ClientEncryption.createEncryptedCollection()
New in version 7.0.
ClientEncryption.createEncryptedCollection(dbName, collName, clientEncOpts)
ClientEncryption.createEncryptedCollection creates an encrypted collection specified by collName on the database specified by dbName.
Compatibility
This command is available in deployments hosted in the following environments:
MongoDB Atlas: The fully managed service for MongoDB deployments in the cloud
MongoDB Enterprise: The subscription-based, self-managed version of MongoDB
MongoDB Community: The source-available, free-to-use, and self-managed version of MongoDB
Syntax
ClientEncryption.createEncryptedCollection has the
following syntax:
clientEncryption = db.getMongo().getClientEncryption()
clientEncryption.createEncryptedCollection(
  dbName,
  collName,
  {
    provider: kmsProviderName,
    createCollectionOptions: encryptedFieldsMap,
    masterKey: customerMasterKeyCredentials
  }
)
Command Fields
createEncryptedCollection takes these fields:
| Field | Type | Necessity | Description |
|---|---|---|---|
| dbName | string | Required | Name of the database to encrypt. |
| collName | string | Required | Name of the collection to encrypt. |
| clientEncOpts | document | Required | Options to configure the encrypted collection. |
| clientEncOpts.provider | string | Required | KMS you are using to store your Customer Master Key. |
| clientEncOpts.createCollectionOptions | document | Required | Fields to encrypt. See Specify Fields for Encryption for configuration details. |
| clientEncOpts.masterKey | document | Optional | How to get the master key when the KMS Provider is AWS, GCP, or Azure. |
Behavior
The mongosh client-side field level and queryable
encryption methods require a database connection configured for
client-side encryption. If the current database connection was not
initiated with client-side field level encryption enabled, either:
Use the Mongo() constructor from mongosh to establish a connection with the required client-side field level encryption options. The Mongo() method supports the following Key Management Service (KMS) providers for Customer Master Key (CMK) management:
or
Use the mongosh command line options to establish a connection with the required options. The command line options only support the Amazon Web Services KMS provider for CMK management.
Example
The following example uses a locally managed KMS for the Queryable Encryption configuration.
Create Your Encrypted Connection
Start mongosh
Run:
mongosh --nodb
--nodb means don't connect to a database.
Generate a Key String
Generate a base64-encoded 96-byte string:
const TEST_LOCAL_KEY = require("crypto").randomBytes(96).toString("base64")
Create an Encryption Options Object
To create a client-side field level encryption options object, use the TEST_LOCAL_KEY string from the previous step:
var autoEncryptionOpts = {
  "keyVaultNamespace" : "encryption.__dataKeys",
  "kmsProviders" : {
    "local" : {
      "key" : BinData(0, TEST_LOCAL_KEY)
    }
  }
}
Create an Encrypted Client Object
To create an encrypted client object, use the Mongo() constructor. Replace the mongodb://myMongo.example.net URI with the connection string URI for the target cluster. For example:
encryptedClient = Mongo(
  "mongodb://myMongo.example.net:27017/?replSetName=myMongo",
  autoEncryptionOpts
)
Create Your Encrypted Collection
Create an encrypted enc.users collection:
clientEncryption = encryptedClient.getClientEncryption();
var result = clientEncryption.createEncryptedCollection(
  "enc",
  "users",
  {
    provider: "local",
    createCollectionOptions: encryptedFieldsMap,
    masterKey: {} // masterKey is optional when provider is local
  }
)
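The call above passes encryptedFieldsMap without defining it, and the key string generated earlier is expected to decode to 96 bytes. The following added example (not part of the MongoDB documentation) defines a constructed encryptedFieldsMap and checks both inputs before they are used; the field paths ssn and billing, the function names, and the checks themselves are this example's own, and it assumes a Node.js-style Buffer global.

```javascript
// Added example, not MongoDB's code. Assumes a Node.js-style Buffer global.

// The local provider key in the steps above is 96 bytes; check it before BinData().
function checkLocalKey(b64) {
  const raw = Buffer.from(b64, "base64");
  // Buffer.from() does not throw on malformed base64, so re-encode and compare.
  if (raw.toString("base64") !== b64) return "not canonical base64";
  if (raw.length !== 96) return `decodes to ${raw.length} bytes, expected 96`;
  return null; // null: no problem found
}

// Constructed sample for createCollectionOptions; the field paths are hypothetical.
const encryptedFieldsMap = {
  encryptedFields: {
    fields: [
      { path: "ssn", bsonType: "string", queries: { queryType: "equality" } },
      { path: "billing", bsonType: "object" } // encrypted, no queries entry
    ]
  }
};

// Structural checks chosen for this example; the server does its own validation.
function checkEncryptedFieldsMap(map) {
  const fields = map && map.encryptedFields && map.encryptedFields.fields;
  if (!Array.isArray(fields) || fields.length === 0) {
    return ["encryptedFields.fields must be a non-empty array"];
  }
  const problems = [];
  const seen = new Set();
  fields.forEach((field, i) => {
    const f = field || {};
    const hasPath = typeof f.path === "string" && f.path !== "";
    const name = hasPath ? f.path : `fields[${i}]`;
    if (!hasPath) problems.push(`${name}: missing path`);
    else if (seen.has(name)) problems.push(`${name}: duplicate path`);
    seen.add(name);
    if (typeof f.bsonType !== "string") problems.push(`${name}: missing bsonType`);
    const queries = f.queries ? [].concat(f.queries) : [];
    if (queries.some((q) => !q || typeof q.queryType !== "string")) {
      problems.push(`${name}: queries entry without queryType`);
    }
  });
  return problems;
}
```

Both functions return their findings instead of throwing, so a setup script can report every problem in one pass before connecting.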
Learn More
For complete documentation on initiating MongoDB connections with client-side field level encryption enabled, see Mongo().
For a complete example of how to create and query an encrypted collection, see Queryable Encryption Quick Start.