MongoDB\Driver\Manager::createClientEncryption
(mongodb >=1.7.0)
MongoDB\Driver\Manager::createClientEncryption — Create a new ClientEncryption object
Description
$options
): MongoDB\Driver\ClientEncryptionConstructs a new MongoDB\Driver\ClientEncryption object with the specified options.
Parameters
-
options
-
options Option Type Description keyVaultClient MongoDB\Driver\Manager The Manager used to route data key queries to a separate MongoDB cluster. By default, the current Manager and cluster is used. keyVaultNamespace string A fully qualified namespace (e.g. "databaseName.collectionName"
) denoting the collection that contains all data keys used for encryption and decryption.kmsProviders array A document containing the configuration for one or more KMS providers, which are used to encrypt data keys. Supported providers include
"aws"
,"azure"
,"gcp"
,"kmip"
, and"local"
and at least one must be specified.The format for
"aws"
is as follows:aws: { accessKeyId: <string>, secretAccessKey: <string> }
The format for
"azure"
is as follows:azure: { tenantId: <string>, clientId: <string>, clientSecret: <string>, identityPlatformEndpoint: <optional string> // Defaults to "login.microsoftonline.com" }
The format for
"gcp"
is as follows:gcp: { email: <string>, privateKey: <base64 string>|<MongoDB\BSON\Binary>, endpoint: <optional string> // Defaults to "oauth2.googleapis.com" }
The format for
"kmip"
is as follows:kmip: { endpoint: <string> }
The format for
"local"
is as follows:local: { // 96-byte master key used to encrypt/decrypt data keys key: <base64 string>|<MongoDB\BSON\Binary> }
tlsOptions array A document containing the TLS configuration for one or more KMS providers. Supported providers include
"aws"
,"azure"
,"gcp"
, and"kmip"
. All providers support the following options:<provider>: { tlsCaFile: <optional string>, tlsCertificateKeyFile: <optional string>, tlsCertificateKeyFilePassword: <optional string> }
Return Values
Returns a new MongoDB\Driver\ClientEncryption instance.
Errors/Exceptions
- Throws MongoDB\Driver\Exception\InvalidArgumentException on argument parsing errors.
- Throws MongoDB\Driver\Exception\RuntimeException if the extension was compiled without libmongocrypt support
Changelog
Version | Description |
---|---|
PECL mongodb 1.12.0 |
KMIP is now supported as a KMS provider for client-side encryption and
may be configured in the
Added the |
PECL mongodb 1.10.0 |
Azure and GCP are now supported as KMS providers for client-side
encryption and may be configured in the
"kmsProviders" option. Base64-encoded strings are now
accepted as an alternative to MongoDB\BSON\Binary
for options within "kmsProviders" .
|
See Also
- MongoDB\Driver\ClientEncryption::__construct() - Create a new ClientEncryption object
- » Explicit (Manual) Client-Side Field Level Encryption in the MongoDB manual