Navigation

Mongo()

Description

Changed in version 4.2.

Mongo(host, ClientSideFieldLevelEncryptionOptions)

JavaScript constructor to instantiate a database connection from the mongo shell or from a JavaScript file.

The Mongo() method has the following parameters:

Parameter Type Description
host string

Optional. The host, either in the form of <host> or <host><:port>.

If omitted, Mongo instantiates a connection to the localhost interface on the default port 27017.

ClientSideFieldLevelEncryptionOptions Document

Optional

New in version 4.2.

Configuration parameters for enabling Client-Side Field Level Encryption.

beta

Client-Side Field Level Encryption is available as a beta. The contents of this page may change during the beta period.

ClientSideFieldLevelEncryptionOptions overrides the existing client-side field level encryption configuration of the database connection. If omitted, Mongo() inherits the client-side field level encryption configuration of the current database connection.

For documentation of usage and syntax, see ClientSideFieldLevelEncryptionOptions.

ClientSideFieldLevelEncryptionOptions

New in version 4.2.

The ClientSideFieldLevelEncryptionOptions document specifies configuration options for Client-Side Field Level Encryption. If the database connection has an existing client-side field level encryption configuration, specifying ClientSideFieldLevelEncryptionOptions overrides that configuration.

For example, starting the mongo shell with client-side field level encryption command-line options enables client-side encryption for that connection. New database connections created using Mongo() inherit the encryption settings unless Mongo() includes ClientSideFieldLevelEncryptionOptions.

The ClientSideFieldLevelEncryptionOptions document has the following syntax:

{
  "keyVaultClient" : <object>,
  "keyVaultNamespace" : "<string>",
  "kmsProvider" : <object>,
  "schemaMap" : <object>,
  "bypassAutoEncryption" : <boolean>
}

The ClientSideFieldLevelEncryptionOptions document takes the following parameters:

Parameter Type Description
keyVaultClient Mongo() connection object.

(Optional) The MongoDB cluster hosting the key vault collection. Omit to use the current database connection as the key vault host.

Specify a Mongo() connection object pointing to the cluster:

var keyVaultClient = Mongo(<MongoDB URI>);

var ClientSideFieldLevelEncryptionOptions = {
  "keyVaultClient" : keyVaultClient,
  "keyVaultNamespace" : "<database>.<collection>",
  "kmsProvider" : { ... }
}
keyVaultNamespace string (Required) The full namespace of the key vault collection.
kmsProvider document

(Required) The Key Management Service (KMS) used by client-side field level encryption for managing a Customer Master Key (CMK). Client-side field level encryption uses the CMK for encrypting and decrypting data keys.

Client-side field level encryption either the Amazon Web Services KMS or a Locally Managed Key:

Amazon Web Services KMS

Warning

The 4.2.0 and 4.2.1 mongo shell does not support the AWS KMS service due to an unexpected change in the KMS response object. Previously functional applications using the mongo shell to perform client-side field level encryption using AWS KMS may now return errors during encryption operations. Official MongoDB 4.2-compatible drivers with client-side field level encryption support are unaffected.

SERVER-44721 documents the issue and is scheduled for the future 4.2.2 release.

Specify the aws document to kmsProvider with the following fields:

"kmsProvider" : {
   "aws" : {
     "accessKeyId" : "AWSAccessKeyId",
     "secretAccessKey" : "AWSSecretAccessKey"
   }
 }

The specified accessKeyId must correspond to an IAM user with all List and Read permissions for the KMS service.

Locally Managed Key

Specify the local document to kmsProvider with the following field:

"kmsProvider" : {
  "local" : {
     "key" : BinData(0, "<96 byte base-64 encoded key>")
  }
}

The specified key must be a base64-encoded 96-byte string with no newline characters.

schemaMap document

(Optional) The automatic client-side field level encryption rules specified using the JSON schema Draft 4 standard syntax and encryption-specific keywords.

For complete documentation, see Automatic Encryption JSON Schema Syntax.

bypassAutoEncryption boolean (Optional) Specify true to bypass automatic client-side field level encryption rules and perform explicit (manual) per-field encryption.

Example

Connect to a MongoDB Cluster

The following operation creates a new connection object from the mongo shell:

cluster = Mongo("mongodb://mymongo.example.net:27017/?replicaSet="myMongoCluster")

Issue operations against the cluster object to interact with the mymongo.example.net:27017 cluster:

myDB = cluster.getDB("myDB"); //returns the database object
myColl = myDB.myColl("myColl"); // returns the collection object

Connect to a MongoDB Cluster with Client-Side Encryption Enabled

Configuring client-side field level encryption for a locally managed key requires specifying a base64-encoded 96-byte string with no line breaks. The following operation generates a key that meets the stated requirements and loads it into the mongo shell:

TEST_LOCAL_KEY=$(echo "$(head -c 96 /dev/urandom | base64 | tr -d '\n')")

mongo --nodb --shell --eval "var TEST_LOCAL_KEY='$TEST_LOCAL_KEY'"

The following operation creates a new connection object from the mongo shell. The ClientSideFieldLevelEncryptionOptions option specifies the required options for enabling client-side field level encryption using a locally managed key:

var ClientSideFieldLevelEncryptionOptions = {
  "keyVaultNamespace" : "encryption.dataKeys",
  "kmsProviders" : {
    "local" : {
      "key" : BinData(0, TEST_LOCAL_KEY)
    }
  }
}

cluster = Mongo(
  "mongodb://mymongo.example.net:27017/?replicaSet="myMongoCluster",
  ClientSideFieldLevelEncryptionOptions
)

Issue operations against the cluster object to interact with the mymongo.example.net:27017 cluster and perform explicit encryption:

// returns the database object
myDB = cluster.getDB("myDB");

// returns the collection object
myColl = myDB.myColl("myColl");

// returns object for managing data keys
keyVault = cluster.getKeyVault();

// returns object for explicit encryption/decryption
clientEncryption = cluster.getClientEncryption();

See Client-Side Field Level Encryption Methods for a complete list of client-side field level encryption methods.

Connect to a MongoDB Cluster with Automatic Client-Side Encryption Enabled

Configuring client-side field level encryption for a locally managed key requires specifying a base64-encoded 96-byte string with no line breaks. The following operation generates a key that meets the stated requirements and loads it into the mongo shell:

TEST_LOCAL_KEY=$(echo "$(head -c 96 /dev/urandom | base64 | tr -d '\n')")

mongo --nodb --shell --eval "var TEST_LOCAL_KEY='$TEST_LOCAL_KEY'"

The following operation creates a new connection object from the mongo shell. The ClientSideFieldLevelEncryptionOptions option specifies the required options for enabling automatic client-side encryption on the hr.employees collection:

var ClientSideFieldLevelEncryptionOptions = {
  "keyVaultNamespace" : "encryption.dataKeys",
  "kmsProviders" : {
    "local" : {
      "key" : BinData(0,"BASE64-ENCODED-96-BYTE-LOCAL-KEY")
    }
  },
  schemaMap : {
    "hr.employees" : {
      "bsonType": "object",
      "properties" : {
        "ssn" : {
          "encrypt" : {
            "keyId" : UUID("bffb361b-30d3-42c0-b7a4-d24a272b72e3"),
            "bsonType" : "string",
            "algorithm" : "AEAD_AES_256_CBC_HMAC_SHA_512-Random"
          }
        }
      }
    }
  }
}

cluster = Mongo(
  "mongodb://mymongo.example.net:27017/?replicaSet="myMongoCluster",
  ClientSideFieldLevelEncryptionOptions
)

Issue operations against the cluster object to interact with the mymongo.example.net:27017 cluster and utilize automatic encryption:

// returns the database object
myDB = cluster.getDB("myDB");

// returns the collection object
myColl = myDB.myColl("myColl");

myColl.insertOne({"name" : "J Doe", "ssn" : "123-45-6789"})

The specified automatic encryption rules encrypt the ssn field using the specified data key and algorithm. Only clients configured for the correct KMS and access to the specified data key can decrypt the field.

See Client-Side Field Level Encryption Methods for a complete list of client-side field level encryption methods.

←   connect() Mongo.getDB()  →