Interface ClientEncryption
- All Superinterfaces: AutoCloseable, Closeable

The Key vault.
Used to create data encryption keys, and to explicitly encrypt and decrypt values when auto-encryption is not an option.
- Since: 1.12

Method Summary
- addKeyAltName(BsonBinary id, String keyAltName): Adds a keyAltName to the keyAltNames array of the key document in the key vault collection with the given UUID.
- void close()
- createDataKey(String kmsProvider): Create a data key with the given KMS provider.
- createDataKey(String kmsProvider, com.mongodb.client.model.vault.DataKeyOptions dataKeyOptions): Create a data key with the given KMS provider and options.
- createEncryptedCollection(MongoDatabase database, String collectionName, com.mongodb.client.model.CreateCollectionOptions createCollectionOptions, com.mongodb.client.model.CreateEncryptedCollectionParams createEncryptedCollectionParams)
- decrypt(BsonBinary value): Decrypt the given value.
- Publisher<com.mongodb.client.result.DeleteResult> deleteKey(BsonBinary id): Removes the key document with the given data key from the key vault collection.
- encrypt(BsonValue value, com.mongodb.client.model.vault.EncryptOptions options): Encrypt the given value with the given options.
- encryptExpression(Bson expression, com.mongodb.client.model.vault.EncryptOptions options): Encrypts a Match Expression or Aggregate Expression to query a range index.
- getKey(BsonBinary id): Finds a single key document with the given UUID (BSON binary subtype 0x04).
- getKeyByAltName(String keyAltName): Returns a key document in the key vault collection with the given keyAltName.
- getKeys(): Finds all documents in the key vault collection.
- removeKeyAltName(BsonBinary id, String keyAltName): Removes a keyAltName from the keyAltNames array of the key document in the key vault collection with the given id.
- Publisher<com.mongodb.client.model.vault.RewrapManyDataKeyResult> rewrapManyDataKey(Bson filter): Decrypts multiple data keys and (re-)encrypts them with the current masterKey.
- Publisher<com.mongodb.client.model.vault.RewrapManyDataKeyResult> rewrapManyDataKey(Bson filter, com.mongodb.client.model.vault.RewrapManyDataKeyOptions options): Decrypts multiple data keys and (re-)encrypts them with a new masterKey, or with their current masterKey if a new one is not given.

Method Details
createDataKey
Create a data key with the given KMS provider. Creates a new key document and inserts into the key vault collection.
- Parameters:
  - kmsProvider - the KMS provider
- Returns: a Publisher containing the identifier for the created data key

createDataKey
Publisher<BsonBinary> createDataKey(String kmsProvider, com.mongodb.client.model.vault.DataKeyOptions dataKeyOptions)
Create a data key with the given KMS provider and options. Creates a new key document and inserts into the key vault collection.
- Parameters:
  - kmsProvider - the KMS provider
  - dataKeyOptions - the options for data key creation
- Returns: a Publisher containing the identifier for the created data key

encrypt
Publisher<BsonBinary> encrypt(BsonValue value, com.mongodb.client.model.vault.EncryptOptions options)
Encrypt the given value with the given options. The driver may throw an exception for prohibited BSON value types.
- Parameters:
  - value - the value to encrypt
  - options - the options for data encryption
- Returns: a Publisher containing the encrypted value, a BSON binary of subtype 6

encryptExpression
Publisher<BsonDocument> encryptExpression(Bson expression, com.mongodb.client.model.vault.EncryptOptions options)
Encrypts a Match Expression or Aggregate Expression to query a range index.
The expression is expected to be in one of the following forms:
- A Match Expression of this form:
  {$and: [{<field>: {$gt: <value1>}}, {<field>: {$lt: <value2> }}]}
- An Aggregate Expression of this form:
  {$and: [{$gt: [<fieldpath>, <value1>]}, {$lt: [<fieldpath>, <value2>]}] }

$gt may also be $gte. $lt may also be $lte.
Only supported when queryType is "range" and algorithm is "Range".
- Parameters:
  - expression - the Match Expression or Aggregate Expression
  - options - the options
- Returns: a Publisher containing the queryable encrypted range expression
- Since: 4.9
- MongoDB documentation: queryable encryption, $match
- Since server release: 8.0

decrypt
Decrypt the given value.
- Parameters:
  - value - the value to decrypt, which must be of subtype 6
- Returns: a Publisher containing the decrypted value

deleteKey
Removes the key document with the given data key from the key vault collection.
- Parameters:
  - id - the data key UUID (BSON binary subtype 0x04)
- Returns: a Publisher containing the delete result
- Since: 4.7

getKey
Finds a single key document with the given UUID (BSON binary subtype 0x04).
- Parameters:
  - id - the data key UUID (BSON binary subtype 0x04)
- Returns: a Publisher containing the single key document or an empty publisher if there is no match
- Since: 4.7

getKeys
FindPublisher<BsonDocument> getKeys()
Finds all documents in the key vault collection.
- Returns: a find publisher for the documents in the key vault collection
- Since: 4.7

addKeyAltName
Adds a keyAltName to the keyAltNames array of the key document in the key vault collection with the given UUID.
- Parameters:
  - id - the data key UUID (BSON binary subtype 0x04)
  - keyAltName - the alternative key name to add to the keyAltNames array
- Returns: a Publisher containing the previous version of the key document or an empty publisher if no match
- Since: 4.7

removeKeyAltName
Removes a keyAltName from the keyAltNames array of the key document in the key vault collection with the given id.
- Parameters:
  - id - the data key UUID (BSON binary subtype 0x04)
  - keyAltName - the alternative key name
- Returns: a Publisher containing the previous version of the key document or an empty publisher if there is no match
- Since: 4.7

getKeyByAltName
Returns a key document in the key vault collection with the given keyAltName.
- Parameters:
  - keyAltName - the alternative key name
- Returns: a Publisher containing the matching key document or an empty publisher if there is no match
- Since: 4.7

rewrapManyDataKey
Decrypts multiple data keys and (re-)encrypts them with the current masterKey.
- Parameters:
  - filter - the filter
- Returns: a Publisher containing the result
- Since: 4.7

rewrapManyDataKey
Publisher<com.mongodb.client.model.vault.RewrapManyDataKeyResult> rewrapManyDataKey(Bson filter, com.mongodb.client.model.vault.RewrapManyDataKeyOptions options)
Decrypts multiple data keys and (re-)encrypts them with a new masterKey, or with their current masterKey if a new one is not given.
- Parameters:
  - filter - the filter
  - options - the options
- Returns: a Publisher containing the result
- Since: 4.7

createEncryptedCollection
Publisher<BsonDocument> createEncryptedCollection(MongoDatabase database, String collectionName, com.mongodb.client.model.CreateCollectionOptions createCollectionOptions, com.mongodb.client.model.CreateEncryptedCollectionParams createEncryptedCollectionParams)
Create a new collection with encrypted fields, automatically creating new data encryption keys when needed based on the configured encryptedFields, which must be specified. This method does not modify the configured encryptedFields when creating new data keys, instead it creates a new configuration if needed.
- Parameters:
  - database - The database to use for creating the collection.
  - collectionName - The name for the collection to create.
  - createCollectionOptions - Options for creating the collection.
  - createEncryptedCollectionParams - Auxiliary parameters for creating an encrypted collection.
- Returns: A publisher of the (potentially updated) encryptedFields configuration that was used to create the collection. A user may use this document to configure AutoEncryptionSettings.getEncryptedFieldsMap(). Signals MongoUpdatedEncryptedFieldsException if an exception happens after creating at least one data key. This exception makes the updated encryptedFields available to the caller.
- Since: 4.9
- MongoDB documentation: Create Command
- Since server release: 7.0

close
void close()
- Specified by: close in interface AutoCloseable
- Specified by: close in interface Closeable