encryption – Client side encryption

    Support for client side encryption is in beta. Backwards-breaking changes may be made before the final release.

    • class Algorithm
    • An enum that defines the supported encryption algorithms.
    • class pymongo.encryption.ClientEncryption(kms_providers, key_vault_namespace, key_vault_client, codec_options)
    • Explicit client side encryption.

    The ClientEncryption class encapsulates explicit operations on a key vault collection that cannot be done directly on a MongoClient. Similar to configuring auto encryption on a MongoClient, it is constructed with a MongoClient (to a MongoDB cluster containing the key vault collection), KMS provider configuration, and keyVaultNamespace. It provides an API for explicitly encrypting and decrypting values, and creating data keys. It does not provide an API to query keys from the key vault collection, as this can be done directly on the MongoClient.

    Note

    Support for client side encryption is in beta. Backwards-breaking changes may be made before the final release.

    Parameters:

    • kms_providers: Map of KMS provider options. Two KMS providers are supported: “aws” and “local”. The kmsProviders map values differ by provider:
    • codec_options: An instance of CodecOptions to use when encoding a value for encryption and decoding the decrypted BSON value.

    New in version 3.9.

    • close()
    • Release resources.

    Note that using this class in a with-statement will automatically call:

    • create_data_key(kms_provider, master_key=None, key_alt_names=None)
    • Create and insert a new data key into the key vault collection.

    Parameters:

    • kms_provider: The KMS provider to use. Supported values are “aws” and “local”.
    • master_key: The master_key identifies a KMS-specific key used to encrypt the new data key. If the kms_provider is “local” the master_key is not applicable and may be omitted. If the kms_provider is “aws”, master_key is required and must have the following fields:
      • key (string): The Amazon Resource Name (ARN) to the AWS customer master key (CMK).

    Returns: The _id of the created data key document.

    • decrypt(value)
    • Decrypt an encrypted value.

    Parameters:

    • value (Binary): The encrypted value, a Binary with subtype 6.

    Returns: The decrypted BSON value.

    • encrypt(value, algorithm, key_id=None, key_alt_name=None)
    • Encrypt a BSON value with a given key and algorithm.

    Note that exactly one of key_id or key_alt_name must be provided.

    Parameters:

    Returns: The encrypted value, a Binary with subtype 6.
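The reference above describes the shape of the API but not the envelope-encryption model behind it: a master key held by the KMS provider wraps per-field data keys, the key vault collection stores only the wrapped keys, and each ciphertext names the data key it was made with. The following is an added example, not pymongo's code and not a substitute for it: a self-contained model of the `ClientEncryption` flow for the “local” provider, with `create_data_key`, `encrypt` (exactly one of `key_id` or `key_alt_name`) and `decrypt`. It assumes a dict standing in for the key vault collection, `bytes` values instead of BSON values, 64-byte keys, and an HMAC-SHA256 keystream with an encrypt-then-MAC tag in place of the AES-CBC/HMAC-SHA-512 construction the real driver uses, so that it runs with the standard library only. All class, field and function names are this example's own assumptions.

```python
# Added example, not pymongo's code: a stand-alone model of the explicit
# client-side encryption flow for the "local" KMS provider. Standard library
# only: the cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag.
import hashlib
import hmac
import os
import uuid

KEY_LEN = 64  # this model's key size: 32 bytes keystream key + 32 bytes MAC key

def _keystream(key, nonce, length):
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def _seal(key, plaintext, aad):
    """Encrypt-then-MAC with a fresh random nonce: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key[:32], nonce, len(plaintext))))
    return nonce + ct + hmac.new(key[32:], aad + nonce + ct, hashlib.sha256).digest()

def _open(key, blob, aad):
    """Verify the tag in constant time before decrypting; raise on any mismatch."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key[32:], aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key[:32], nonce, len(ct))))

class ClientEncryption:
    """Model of pymongo.encryption.ClientEncryption, "local" provider only."""
    def __init__(self, kms_providers, key_vault):
        self._master_key = kms_providers["local"]["key"]  # never written to the vault
        self._key_vault = key_vault  # {_id: key document}, stands in for the collection

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.close()

    def close(self):
        self._master_key = None  # drop the secret; later calls fail

    def create_data_key(self, kms_provider, master_key=None, key_alt_names=None):
        if kms_provider != "local":
            raise NotImplementedError("only the 'local' provider is modelled")
        key_id = uuid.uuid4()
        # Envelope encryption: the vault stores the data key wrapped by the master key.
        self._key_vault[key_id] = {
            "_id": key_id,
            "keyMaterial": _seal(self._master_key, os.urandom(KEY_LEN), aad=b"local"),
            "keyAltNames": list(key_alt_names or []),
        }
        return key_id

    def _data_key(self, key_id=None, key_alt_name=None):
        if (key_id is None) == (key_alt_name is None):  # exactly one selector
            raise TypeError("exactly one of key_id or key_alt_name must be provided")
        docs = [d for d in self._key_vault.values()
                if d["_id"] == key_id or key_alt_name in d["keyAltNames"]]
        if not docs:
            raise KeyError("no such data key in the key vault")
        return docs[0]["_id"], _open(self._master_key, docs[0]["keyMaterial"], aad=b"local")

    def encrypt(self, value, key_id=None, key_alt_name=None):
        kid, data_key = self._data_key(key_id, key_alt_name)
        # The ciphertext carries the key _id (as a subtype 6 Binary does), so
        # decrypt() needs no key argument; binding it as AAD blocks key swapping.
        return kid.bytes + _seal(data_key, value, aad=kid.bytes)

    def decrypt(self, value):
        kid = uuid.UUID(bytes=value[:16])
        return _open(self._data_key(key_id=kid)[1], value[16:], aad=kid.bytes)

def _raises(exc, fn, *args):
    try:
        fn(*args)
    except exc:
        return True
    return False

def demo(master_key=None):
    """Round-trip a constructed value and report the checks a reviewer would want."""
    kms_providers = {"local": {"key": master_key or os.urandom(KEY_LEN)}}  # constructed
    key_vault = {}
    with ClientEncryption(kms_providers, key_vault) as ce:
        key_id = ce.create_data_key("local", key_alt_names=["ssn-key"])
        ct = ce.encrypt(b"123-45-6789", key_alt_name="ssn-key")
        return {
            "plaintext": ce.decrypt(ct),
            "tamper_detected": _raises(ValueError, ce.decrypt, ct[:-1] + bytes([ct[-1] ^ 1])),
            "ambiguous_rejected": _raises(TypeError, ce.encrypt, b"x", key_id, "ssn-key"),
            "vault_holds_master_key": kms_providers["local"]["key"] in key_vault[key_id].values(),
        }
```

`demo()` shows the properties worth confirming in a real deployment: the round trip succeeds, a flipped ciphertext byte is rejected before any plaintext is produced, passing both `key_id` and `key_alt_name` is an error rather than a silent choice, and the key vault contains wrapped key material only, never the master key. Because the master key is the only secret outside the database, a second client constructed with a different master key can read the vault but cannot unwrap any data key.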