Package com.mongodb

Class ClientEncryptionSettings


public final class ClientEncryptionSettings extends Object
The client-side settings for data key creation and explicit encryption.

Explicit encryption/decryption is a community feature, enabled with the new com.mongodb.client.vault.ClientEncryption type, for which these are the settings.

  • Method Details

    • builder

      public static ClientEncryptionSettings.Builder builder()
      Convenience method to create a Builder.
      Returns:
      a builder
    • getKeyVaultMongoClientSettings

      public MongoClientSettings getKeyVaultMongoClientSettings()
      Gets the MongoClientSettings that will be used to access the key vault.
      Returns:
      the key vault settings, which may not be null
    • getKeyVaultNamespace

      public String getKeyVaultNamespace()
      Gets the key vault namespace.

      The key vault namespace refers to a collection that contains all data keys used for encryption and decryption (aka the key vault collection). Data keys are stored as documents in a special MongoDB collection. Data keys are protected with encryption by a KMS provider (AWS, Azure, GCP KMS or a local master key).

      Returns:
      the key vault namespace, which may not be null
    • getKmsProviders

      public Map<String,Map<String,Object>> getKmsProviders()
      Gets the map of KMS provider properties.

      Multiple KMS providers may be specified. The following KMS providers are supported: "aws", "azure", "gcp" and "local". The kmsProviders map values differ by provider:

      For "aws", the properties are:

      • accessKeyId: a String, the AWS access key identifier
      • secretAccessKey: a String, the AWS secret access key
      • sessionToken: an optional String, the AWS session token

      For "azure", the properties are:

      • tenantId: a String, the tenantId that identifies the organization for the account.
      • clientId: a String, the clientId to authenticate a registered application.
      • clientSecret: a String, the client secret to authenticate a registered application.
      • identityPlatformEndpoint: optional String, a host with optional port. e.g. "" or "". Generally used for private Azure instances.

      For "gcp", the properties are:

      • email: a String, the service account email to authenticate.
      • privateKey: a String or byte[], the encoded PKCS#8 encrypted key
      • endpoint: optional String, a host with optional port. e.g. "" or "".

      For "kmip", the properties are:

      • endpoint: a String, the endpoint as a host with required port. e.g. "".

      For "local", the properties are:

      • key: byte[] of length 96, the local key

      It is also permitted for the value of a kms provider to be an empty map, in which case the driver will first

      Returns:
      map of KMS provider properties
    • getKmsProviderPropertySuppliers

      public Map<String,Supplier<Map<String,Object>>> getKmsProviderPropertySuppliers()
      This method is similar to getKmsProviders(), but instead of getting properties for KMS providers, it gets Suppliers of properties.

      If getKmsProviders() returns empty properties for a KMS provider, the driver will use a Supplier of properties configured for the KMS provider to obtain non-empty properties.

      Returns:
      A Map where keys identify KMS providers, and values specify Suppliers of properties for the KMS providers.
    • getKmsProviderSslContextMap

      public Map<String,SSLContext> getKmsProviderSslContextMap()
      Gets the KMS provider to SSLContext map.

      If a KMS provider is mapped to a non-null SSLContext, the context will be used to establish a TLS connection to the KMS. Otherwise, the default context will be used.

      Returns:
      the KMS provider to SSLContext map
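
The following is an added example, not part of the driver's documentation, showing how the settings returned by the getters above are supplied through the builder: a 96-byte "local" key, an empty "aws" map whose properties come from a Supplier, and a per-provider SSLContext. The class name, connection string, namespace `encryption.__keyVault` and environment variable names are assumptions, and the MongoDB Java driver must be on the classpath.

```java
import com.mongodb.ClientEncryptionSettings;
import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import javax.net.ssl.SSLContext;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Supplier;

public class ClientEncryptionSettingsExample {
    public static void main(String[] args) throws Exception {
        // "local" provider: the key must be exactly 96 bytes. It is generated here only so
        // the example runs; in practice it is loaded from a secret store and never hardcoded.
        byte[] localMasterKey = new byte[96];
        new SecureRandom().nextBytes(localMasterKey);

        Map<String, Map<String, Object>> kmsProviders = new HashMap<>();
        Map<String, Object> local = new HashMap<>();
        local.put("key", localMasterKey);
        kmsProviders.put("local", local);
        // Empty map for "aws": the driver obtains the properties from the Supplier below,
        // so no long-lived credentials are held in the settings object.
        kmsProviders.put("aws", new HashMap<>());

        Map<String, Supplier<Map<String, Object>>> suppliers = new HashMap<>();
        suppliers.put("aws", () -> {
            Map<String, Object> aws = new HashMap<>();
            aws.put("accessKeyId", System.getenv("AWS_ACCESS_KEY_ID"));         // assumed variable name
            aws.put("secretAccessKey", System.getenv("AWS_SECRET_ACCESS_KEY")); // assumed variable name
            return aws;
        });

        // TLS context used for connections to the "aws" KMS; providers not listed use the default.
        Map<String, SSLContext> sslContexts = new HashMap<>();
        sslContexts.put("aws", SSLContext.getDefault());

        ClientEncryptionSettings settings = ClientEncryptionSettings.builder()
                .keyVaultMongoClientSettings(MongoClientSettings.builder()
                        .applyConnectionString(new ConnectionString("mongodb://localhost:27017"))
                        .build())
                .keyVaultNamespace("encryption.__keyVault") // "<database>.<collection>", assumed name
                .kmsProviders(kmsProviders)
                .kmsProviderPropertySuppliers(suppliers)
                .kmsProviderSslContextMap(sslContexts)
                .build();

        // Print only non-secret values: the namespace and the configured provider names.
        System.out.println(settings.getKeyVaultNamespace());
        System.out.println(settings.getKmsProviders().keySet());
    }
}
```

Building the settings does not open a connection or call the Supplier; the "aws" properties are only fetched when the driver needs them.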