Class ClientEncryptionSettings
Explicit encryption/decryption is a community feature, enabled with the new com.mongodb.client.vault.ClientEncryption type,
for which this is the settings.
- Since:
- 3.11
-
Nested Class Summary
Nested ClassesModifier and TypeClassDescriptionstatic final classA builder forClientEncryptionSettingsso thatClientEncryptionSettingscan be immutable, and to support easier construction through chaining. -
Method Summary
Modifier and TypeMethodDescriptionbuilder()Convenience method to create a Builder.Gets the key vault settings.Gets the key vault namespace.This method is similar togetKmsProviders(), but instead of getting properties for KMS providers, it getsSuppliers of properties.Gets the map of KMS provider properties.Gets the KMS provider to SSLContext map.
-
Method Details
-
builder
Convenience method to create a Builder.- Returns:
- a builder
-
getKeyVaultMongoClientSettings
Gets the key vault settings.The key vault collection is assumed to reside on the same MongoDB cluster as indicated by the connecting URI. But the optional keyVaultMongoClientSettings can be used to route data key queries to a separate MongoDB cluster, or the same cluster but with a different credential.
- Returns:
- the key vault settings, which may be null to indicate that the same
MongoClientshould be used to access the key vault collection as is used for the rest of the application.
-
getKeyVaultNamespace
Gets the key vault namespace.The key vault namespace refers to a collection that contains all data keys used for encryption and decryption (aka the key vault collection). Data keys are stored as documents in a special MongoDB collection. Data keys are protected with encryption by a KMS provider (AWS, Azure, GCP KMS or a local master key).
- Returns:
- the key vault namespace, which may not be null
-
getKmsProviders
Gets the map of KMS provider properties.Multiple KMS providers may be specified. The following KMS providers are supported: "aws", "azure", "gcp" and "local". The kmsProviders map values differ by provider:
For "aws", the properties are:
- accessKeyId: a String, the AWS access key identifier
- secretAccessKey: a String, the AWS secret access key
- sessionToken: an optional String, the AWS session token
For "azure", the properties are:
- tenantId: a String, the tenantId that identifies the organization for the account.
- clientId: a String, the clientId to authenticate a registered application.
- clientSecret: a String, the client secret to authenticate a registered application.
- identityPlatformEndpoint: optional String, a host with optional port. e.g. "example.com" or "example.com:443". Generally used for private Azure instances.
For "gcp", the properties are:
- email: a String, the service account email to authenticate.
- privateKey: a String or byte[], the encoded PKCS#8 encrypted key
- endpoint: optional String, a host with optional port. e.g. "example.com" or "example.com:443".
For "kmip", the properties are:
- endpoint: a String, the endpoint as a host with required port. e.g. "example.com:443".
For "local", the properties are:
- key: byte[] of length 96, the local key
It is also permitted for the value of a kms provider to be an empty map, in which case the driver will first
- use the
Supplierconfigured ingetKmsProviderPropertySuppliers()to obtain a non-empty map - attempt to obtain the properties from the environment
- Returns:
- map of KMS provider properties
- See Also:
-
getKmsProviderPropertySuppliers
This method is similar togetKmsProviders(), but instead of getting properties for KMS providers, it getsSuppliers of properties.If
getKmsProviders()returns empty properties for a KMS provider, the driver will use aSupplierof properties configured for the KMS provider to obtain non-empty properties. -
getKmsProviderSslContextMap
Gets the KMS provider to SSLContext map.If a KMS provider is mapped to a non-null
SSLContext, the context will be used to establish a TLS connection to the KMS. Otherwise, the default context will be used.- Returns:
- the KMS provider to SSLContext map
- Since:
- 4.4
-