(mongodb >=1.7.0)
MongoDB\Driver\Manager::createClientEncryption — Create a new ClientEncryption object
$options
): MongoDB\Driver\ClientEncryptionConstructs a new MongoDB\Driver\ClientEncryption object with the specified options.
options
Option | Type | Description |
---|---|---|
keyVaultClient | MongoDB\Driver\Manager | The Manager used to route data key queries to a separate MongoDB cluster. By default, the current Manager and cluster is used. |
keyVaultNamespace | string | A fully qualified namespace (e.g. "databaseName.collectionName" ) denoting the collection that contains all data keys used for encryption and decryption. This option is required. |
kmsProviders | array |
A document containing the configuration for one or more KMS providers, which are used to encrypt data keys. Supported providers include
The format for aws: { accessKeyId: <string>, secretAccessKey: <string>, sessionToken: <optional string> }
The format for azure: { tenantId: <string>, clientId: <string>, clientSecret: <string>, identityPlatformEndpoint: <optional string> // Defaults to "login.microsoftonline.com" }
The format for gcp: { email: <string>, privateKey: <base64 string>|<MongoDB\BSON\Binary>, endpoint: <optional string> // Defaults to "oauth2.googleapis.com" }
The format for kmip: { endpoint: <string> }
The format for local: { // 96-byte master key used to encrypt/decrypt data keys key: <base64 string>|<MongoDB\BSON\Binary> } |
tlsOptions | array |
A document containing the TLS configuration for one or more KMS providers. Supported providers include <provider>: { tlsCaFile: <optional string>, tlsCertificateKeyFile: <optional string>, tlsCertificateKeyFilePassword: <optional string>, tlsDisableOCSPEndpointCheck: <optional bool> } |
Returns a new MongoDB\Driver\ClientEncryption instance.
Version | Description |
---|---|
PECL mongodb 1.16.0 |
The AWS KMS provider for client-side encryption now accepts a
|
PECL mongodb 1.12.0 |
KMIP is now supported as a KMS provider for client-side encryption and
may be configured in the
Added the |
PECL mongodb 1.10.0 |
Azure and GCP are now supported as KMS providers for client-side
encryption and may be configured in the
"kmsProviders" option. Base64-encoded strings are now
accepted as an alternative to MongoDB\BSON\Binary
for options within "kmsProviders" .
|