Module: Mongoid::Tasks::Encryption

Extended by:
Encryption
Included in:
Encryption
Defined in:
lib/mongoid/tasks/encryption.rb

Overview

This module contains helper methods for data encryption.

Instance Method Summary

Instance Method Details

#create_data_key(client_name: nil, kms_provider_name: nil, key_alt_name: nil) ⇒ Hash

Creates a data encryption key for the given KMS provider, using the auto_encryption_options from the client’s configuration.

Parameters:

  • kms_provider_name (String | nil) (defaults to: nil)

    The name of the KMS provider to use. If not provided, the first provider in the client’s auto_encryption_options will be used.

  • client_name (String | nil) (defaults to: nil)

    The name of the client to take auto_encryption_options from. If not provided, the default client will be used.

  • key_alt_name (String | nil) (defaults to: nil)

    The alternate name of the key.

Returns:

  • (Hash)

    A hash containing the Base64-encoded key id as :key_id, the KMS provider name as :kms_provider, the key vault namespace as :key_vault_namespace and, when an alternate name was given, that name as :key_alt_name.



# File 'lib/mongoid/tasks/encryption.rb', line 24

def create_data_key(client_name: nil, kms_provider_name: nil, key_alt_name: nil)
  kms_provider_name, kms_providers, key_vault_namespace = prepare_arguments(
    kms_provider_name,
    client_name
  )
  key_vault_client = Mongoid::Clients.default.with(database: key_vault_namespace.split('.').first)
  client_encryption = Mongo::ClientEncryption.new(
    key_vault_client,
    key_vault_namespace: key_vault_namespace,
    kms_providers: kms_providers
  )
  client_encryption_opts = {}.tap do |opts|
    opts[:key_alt_names] = [key_alt_name] if key_alt_name
  end
  data_key_id = client_encryption.create_data_key(kms_provider_name, client_encryption_opts)
  {
    key_id: Base64.strict_encode64(data_key_id.data),
    kms_provider: kms_provider_name,
    key_vault_namespace: key_vault_namespace,
    key_alt_name: key_alt_name
  }.compact
end
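
An added example, not part of Mongoid: a standard-library check of the Hash returned by create_data_key before its values are copied into application configuration. It assumes data key ids are 16-byte UUIDs; `inspect_data_key_result` and the sample values are hypothetical.

```ruby
UUID_BYTES = 16 # assumption: a data key id is a 16-byte UUID

# Validates a Hash shaped like create_data_key's return value and returns
# the pieces an operator needs to locate the key in the key vault.
def inspect_data_key_result(result)
  missing = %i[key_id kms_provider key_vault_namespace].reject { |k| result.key?(k) }
  raise ArgumentError, "missing keys: #{missing.join(', ')}" unless missing.empty?

  # unpack1('m0') is strict Base64 decoding (what Base64.strict_decode64 does):
  # it raises ArgumentError on newlines, whitespace or bad padding, which
  # catches ids that were re-wrapped or truncated while being copied around.
  raw = result[:key_id].unpack1('m0')
  unless raw.bytesize == UUID_BYTES
    raise ArgumentError, "key id is #{raw.bytesize} bytes, expected #{UUID_BYTES}"
  end

  # create_data_key takes the database from the part before the first dot.
  database, collection = result[:key_vault_namespace].split('.', 2)
  if database.to_s.empty? || collection.to_s.empty?
    raise ArgumentError, 'key_vault_namespace must be "database.collection"'
  end

  hex = raw.unpack1('H*')
  {
    key_uuid: [hex[0, 8], hex[8, 4], hex[12, 4], hex[16, 4], hex[20, 12]].join('-'),
    key_vault_database: database,
    key_vault_collection: collection,
    kms_provider: result[:kms_provider],
    key_alt_name: result[:key_alt_name] # nil when .compact dropped the entry
  }
end

# Constructed sample in the shape of the method's return value (not a real key).
SAMPLE_RESULT = {
  key_id: [(0..15).to_a.pack('C*')].pack('m0'),
  kms_provider: 'local',
  key_vault_namespace: 'encryption.__keyVault'
}.freeze

puts inspect_data_key_result(SAMPLE_RESULT) if $PROGRAM_NAME == __FILE__
```

The UUID form of the id is convenient for finding the key document in the key vault collection when auditing or rotating keys.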