[DRIVERS-2051] Clarify why deterministic/probabilistic encryption flavor is specified per operation Created: 07/Nov/19  Updated: 31/Mar/22

Status: Backlog
Project: Drivers
Component/s: Client Side Encryption
Fix Version/s: None

Type: Spec Change Priority: Major - P3
Reporter: Oleg Pudeyev (Inactive) Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Related
related to DRIVERS-2107 Add rationale for algorithm being sep... Backlog
Driver Changes: Needed

 Description   

Currently the CSE spec mandates that the deterministic or probabilistic encryption is specified on a per-operation basis, as follows:

opts = EncryptOpts(key_id=created_key_id,
    algorithm="AEAD_AES_256_CBC_HMAC_SHA_512-Random")
encrypted = clientencryption.encrypt("secret text", opts)

Specifically, the choice to perform deterministic or probabilistic encryption is NOT made on ClientEncryption level.

Can a rationale be added specifying why an application would use the same ClientEncryption object to encrypt some data in deterministic manner and some in probabilistic manner?

Given that one of our current driver mantras is "no knobs", it seems that this option should have had a use case that caused it to be specified.



 Comments   
Comment by Oleg Pudeyev (Inactive) [ 07/Nov/19 ]

Use case: email is encrypted deterministically because need to query on it, password is encrypted probabilistically.

Generated at Thu Feb 08 08:24:36 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.