_id.bytes, UUID_SUBTYPE)