|
Currently the CSE spec mandates that the deterministic or probabilistic encryption is specified on a per-operation basis, as follows:
opts = EncryptOpts(key_id=created_key_id,
|
algorithm="AEAD_AES_256_CBC_HMAC_SHA_512-Random")
|
encrypted = clientencryption.encrypt("secret text", opts)
|
Specifically, the choice to perform deterministic or probabilistic encryption is NOT made on ClientEncryption level.
Can a rationale be added specifying why an application would use the same ClientEncryption object to encrypt some data in deterministic manner and some in probabilistic manner?
Given that one of our current driver mantras is "no knobs", it seems that this option should have had a use case that caused it to be specified.
|