public void ClientSideExplicitEncryptionAndDecryptionTour()
{
RequireServer.Check().Supports(Feature.ClientSideEncryption);
var localMasterKey = Convert.FromBase64String(LocalMasterKey);
var kmsProviders = new Dictionary <string, IReadOnlyDictionary <string, object> >();
var localKey = new Dictionary <string, object>
{
{ "key", localMasterKey }
};
kmsProviders.Add("local", localKey);
var keyVaultNamespace = CollectionNamespace.FromFullName("encryption.__keyVault");
var keyVaultClient = new MongoClient("mongodb://localhost");
var keyVaultDatabase = keyVaultClient.GetDatabase(keyVaultNamespace.DatabaseNamespace.DatabaseName);
keyVaultDatabase.DropCollection(keyVaultNamespace.CollectionName);
// Create the ClientEncryption instance
var clientEncryptionSettings = new ClientEncryptionOptions(
keyVaultClient,
keyVaultNamespace,
kmsProviders);
using (var clientEncryption = new ClientEncryption(clientEncryptionSettings))
{
var dataKeyId = clientEncryption.CreateDataKey(
"local",
new DataKeyOptions(),
CancellationToken.None);
var originalString = "123456789";
_output.WriteLine($"Original string {originalString}.");
// Explicitly encrypt a field
var encryptOptions = new EncryptOptions(
EncryptionAlgorithm.AEAD_AES_256_CBC_HMAC_SHA_512_Deterministic.ToString(),
keyId: dataKeyId);
var encryptedFieldValue = clientEncryption.Encrypt(
originalString,
encryptOptions,
CancellationToken.None);
_output.WriteLine($"Encrypted value {encryptedFieldValue}.");
// Explicitly decrypt the field
var decryptedValue = clientEncryption.Decrypt(encryptedFieldValue, CancellationToken.None);
_output.WriteLine($"Decrypted value {decryptedValue}.");
}
}
private Guid CreateDataKey(
ClientEncryption clientEncryption,
string kmsProvider,
DataKeyOptions dataKeyOptions,
bool async)
{
if (async)
{
return(clientEncryption
.CreateDataKeyAsync(kmsProvider, dataKeyOptions, CancellationToken.None)
.GetAwaiter()
.GetResult());
}
else
{
return(clientEncryption.CreateDataKey(kmsProvider, dataKeyOptions, CancellationToken.None));
}
}
// public void ClientSideEncryptionAutoEncryptionSettingsTour()
public static void Main(string[] args)
{
var localMasterKey = Convert.FromBase64String(LocalMasterKey);
var kmsProviders = new Dictionary <string, IReadOnlyDictionary <string, object> >();
var localKey = new Dictionary <string, object>
{
{ "key", localMasterKey }
};
kmsProviders.Add("local", localKey);
var keyVaultDB = "keyVault";
var keystore = "__keystore";
var keyVaultNamespace = CollectionNamespace.FromFullName($"{keyVaultDB}.{keystore}");
var keyVaultMongoClient = new MongoClient();
var clientEncryptionSettings = new ClientEncryptionOptions(
keyVaultMongoClient,
keyVaultNamespace,
kmsProviders);
var clientEncryption = new ClientEncryption(clientEncryptionSettings);
keyVaultMongoClient.GetDatabase(keyVaultDB).DropCollection(keystore);
var altKeyName = new[] { "csharpDataKey01" };
var dataKeyOptions = new DataKeyOptions(alternateKeyNames: altKeyName);
var dataKeyId = clientEncryption.CreateDataKey("local", dataKeyOptions, CancellationToken.None);
var base64DataKeyId = Convert.ToBase64String(GuidConverter.ToBytes(dataKeyId, GuidRepresentation.Standard));
clientEncryption.Dispose();
var collectionNamespace = CollectionNamespace.FromFullName("test.coll");
var schemaMap = $@"{{
properties: {{
SSN: {{
encrypt: {{
keyId: [{{
'$binary' : {{
'base64' : '{base64DataKeyId}',
'subType' : '04'
}}
}}],
bsonType: 'string',
algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'
}}
}}
}},
'bsonType': 'object'
}}";
var autoEncryptionSettings = new AutoEncryptionOptions(
keyVaultNamespace,
kmsProviders,
schemaMap: new Dictionary <string, BsonDocument>()
{
{ collectionNamespace.ToString(), BsonDocument.Parse(schemaMap) }
});
var clientSettings = new MongoClientSettings
{
AutoEncryptionOptions = autoEncryptionSettings
};
var client = new MongoClient(clientSettings);
var database = client.GetDatabase("test");
database.DropCollection("coll");
var collection = database.GetCollection <BsonDocument>("coll");
collection.InsertOne(new BsonDocument("SSN", "123456789"));
var result = collection.Find(FilterDefinition <BsonDocument> .Empty).First();
Console.WriteLine(result.ToJson());
}
public void ClientSideExplicitEncryptionAndAutoDecryptionTour()
{
RequireServer.Check().Supports(Feature.ClientSideEncryption);
var localMasterKey = Convert.FromBase64String(LocalMasterKey);
var kmsProviders = new Dictionary <string, IReadOnlyDictionary <string, object> >();
var localKey = new Dictionary <string, object>
{
{ "key", localMasterKey }
};
kmsProviders.Add("local", localKey);
var keyVaultNamespace = CollectionNamespace.FromFullName("encryption.__keyVault");
var collectionNamespace = CollectionNamespace.FromFullName("test.coll");
var autoEncryptionOptions = new AutoEncryptionOptions(
keyVaultNamespace,
kmsProviders,
bypassAutoEncryption: true);
var clientSettings = MongoClientSettings.FromConnectionString("mongodb://localhost");
clientSettings.AutoEncryptionOptions = autoEncryptionOptions;
var mongoClient = new MongoClient(clientSettings);
var database = mongoClient.GetDatabase(collectionNamespace.DatabaseNamespace.DatabaseName);
database.DropCollection(collectionNamespace.CollectionName);
var collection = database.GetCollection <BsonDocument>(collectionNamespace.CollectionName);
var keyVaultClient = new MongoClient("mongodb://localhost");
var keyVaultDatabase = keyVaultClient.GetDatabase(keyVaultNamespace.DatabaseNamespace.DatabaseName);
keyVaultDatabase.DropCollection(keyVaultNamespace.CollectionName);
// Create the ClientEncryption instance
var clientEncryptionSettings = new ClientEncryptionOptions(
keyVaultClient,
keyVaultNamespace,
kmsProviders);
using (var clientEncryption = new ClientEncryption(clientEncryptionSettings))
{
var dataKeyId = clientEncryption.CreateDataKey(
"local",
new DataKeyOptions(),
CancellationToken.None);
var originalString = "123456789";
_output.WriteLine($"Original string {originalString}.");
// Explicitly encrypt a field
var encryptOptions = new EncryptOptions(
EncryptionAlgorithm.AEAD_AES_256_CBC_HMAC_SHA_512_Deterministic.ToString(),
keyId: dataKeyId);
var encryptedFieldValue = clientEncryption.Encrypt(
originalString,
encryptOptions,
CancellationToken.None);
_output.WriteLine($"Encrypted value {encryptedFieldValue}.");
collection.InsertOne(new BsonDocument("encryptedField", encryptedFieldValue));
// Automatically decrypts the encrypted field.
var decryptedValue = collection.Find(FilterDefinition <BsonDocument> .Empty).First();
_output.WriteLine($"Decrypted document {decryptedValue.ToJson()}.");
}
}
public void ClientSideEncryptionAutoEncryptionSettingsTour()
{
RequireServer.Check().Supports(Feature.ClientSideEncryption);
var localMasterKey = Convert.FromBase64String(LocalMasterKey);
var kmsProviders = new Dictionary <string, IReadOnlyDictionary <string, object> >();
var localKey = new Dictionary <string, object>
{
{ "key", localMasterKey }
};
kmsProviders.Add("local", localKey);
var keyVaultNamespace = CollectionNamespace.FromFullName("admin.datakeys");
var keyVaultMongoClient = new MongoClient();
var clientEncryptionSettings = new ClientEncryptionOptions(
keyVaultMongoClient,
keyVaultNamespace,
kmsProviders);
var clientEncryption = new ClientEncryption(clientEncryptionSettings);
var dataKeyId = clientEncryption.CreateDataKey("local", new DataKeyOptions(), CancellationToken.None);
var base64DataKeyId = Convert.ToBase64String(GuidConverter.ToBytes(dataKeyId, GuidRepresentation.Standard));
clientEncryption.Dispose();
var collectionNamespace = CollectionNamespace.FromFullName("test.coll");
var schemaMap = $@"{{
properties: {{
encryptedField: {{
encrypt: {{
keyId: [{{
'$binary' : {{
'base64' : '{base64DataKeyId}',
'subType' : '04'
}}
}}],
bsonType: 'string',
algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'
}}
}}
}},
'bsonType': 'object'
}}";
var autoEncryptionSettings = new AutoEncryptionOptions(
keyVaultNamespace,
kmsProviders,
schemaMap: new Dictionary <string, BsonDocument>()
{
{ collectionNamespace.ToString(), BsonDocument.Parse(schemaMap) }
});
var clientSettings = new MongoClientSettings
{
AutoEncryptionOptions = autoEncryptionSettings
};
var client = new MongoClient(clientSettings);
var database = client.GetDatabase("test");
database.DropCollection("coll");
var collection = database.GetCollection <BsonDocument>("coll");
collection.InsertOne(new BsonDocument("encryptedField", "123456789"));
var result = collection.Find(FilterDefinition <BsonDocument> .Empty).First();
_output.WriteLine(result.ToJson());
}
