MongoDB\Driver\ClientEncryption::createDataKey
(mongodb >=1.7.0)
MongoDB\Driver\ClientEncryption::createDataKey — Create a new encryption data key
Description
MongoDB\Driver\ClientEncryption::createDataKey(string $kmsProvider, array $options = ?): MongoDB\BSON\Binary
Creates a new key document and inserts it into the key vault collection.
Parameters
- kmsProvider
  The KMS provider (e.g. "local", "aws", "azure", "gcp") that will be used to encrypt the new encryption key.
- options
  Data key options:

  Option | Type | Description |
  ---|---|---|
  masterKey | array | The masterKey identifies a KMS-specific key used to encrypt the new data key. This option is required unless kmsProvider is "local". The required fields depend on the provider; see the provider-specific tables below. |
  keyAltNames | array | An optional list of string alternate names used to reference a key. If a key is created with alternate names, then encryption may refer to the key by the unique alternate name instead of by _id. |

  If kmsProvider is "aws", masterKey is required and has the following fields:

  AWS masterKey options
  Option | Type | Description |
  ---|---|---|
  region | string | Required. |
  key | string | Required. The Amazon Resource Name (ARN) to the AWS customer master key (CMK). |
  endpoint | string | Optional. An alternate host identifier to send KMS requests to. May include port number. |

  If kmsProvider is "azure", masterKey is required and has the following fields:

  Azure masterKey options
  Option | Type | Description |
  ---|---|---|
  keyVaultEndpoint | string | Required. Host with optional port (e.g. "example.vault.azure.net"). |
  keyName | string | Required. |
  keyVersion | string | Optional. A specific version of the named key. Defaults to using the key's primary version. |

  If kmsProvider is "gcp", masterKey is required and has the following fields:

  GCP masterKey options
  Option | Type | Description |
  ---|---|---|
  projectId | string | Required. |
  location | string | Required. |
  keyRing | string | Required. |
  keyName | string | Required. |
  keyVersion | string | Optional. A specific version of the named key. Defaults to using the key's primary version. |
  endpoint | string | Optional. Host with optional port. Defaults to "cloudkms.googleapis.com". |
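The following is an added example, not part of the manual page or the driver's own code, showing a complete createDataKey call with the "local" KMS provider followed by an encrypt/decrypt round trip that references the key both by its _id and by its keyAltName. It assumes a reachable MongoDB at MONGODB_URI, a driver built with libmongocrypt support, and a 96-byte local master key supplied base64-encoded in the LOCAL_MASTER_KEY environment variable; the key vault namespace encryption.__keyVault, the alternate name "ssn-key" and the sample plaintext are constructed for the example.

```php
<?php
// Added example (not from the manual): create a data key with the "local"
// KMS provider and use it. Assumes MONGODB_URI, LOCAL_MASTER_KEY (base64 of
// exactly 96 random bytes) and libmongocrypt support in the driver.
declare(strict_types=1);

use MongoDB\BSON\Binary;
use MongoDB\Driver\ClientEncryption;
use MongoDB\Driver\Command;
use MongoDB\Driver\Manager;

$uri = getenv('MONGODB_URI') ?: 'mongodb://127.0.0.1:27017';

// The local master key must be exactly 96 bytes. Generate it once with
// random_bytes(96), keep it base64-encoded outside the code base, and never
// commit it; here it is read from an environment variable (assumption).
$localKeyB64 = getenv('LOCAL_MASTER_KEY');
if ($localKeyB64 === false) {
    fwrite(STDERR, "LOCAL_MASTER_KEY is not set\n");
    exit(1);
}
$localKey = base64_decode($localKeyB64, true);
if ($localKey === false || strlen($localKey) !== 96) {
    fwrite(STDERR, "LOCAL_MASTER_KEY must decode to exactly 96 bytes\n");
    exit(1);
}

$manager = new Manager($uri);

// Key documents may be looked up by keyAltNames, so enforce uniqueness on
// that field in the key vault collection. The partial filter leaves key
// documents without alternate names unaffected. (Constructed index spec;
// the database/collection names are the example's own choice.)
$manager->executeCommand('encryption', new Command([
    'createIndexes' => '__keyVault',
    'indexes' => [[
        'name' => 'keyAltNames_1',
        'key' => ['keyAltNames' => 1],
        'unique' => true,
        'partialFilterExpression' => ['keyAltNames' => ['$exists' => true]],
    ]],
]));

$clientEncryption = $manager->createClientEncryption([
    'keyVaultNamespace' => 'encryption.__keyVault',
    'kmsProviders' => [
        'local' => ['key' => new Binary($localKey, Binary::TYPE_GENERIC)],
    ],
]);

// Create the data key. With "local" no masterKey option is needed. For a
// cloud KMS the masterKey option selects the wrapping key instead, e.g.
//   createDataKey('aws', ['masterKey' => ['region' => '<region>', 'key' => '<CMK ARN>']])
$keyId = $clientEncryption->createDataKey('local', [
    'keyAltNames' => ['ssn-key'],
]);
// The return value is a Binary of subtype 4 (UUID).
printf("Created data key %s (subtype %d)\n", bin2hex($keyId->getData()), $keyId->getType());

// Deterministic encryption yields the same ciphertext for equal plaintexts,
// which enables equality queries but also reveals which stored values are
// equal; use the RANDOM algorithm for fields that do not need to be queried.
$algorithm = ClientEncryption::AEAD_AES_256_CBC_HMAC_SHA_512_DETERMINISTIC;

// Reference the key by its _id ...
$byId = $clientEncryption->encrypt('123-45-6789', [
    'keyId' => $keyId,
    'algorithm' => $algorithm,
]);

// ... or by the alternate name given at creation time.
$byAltName = $clientEncryption->encrypt('123-45-6789', [
    'keyAltName' => 'ssn-key',
    'algorithm' => $algorithm,
]);

// Same key, same algorithm, same plaintext: deterministic output matches.
var_dump($byId->getData() === $byAltName->getData());

// Round trip back to the plaintext.
var_dump($clientEncryption->decrypt($byId));
```

Running this once creates the key document; running it again fails at createDataKey because the unique index rejects a second key with the alternate name "ssn-key", which is the intended guard against silently creating duplicate keys under one name.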
Return Values
Returns the identifier of the new key as a MongoDB\BSON\Binary object with subtype 4 (UUID).
Errors/Exceptions
- Throws MongoDB\Driver\Exception\InvalidArgumentException on argument parsing errors.
- Throws MongoDB\Driver\Exception\EncryptionException if an error occurs while creating the data key.
Changelog
Version | Description |
---|---|
PECL mongodb 1.10.0 | Azure and GCP are now supported as KMS providers for client-side encryption. |