public async void EncryptedWriteAndReadAsync(string keyIdBase64, KmsKeyLocation kmsKeyLocation)
{
// Construct a JSON Schema
var schema = JsonSchemaCreator.CreateJsonSchema(keyIdBase64);
// Construct an auto-encrypting client
var autoEncryptingClient = CreateAutoEncryptingClient(
kmsKeyLocation,
_keyVaultNamespace,
schema);
// Set our working database and collection to medicalRecords.patients
var collection = autoEncryptingClient
.GetDatabase(_medicalRecordsNamespace.DatabaseNamespace.DatabaseName)
.GetCollection <BsonDocument>(_medicalRecordsNamespace.CollectionName);
var ssnQuery = Builders <BsonDocument> .Filter.Eq("ssn", __sampleSsnValue);
// Upsert (update document if found, otherwise create it) a document into the collection
var medicalRecordUpdateResult = await collection
.UpdateOneAsync(ssnQuery, new BsonDocument("$set", __sampleDocFields), new UpdateOptions()
{
IsUpsert = true
});
if (!medicalRecordUpdateResult.UpsertedId.IsBsonNull)
{
Console.WriteLine("Successfully upserted the sample document!");
}
// Query by SSN field with auto-encrypting client
var result = collection.Find(ssnQuery).Single();
Console.WriteLine($"Encrypted client query by the SSN (deterministically-encrypted) field:\n {result}\n");
}
private IMongoClient CreateAutoEncryptingClient(
KmsKeyLocation kmsKeyLocation,
CollectionNamespace keyVaultNamespace,
BsonDocument schema)
{
var kmsProviders = new Dictionary <string, IReadOnlyDictionary <string, object> >();
// Specify the local master encryption key
if (kmsKeyLocation == KmsKeyLocation.Local)
{
var localMasterKeyBase64 = File.ReadAllText(__localMasterKeyPath);
var localMasterKeyBytes = Convert.FromBase64String(localMasterKeyBase64);
var localOptions = new Dictionary <string, object>
{
{ "key", localMasterKeyBytes }
};
kmsProviders.Add("local", localOptions);
}
//
var schemaMap = new Dictionary <string, BsonDocument>();
schemaMap.Add(_medicalRecordsNamespace.ToString(), schema);
// Specify location of mongocryptd binary, if necessary
var extraOptions = new Dictionary <string, object>()
{
// uncomment the following line if you are running mongocryptd manually
// { "mongocryptdBypassSpawn", true }
};
// Create CSFLE-enabled MongoClient
// The addition of the automatic encryption settings are what
// change this from a standard MongoClient to a CSFLE-enabled one
var clientSettings = MongoClientSettings.FromConnectionString(_connectionString);
var autoEncryptionOptions = new AutoEncryptionOptions(
keyVaultNamespace: keyVaultNamespace,
kmsProviders: kmsProviders,
schemaMap: schemaMap,
extraOptions: extraOptions);
clientSettings.AutoEncryptionOptions = autoEncryptionOptions;
return(new MongoClient(clientSettings));
}
private IMongoClient CreateAutoEncryptingClient(
KmsKeyLocation kmsKeyLocation,
CollectionNamespace keyVaultNamespace,
BsonDocument schema)
{
var kmsProviders = new Dictionary <string, IReadOnlyDictionary <string, object> >();
switch (kmsKeyLocation)
{
case KmsKeyLocation.Local:
var localMasterKeyBase64 = File.ReadAllText(__localMasterKeyPath);
var localMasterKeyBytes = Convert.FromBase64String(localMasterKeyBase64);
var localOptions = new Dictionary <string, object>
{
{ "key", localMasterKeyBytes }
};
kmsProviders.Add("local", localOptions);
break;
case KmsKeyLocation.AWS:
var awsAccessKey = Environment.GetEnvironmentVariable("FLE_AWS_ACCESS_KEY");
var awsSecretAccessKey = Environment.GetEnvironmentVariable("FLE_AWS_SECRET_ACCESS_KEY");
var awsKmsOptions = new Dictionary <string, object>
{
{ "accessKeyId", awsAccessKey },
{ "secretAccessKey", awsSecretAccessKey }
};
kmsProviders.Add("aws", awsKmsOptions);
break;
case KmsKeyLocation.Azure:
var azureTenantId = Environment.GetEnvironmentVariable("FLE_AZURE_TENANT_ID");
var azureClientId = Environment.GetEnvironmentVariable("FLE_AZURE_CLIENT_ID");
var azureClientSecret = Environment.GetEnvironmentVariable("FLE_AZURE_CLIENT_SECRET");
var azureIdentityPlatformEndpoint = Environment.GetEnvironmentVariable("FLE_AZURE_IDENTIFY_PLATFORM_ENPDOINT"); // Optional, only needed if user is using a non-commercial Azure instance
var azureKmsOptions = new Dictionary <string, object>
{
{ "tenantId", azureTenantId },
{ "clientId", azureClientId },
{ "clientSecret", azureClientSecret },
};
if (azureIdentityPlatformEndpoint != null)
{
azureKmsOptions.Add("identityPlatformEndpoint", azureIdentityPlatformEndpoint);
}
kmsProviders.Add("azure", azureKmsOptions);
break;
case KmsKeyLocation.GCP:
var gcpPrivateKey = Environment.GetEnvironmentVariable("FLE_GCP_PRIVATE_KEY");
var gcpEmail = Environment.GetEnvironmentVariable("FLE_GCP_EMAIL");
var gcpKmsOptions = new Dictionary <string, object>
{
{ "privateKey", gcpPrivateKey },
{ "email", gcpEmail },
};
kmsProviders.Add("gcp", gcpKmsOptions);
break;
}
var schemaMap = new Dictionary <string, BsonDocument>();
schemaMap.Add(_medicalRecordsNamespace.ToString(), schema);
var extraOptions = new Dictionary <string, object>()
{
// uncomment the following line if you are running mongocryptd manually
// { "mongocryptdBypassSpawn", true }
};
var clientSettings = MongoClientSettings.FromConnectionString(_connectionString);
var autoEncryptionOptions = new AutoEncryptionOptions(
keyVaultNamespace: keyVaultNamespace,
kmsProviders: kmsProviders,
schemaMap: schemaMap,
extraOptions: extraOptions);
clientSettings.AutoEncryptionOptions = autoEncryptionOptions;
return(new MongoClient(clientSettings));
}
