Interface ClientEncryption
- All Superinterfaces:
AutoCloseable
,Closeable
The Key vault.
Used to create data encryption keys, and to explicitly encrypt and decrypt values when auto-encryption is not an option.
- Since:
- 1.12
-
Method Summary
Modifier and TypeMethodDescriptionaddKeyAltName
(BsonBinary id, String keyAltName) Adds a keyAltName to the keyAltNames array of the key document in the key vault collection with the given UUID.void
close()
createDataKey
(String kmsProvider) Create a data key with the given KMS provider.createDataKey
(String kmsProvider, DataKeyOptions dataKeyOptions) Create a data key with the given KMS provider and options.createEncryptedCollection
(MongoDatabase database, String collectionName, CreateCollectionOptions createCollectionOptions, CreateEncryptedCollectionParams createEncryptedCollectionParams) Create a new collection with encrypted fields, automatically creating new data encryption keys when needed based on the configuredencryptedFields
, which must be specified.decrypt
(BsonBinary value) Decrypt the given value.deleteKey
(BsonBinary id) Removes the key document with the given data key from the key vault collection.encrypt
(BsonValue value, EncryptOptions options) Encrypt the given value with the given options.encryptExpression
(Bson expression, EncryptOptions options) Encrypts a Match Expression or Aggregate Expression to query a range index.getKey
(BsonBinary id) Finds a single key document with the given UUID (BSON binary subtype 0x04).getKeyByAltName
(String keyAltName) Returns a key document in the key vault collection with the given keyAltName.getKeys()
Finds all documents in the key vault collection.removeKeyAltName
(BsonBinary id, String keyAltName) Removes a keyAltName from the keyAltNames array of the key document in the key vault collection with the given id.rewrapManyDataKey
(Bson filter) Decrypts multiple data keys and (re-)encrypts them with the current masterKey.rewrapManyDataKey
(Bson filter, RewrapManyDataKeyOptions options) Decrypts multiple data keys and (re-)encrypts them with a new masterKey, or with their current masterKey if a new one is not given.
-
Method Details
-
createDataKey
Create a data key with the given KMS provider.Creates a new key document and inserts into the key vault collection.
- Parameters:
kmsProvider
- the KMS provider- Returns:
- a Publisher containing the identifier for the created data key
-
createDataKey
Create a data key with the given KMS provider and options.Creates a new key document and inserts into the key vault collection.
- Parameters:
kmsProvider
- the KMS providerdataKeyOptions
- the options for data key creation- Returns:
- a Publisher containing the identifier for the created data key
-
encrypt
Encrypt the given value with the given options.The driver may throw an exception for prohibited BSON value types
- Parameters:
value
- the value to encryptoptions
- the options for data encryption- Returns:
- a Publisher containing the encrypted value, a BSON binary of subtype 6
-
encryptExpression
Encrypts a Match Expression or Aggregate Expression to query a range index.The expression is expected to be in one of the following forms:
- A Match Expression of this form:
{$and: [{<field>: {$gt: <value1>}}, {<field>: {$lt: <value2> }}]}
- An Aggregate Expression of this form:
{$and: [{$gt: [<fieldpath>, <value1>]}, {$lt: [<fieldpath>, <value2>]}] }
$gt
may also be$gte
.$lt
may also be$lte
.Only supported when queryType is "range" and algorithm is "Range".
- Parameters:
expression
- the Match Expression or Aggregate Expressionoptions
- the options- Returns:
- a Publisher containing the queryable encrypted range expression
- Since:
- 4.9
- MongoDB documentation
- queryable encryption
- $match
- Since server release
- 8.0
- A Match Expression of this form:
-
decrypt
Decrypt the given value.- Parameters:
value
- the value to decrypt, which must be of subtype 6- Returns:
- a Publisher containing the decrypted value
-
deleteKey
Removes the key document with the given data key from the key vault collection.- Parameters:
id
- the data key UUID (BSON binary subtype 0x04)- Returns:
- a Publisher containing the delete result
- Since:
- 4.7
-
getKey
Finds a single key document with the given UUID (BSON binary subtype 0x04).- Parameters:
id
- the data key UUID (BSON binary subtype 0x04)- Returns:
- a Publisher containing the single key document or an empty publisher if there is no match
- Since:
- 4.7
-
getKeys
FindPublisher<BsonDocument> getKeys()Finds all documents in the key vault collection.- Returns:
- a find publisher for the documents in the key vault collection
- Since:
- 4.7
-
addKeyAltName
Adds a keyAltName to the keyAltNames array of the key document in the key vault collection with the given UUID.- Parameters:
id
- the data key UUID (BSON binary subtype 0x04)keyAltName
- the alternative key name to add to the keyAltNames array- Returns:
- a Publisher containing the previous version of the key document or an empty publisher if no match
- Since:
- 4.7
-
removeKeyAltName
Removes a keyAltName from the keyAltNames array of the key document in the key vault collection with the given id.- Parameters:
id
- the data key UUID (BSON binary subtype 0x04)keyAltName
- the alternative key name- Returns:
- a Publisher containing the previous version of the key document or an empty publisher if there is no match
- Since:
- 4.7
-
getKeyByAltName
Returns a key document in the key vault collection with the given keyAltName.- Parameters:
keyAltName
- the alternative key name- Returns:
- a Publisher containing the matching key document or an empty publisher if there is no match
- Since:
- 4.7
-
rewrapManyDataKey
Decrypts multiple data keys and (re-)encrypts them with the current masterKey.- Parameters:
filter
- the filter- Returns:
- a Publisher containing the result
- Since:
- 4.7
-
rewrapManyDataKey
Decrypts multiple data keys and (re-)encrypts them with a new masterKey, or with their current masterKey if a new one is not given.- Parameters:
filter
- the filteroptions
- the options- Returns:
- a Publisher containing the result
- Since:
- 4.7
-
createEncryptedCollection
Publisher<BsonDocument> createEncryptedCollection(MongoDatabase database, String collectionName, CreateCollectionOptions createCollectionOptions, CreateEncryptedCollectionParams createEncryptedCollectionParams) Create a new collection with encrypted fields, automatically creating new data encryption keys when needed based on the configuredencryptedFields
, which must be specified. This method does not modify the configuredencryptedFields
when creating new data keys, instead it creates a new configuration if needed.- Parameters:
database
- The database to use for creating the collection.collectionName
- The name for the collection to create.createCollectionOptions
- Options for creating the collection.createEncryptedCollectionParams
- Auxiliary parameters for creating an encrypted collection.- Returns:
- A publisher of the (potentially updated)
encryptedFields
configuration that was used to create the collection. A user may use this document to configureAutoEncryptionSettings.getEncryptedFieldsMap()
.Signals
MongoUpdatedEncryptedFieldsException
if an exception happens after creating at least one data key. This exception makes the updatedencryptedFields
available to the caller. - Since:
- 4.9
- MongoDB documentation
- Create Command
- Since server release
- 7.0
-
close
void close()- Specified by:
close
in interfaceAutoCloseable
- Specified by:
close
in interfaceCloseable
-