Clarify why deterministic/probabilistic encryption flavor is specified per operation

XMLWordPrintableJSON

    • Type: Spec Change
    • Resolution: Unresolved
    • Priority: Major - P3
    • None
    • Component/s: Client Side Encryption
    • None
    • Needed

      Currently the CSE spec mandates that the deterministic or probabilistic encryption is specified on a per-operation basis, as follows:

      opts = EncryptOpts(key_id=created_key_id,
    algorithm="AEAD_AES_256_CBC_HMAC_SHA_512-Random")
encrypted = clientencryption.encrypt("secret text", opts)

      Specifically, the choice to perform deterministic or probabilistic encryption is NOT made on ClientEncryption level.

      Can a rationale be added specifying why an application would use the same ClientEncryption object to encrypt some data in deterministic manner and some in probabilistic manner?

      Given that one of our current driver mantras is "no knobs", it seems that this option should have had a use case that caused it to be specified.

            Assignee:
            Unassigned
            Reporter:
            Oleg Pudeyev (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated: