MongoDB automatic encryption supports human-readable key names via the keyAltName attribute. When creating a data key, one or more alternate names can be assigned to it. This makes it possible to select data keys dynamically at runtime: the encryption schema can point at the document field that holds the alternate name of the data key to use for encrypting that document. See https://www.mongodb.com/docs/manual/core/csfle/fundamentals/manage-keys/#manage-a-data-encryption-key-s-alternate-name for details.
This feature should be available in Mongoid with two additions to the existing implementation:
1. The create_data_key rake task should allow the user to specify the key name. If no name is specified, one might be generated automatically.
2. The encrypt_with class-level macro and the encrypt macro on a field definition should accept a key_name_field attribute (mutually exclusive with key_id). This attribute should be taken into account when generating the encryption schema.
This Ruby code:

```ruby
class Person
  include Mongoid::Document

  field :name, type: String, encrypt: { deterministic: false, key_name_field: :key_name }
end
```

should generate the following schema:

```json
{
  "<database>.people": {
    "bsonType": "object",
    "properties": {
      "name": {
        "encrypt": {
          "bsonType": "string",
          "keyId": "/key_name",
          "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random"
        }
      }
    }
  }
}
```