Navigation

KeyVault.getKeyByAltName()

On this page

New in version 4.2.

beta

Client-Side Field Level Encryption is available as a beta. The contents of this page may change during the beta period.

KeyVault.getKeyByAltName(keyAltName)

Gets all data keys with the specified keyAltName.

getKeyByAltName() has the following syntax:

keyVault = db.getMongo().getKeyVault()

keyVault.getKeyByAltName("keyAltName")
returns:

Document representing a matching data key.

Returns nothing if no data key has the specified keyAltName.

Behavior

Requires Configuring Client-Side Field Level Encryption on Database Connection

The mongo client-side field level encrytion methods require a database connection with client-side field level encryption enabled. If the current database connection was not initiated with client-side field level encryption enabled, either:

  • Use the Mongo() constructor from the mongo shell to establish a connection with the required client-side field level encryption options. The Mongo() method supports both Amazon Web Services and Local Key Management Service (KMS) providers for Customer Master Key (CMK) management.

    or

  • Use the mongo shell command line options to establish a connection with the required options. The command line options only support the AWS KMS provider for CMK management.

Example

The following example uses a locally managed KMS for the client-side field level encryption configuration.

Configuring client-side field level encryption for a locally managed key requires specifying a base64-encoded 96-byte string with no line breaks. The following operation generates a key that meets the stated requirements:

echo "$(head -c 96 /dev/urandom | base64 | tr -d '\n')"

Create a mongo shell session using the --nodb option and issue the following operation from that shell:

mongo --nodb

From the mongo shell session, issue the following operation to create the client-side field level encryption configuration object. Replace the key string with a valid base64-encoded 96-byte string, such as the one genereated using the code provided at the beginning of this example:

var ClientSideFieldLevelEncryptionOptions = {
  "keyVaultNamespace" : "encryption.__dataKeys",
  "kmsProviders" : {
    "local" : {
      "key" : BinData(0, "96-BYTE_LOCAL_KEY_STRING")
    }
  }
}

Use the Mongo() constructor to create a database connection with the client-side field level encryption options. Replace the mongodb://myMongo.example.net URI with the connection string URI of the target cluster.

encryptedClient = Mongo(
  "mongodb://myMongo.example.net:27017/?replSetName=myMongo",
  clientSideFLEOptions
)

Retrieve the KeyVault object and use the KeyVault.getKeyByAltName() method to retrieve the data key whose keyAltNames array includes the specified key alternate name:

keyVault.getKeyByAltName("data-encryption-key")

getKeyByAltName() returns the following data key:

{
    "_id" : UUID("b4b41b33-5c97-412e-a02b-743498346079"),
    "keyMaterial" : BinData(0,"PXRsLOAYxhzTS/mFQAI8486da7BwZgqA91UI7NKz/T/AjB0uJZxTvhvmQQsKbCJYsWVS/cp5Rqy/FUX2zZwxJOJmI3rosPhzV0OI5y1cuXhAlLWlj03CnTcOSRzE/YIrsCjMB0/NyiZ7MRWUYzLAEQnE30d947XCiiHIb8a0kt2SD0so8vZvSuP2n0Vtz4NYqnzF0CkhZSWFa2e2yA=="),
    "creationDate" : ISODate("2019-08-12T21:21:30.569Z"),
    "updateDate" : ISODate("2019-08-12T21:21:30.569Z"),
    "status" : 0,
    "version" : NumberLong(0),
    "masterKey" : {
        "provider" : "local"
    },
    "keyAltNames" : [
        "data-encryption-key"
    ]
}