encryption
– Client-Side Field Level Encryption
Support for explicit client-side field level encryption.
class pymongo.encryption.Algorithm
An enum that defines the supported encryption algorithms.
class pymongo.encryption.ClientEncryption
(kms_providers, key_vault_namespace, key_vault_client, codec_options)
Explicit client-side field level encryption.
The ClientEncryption class encapsulates explicit operations on a key vault collection that cannot be done directly on a MongoClient. Similar to configuring auto encryption on a MongoClient, it is constructed with a MongoClient (to a MongoDB cluster containing the key vault collection), KMS provider configuration, and keyVaultNamespace. It provides an API for explicitly encrypting and decrypting values, and creating data keys. It does not provide an API to query keys from the key vault collection, as this can be done directly on the MongoClient.
See Explicit Encryption for an example.
Parameters: |
|
---|
New in version 3.9.
close
()Release resources.
Note that using this class in a with-statement will automatically call close():
with ClientEncryption(...) as client_encryption:
encrypted = client_encryption.encrypt(value, ...)
decrypted = client_encryption.decrypt(encrypted)
create_data_key
(kms_provider, master_key=None, key_alt_names=None)Create and insert a new data key into the key vault collection.
Parameters: kms_provider: The KMS provider to use. Supported values are “aws” and “local”.
master_key: Identifies a KMS-specific key used to encrypt the new data key. If the kmsProvider is “local” the master_key is not applicable and may be omitted.
If the kms_provider is “aws” it is required and has the following fields:
-
region
(string): Required. The AWS region, e.g. “us-east-1”.-
key
(string): Required. The Amazon Resource Name (ARN) tothe AWS customer.
-
endpoint
(string): Optional. An alternate host to send KMSrequests to. May include port number, e.g.
“kms.us-east-1.amazonaws.com:443”.
If the kms_provider is “azure” it is required and has the following fields:
-
keyVaultEndpoint
(string): Required. Host with optionalport, e.g. “example.vault.azure.net”.
-
keyName
(string): Required. Key name in the key vault.-
keyVersion
(string): Optional. Version of the key to use.
If the kms_provider is “gcp” it is required and has the following fields:
-
projectId
(string): Required. The Google cloud project ID.-
location
(string): Required. The GCP location, e.g. “us-east1”.-
keyRing
(string): Required. Name of the key ring that containsthe key to use.
-
keyName
(string): Required. Name of the key to use.-
keyVersion
(string): Optional. Version of the key to use.-
endpoint
(string): Optional. Host with optional port.Defaults to “cloudkms.googleapis.com”.
key_alt_names (optional): An optional list of string alternate names used to reference a key. If a key is created with alternate names, then encryption may refer to the key by the unique alternate name instead of by
key_id
. The following example shows creating and referring to a data key by alternate name:client_encryption.create_data_key(“local”, keyAltNames=[“name1”])
# reference the key with the alternate name
client_encryption.encrypt(“457-55-5462”, keyAltName=”name1”,
algorithm=Algorithm.AEAD_AES_256_CBC_HMAC_SHA_512_Random)
Returns: The
_id
of the created data key document as a Binary with subtype UUID_SUBTYPE.decrypt
(value)Decrypt an encrypted value.
Parameters: - value (Binary): The encrypted value, a Binary with subtype 6.
Returns: The decrypted BSON value.
encrypt
(value, algorithm, key_id=None, key_alt_name=None)Encrypt a BSON value with a given key and algorithm.
Note that exactly one of
key_id
orkey_alt_name
must be provided.Parameters: - value: The BSON value to encrypt.
- algorithm (string): The encryption algorithm to use. See Algorithm for some valid options.
- key_id: Identifies a data key by
_id
which must be a Binary with subtype 4 ( UUID_SUBTYPE). - key_alt_name: Identifies a key vault document by ‘keyAltName’.
Returns: The encrypted value, a Binary with subtype 6.