[DRIVERS-2135] Add "explicit encryption" section to spec with description and examples
Created: 07/Nov/19 Updated: 31/Mar/22

| Status: | Backlog |
| Project: | Drivers |
| Component/s: | Client Side Encryption |
| Fix Version/s: | None |
| Type: | Spec Change | Priority: | Major - P3 |
| Reporter: | Oleg Pudeyev (Inactive) | Assignee: | Unassigned |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
| Driver Changes: | Needed |
| Description |
|
Based on my reading of the CSE spec, there is no section which explains how explicit encryption works at a high level. There are multiple references to explicit encryption throughout the spec, but they appear to be side notes to descriptions of automatic encryption functionality. For a user who only wishes to configure explicit encryption, or for a driver which implements explicit encryption first, it is difficult to:
It will be helpful to have a dedicated section on explicit encryption which will provide a high-level description of the above in prose. |
| Comments |
| Comment by Oleg Pudeyev (Inactive) [ 07/Nov/19 ] |
|
One specific use case: for each document in a collection, encrypt a particular field with a distinct (per-document) key. The encrypted field contains the key id.

Variation: documents in a collection are grouped according to some criteria, and each group needs to use a distinct key.

Another use case: some aggregation queries are too complex for mongocryptd to parse; in this case the user must manually encrypt/decrypt fields.

Another use case: dynamically determining the encryption key to use in a query, or using complex expressions for the key, based on the query expression when querying multiple fields which can be encrypted with different keys. |