[DRIVERS-2135] Add "explicit encryption" section to spec with description and examples Created: 07/Nov/19  Updated: 31/Mar/22

Status: Backlog
Project: Drivers
Component/s: Client Side Encryption
Fix Version/s: None

Type: Spec Change Priority: Major - P3
Reporter: Oleg Pudeyev (Inactive) Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Related
Driver Changes: Needed

 Description   

Based on my reading of CSE spec, there is no section which explains how explicit encryption works on a high level. There are multiple references to explicit encryption throughout the spec, but they appear to be side notes to descriptions of automatic encryption functionality. For a user who only wishes to configure explicit encryption, or for a driver which implements explicit encryption first, it is difficult to:

  • Identify what the minimum driver API is to provide explicit encryption feature to the user
  • Get a high level idea of how explicit encryption works across all of the components (driver, libmongocrypt, key vault)

It will be helpful to have a dedicated section to explicit encryption which will provide a high level description of the above in prose.



 Comments   
Comment by Oleg Pudeyev (Inactive) [ 07/Nov/19 ]

One specific use case: for each document in a collection, encrypt a particular field with a distinct (per-document) key. Encrypted field contains the key id.

Variation: documents in a collection are grouped according to some criteria, each group needs to use a distinct key.

Another use case: some aggregation queries are too complex for mongocryptd to parse, in this case user must manually encrypt/decrypt fields.

Another use case: dynamically determining encryption key to use in a query, or using complex expressions for the key, based on query expression when querying multiple fields which can be encrypted with different keys.

Generated at Thu Feb 08 08:24:48 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.