
How to maintain consistent encryption keys in MongoDB client field-level encryption?

王林
2024-02-06 09:00:13


Question content

I am using MongoDB client-side field-level encryption to encrypt and decrypt data. However, I noticed that every time I execute the program, the original binary key changes. This makes it difficult for me to retrieve previously encrypted data because I can't decrypt it with the new key.

Is there a way to maintain consistent encryption keys for client-side field-level encryption in MongoDB? If so, how can I do it?

https://www.mongodb.com/docs/manual/core/csfle/fundamentals/manual-encryption/#std-label-csfle-fundamentals-manual-encryption

https://go.dev/play/p/6W8e0OiPV2L

I'm trying to implement client-side field-level encryption in a MongoDB community project so that certain fields in a document are encrypted before being stored in the database, and then decrypted when retrieving them from the database.

I have been following the MongoDB documentation and was able to successfully encrypt and decrypt data the first time I executed the program. However, I noticed that the key changes every time I run the program again, and I want to keep the key the same.


Correct Answer


These lines should be deleted:

// drop the key vault collection in case you created this collection
// in a previous run of this application.
if err = client.Database(keyVaultDb).Collection(keyVaultColl).Drop(context.TODO()); err != nil {
    log.Fatalf("Collection.Drop error: %v", err)
}

The following line is only required if the key does not already exist:

dataKeyID, err := clientEnc.CreateDataKey(context.TODO(), provider, dataKeyOpts)
if err != nil {
    log.Fatalf("CreateDataKey error: %v", err)
}

Maybe first call clientEnc.GetKeyByAltName to check if the key exists.

By saying "the original binary key changes", I think you mean the data encryption key (DEK) changes. This is caused by the collection where the DEK is stored being deleted.

See Keys and Key Vaults:

The Customer Master Key (CMK) is the key you use to encrypt the Data Encryption Key (DEK)....

The Data Encryption Key (DEK) is the key used to encrypt fields in MongoDB documents. You store your data encryption keys in a key vault collection, encrypted using the CMK...

If you delete a Data Encryption Key (DEK), all fields encrypted with that DEK become permanently unreadable.

If you remove a CMK, all fields encrypted with a DEK that was encrypted using that CMK become permanently unreadable.
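An added illustration, not part of the question or the answer above and not the MongoDB Go driver's own code: the following Go program models the key hierarchy the answer quotes (a CMK that wraps a DEK, the wrapped DEK living in a key vault) using only the standard library, so it runs without a MongoDB deployment or libmongocrypt. GetOrCreateDataKey is the look-up-then-create pattern the answer recommends in place of an unconditional CreateDataKey on every run; Scenario replays the question twice, once with the key vault kept (same DEK, decryption works) and once with it dropped (new DEK, the old ciphertext fails GCM authentication). The KeyVault type, the function names, the 32-byte stand-in master key and the sample card number are all constructed for this example; the real local KMS provider takes a 96-byte key and the real key vault is a MongoDB collection.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyVault stands in for the CSFLE key vault collection: one DEK per keyAltName, stored wrapped under the CMK.
type KeyVault struct {
	docs map[string][]byte
}

func NewKeyVault() *KeyVault { return &KeyVault{docs: map[string][]byte{}} }

// Drop models dropping the key vault collection, as the question's program did on every run.
func (v *KeyVault) Drop() { v.docs = map[string][]byte{} }

// randBytes returns n bytes from the CSPRNG; a failing CSPRNG is fatal in a key-management path.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// gcmFor builds AES-256-GCM for a key; every key in this model is 32 bytes, so errors are programming bugs.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	check(err)
	gcm, err := cipher.NewGCM(block)
	check(err)
	return gcm
}

// seal returns nonce||ciphertext; it wraps DEKs under the CMK and encrypts field values under a DEK.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; GCM authentication fails when a different key is supplied.
func open(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// GetOrCreateDataKey is the look-up-first pattern the answer recommends: reuse the DEK registered
// under altName and create one only when the vault has none. The bool reports whether one was created.
func GetOrCreateDataKey(v *KeyVault, cmk []byte, altName string) ([]byte, bool, error) {
	if wrapped, ok := v.docs[altName]; ok {
		dek, err := open(cmk, wrapped) // unwrap with the CMK
		return dek, false, err
	}
	dek := randBytes(32)
	v.docs[altName] = seal(cmk, dek) // the vault holds the DEK wrapped, never in the clear
	return dek, true, nil
}

// Scenario replays the question: run 1 creates the DEK and encrypts a field, run 2 (vault kept) finds
// the same DEK and decrypts, run 3 (vault dropped) gets a fresh DEK that cannot decrypt the old value.
func Scenario() (sameKey, decryptsAfterKeep, decryptsAfterDrop bool) {
	cmk := randBytes(32) // constructed stand-in for the local master key
	vault, alt := NewKeyVault(), "demo-data-key"
	dek1, _, err := GetOrCreateDataKey(vault, cmk, alt)
	check(err)
	ct := seal(dek1, []byte("4111 1111 1111 1111")) // constructed sample field value
	dek2, created, err := GetOrCreateDataKey(vault, cmk, alt)
	check(err)
	sameKey = !created && bytes.Equal(dek1, dek2)
	_, err = open(dek2, ct)
	decryptsAfterKeep = err == nil
	vault.Drop()
	dek3, _, err := GetOrCreateDataKey(vault, cmk, alt)
	check(err)
	_, err = open(dek3, ct)
	decryptsAfterDrop = err == nil
	return
}

func main() {
	same, keep, drop := Scenario()
	fmt.Printf("vault kept: same DEK=%v, decrypts=%v; vault dropped: decrypts=%v\n", same, keep, drop)
}
```

With the real driver the same shape is a clientEnc.GetKeyByAltName lookup followed by CreateDataKey (with the alt name set through options.DataKey().SetKeyAltNames) only when the lookup returns no document; the key vault collection itself is then never dropped, and is backed up like any other store whose loss makes data unrecoverable. The wrong-CMK case in the model (unwrapping fails) is the same failure the quoted docs describe for a removed CMK.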


Statement:
This article is reproduced from stackoverflow.com. If there is any infringement, please contact admin@php.cn for deletion.