  1. Drivers
  2. DRIVERS-2051

Clarify why deterministic/probabilistic encryption flavor is specified per operation


Details

    • Spec Change
    • Resolution: Unresolved
    • Major - P3
    • None
    • Client Side Encryption
    • None
    • Needed

    Description

      Currently the CSE spec mandates that deterministic or probabilistic encryption be specified on a per-operation basis, as follows:

      opts = EncryptOpts(key_id=created_key_id,
          algorithm="AEAD_AES_256_CBC_HMAC_SHA_512-Random")
      encrypted = clientencryption.encrypt("secret text", opts)
      

      Specifically, the choice to perform deterministic or probabilistic encryption is NOT made at the ClientEncryption level.

      Can a rationale be added specifying why an application would use the same ClientEncryption object to encrypt some data in a deterministic manner and some in a probabilistic manner?

      Given that one of our current driver mantras is "no knobs", it seems that this option should have had a use case that caused it to be specified.


          People

            Unassigned
            oleg.pudeyev@mongodb.com Oleg Pudeyev (Inactive)