Create a new ClientEncryption object

Description

final public MongoDB\Driver\Manager::createClientEncryption(array $options): MongoDB\Driver\ClientEncryption

Constructs a new MongoDB\Driver\ClientEncryption object with the specified options.

Parameters

options

**options**
Option	Type	Description
keyVaultClient	MongoDB\Driver\Manager	The Manager used to route data key queries to a separate MongoDB cluster. By default, the current Manager and cluster is used.
keyVaultNamespace	string	A fully qualified namespace (e.g. `"databaseName.collectionName"`) denoting the collection that contains all data keys used for encryption and decryption. This option is required.
kmsProviders	array	A document containing the configuration for one or more KMS providers, which are used to encrypt data keys. Supported providers include `"aws"`, `"azure"`, `"gcp"`, `"kmip"`, and `"local"` and at least one must be specified. The format for `"aws"` is as follows: aws: { accessKeyId: <string>, secretAccessKey: <string>, sessionToken: <optional string> } The format for `"azure"` is as follows: azure: { tenantId: <string>, clientId: <string>, clientSecret: <string>, identityPlatformEndpoint: <optional string> // Defaults to "login.microsoftonline.com" } The format for `"gcp"` is as follows: gcp: { email: <string>, privateKey: <base64 string>\|<MongoDB\BSON\Binary>, endpoint: <optional string> // Defaults to "oauth2.googleapis.com" } The format for `"kmip"` is as follows: kmip: { endpoint: <string> } The format for `"local"` is as follows: local: { // 96-byte master key used to encrypt/decrypt data keys key: <base64 string>\|<MongoDB\BSON\Binary> }
tlsOptions	array	A document containing the TLS configuration for one or more KMS providers. Supported providers include `"aws"`, `"azure"`, `"gcp"`, and `"kmip"`. All providers support the following options: <provider>: { tlsCaFile: <optional string>, tlsCertificateKeyFile: <optional string>, tlsCertificateKeyFilePassword: <optional string>, tlsDisableOCSPEndpointCheck: <optional bool> }

Return Values

Returns a new MongoDB\Driver\ClientEncryption instance.

Errors/Exceptions

Throws MongoDB\Driver\Exception\InvalidArgumentException on argument parsing errors.
Throws MongoDB\Driver\Exception\RuntimeException if the extension was compiled without libmongocrypt support

Changelog

Version Description

PECL mongodb 1.16.0

Version	Description
PECL mongodb 1.16.0	The AWS KMS provider for client-side encryption now accepts a `"sessionToken"` option, which can be used to authenticate with temporary AWS credentials.
PECL mongodb 1.12.0	KMIP is now supported as a KMS provider for client-side encryption and may be configured in the `"kmsProviders"` option. Added the `"tlsOptions"` option.
PECL mongodb 1.10.0	Azure and GCP are now supported as KMS providers for client-side encryption and may be configured in the `"kmsProviders"` option. Base64-encoded strings are now accepted as an alternative to MongoDB\BSON\Binary for options within `"kmsProviders"`.

The AWS KMS provider for client-side encryption now accepts a "sessionToken" option, which can be used to authenticate with temporary AWS credentials.

PECL mongodb 1.12.0

KMIP is now supported as a KMS provider for client-side encryption and may be configured in the "kmsProviders" option.

Added the "tlsOptions" option.

PECL mongodb 1.10.0 Azure and GCP are now supported as KMS providers for client-side encryption and may be configured in the "kmsProviders" option. Base64-encoded strings are now accepted as an alternative to MongoDB\BSON\Binary for options within "kmsProviders".

MongoDB\Driver\Manager::createClientEncryption

Description

Parameters

Return Values

Errors/Exceptions

Changelog

See Also