[JAVA-4046] GridFS & Client-Side Field Level Encryption Created: 15/Mar/21 Updated: 27/Oct/23 Resolved: 19/Apr/21 |
|
| Status: | Closed |
| Project: | Java Driver |
| Component/s: | Client Side Encryption, GridFS |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | New Feature | Priority: | Major - P3 |
| Reporter: | Laurent Charlois | Assignee: | Jeffrey Yemin |
| Resolution: | Gone away | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
| Comments |
| Comment by Backlog - Core Eng Program Management Team [ 19/Apr/21 ] | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
There hasn't been any recent activity on this ticket, so we're resolving it. Thanks for reaching out! Please feel free to comment on this if you're able to provide more information. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Comment by Jeffrey Yemin [ 02/Apr/21 ] | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Hi laurent.charlois@neotys.com Thanks for clarifying your use case. Now that I understand better, I have a workaround for you to consider that I think will allow you to do what you need without waiting for any changes in the driver. To encrypt a file:
Then to decrypt a file:
This is what it would look like in Java:
Please have a look and let me know if this would work for you. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Comment by Laurent Charlois [ 02/Apr/21 ] | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Hi Jeffrey,
Our application is multi-tenant. We want to use one master key per tenant, and we want to use a master key provided by the tenant. Customer A, use database A.
My understanding of the feature, is that in automatic mode you need to specify the configuration to retrieve the master key from the KMS when you create the mongodb client. In this way, if we want to be able to use automatic encryption mode, we need to use a different mongodb client for each customer.
Let me kow if it's still unclear. Laurent. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Comment by Jeffrey Yemin [ 31/Mar/21 ] | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Hi laurent.charlois@neotys.com
Can you clarify what you mean by that statement? When you say multiple database, do you mean multiple logical databases in a single deployment (e.g. a single replica set or sharded cluster), or multiple deployments. If the former, I'm not clear why you'd need a new MongoClient each time, and if the latter, it's unavoidable. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Comment by Laurent Charlois [ 24/Mar/21 ] | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Thanks for the answer. We are looking to encrypt the file data (field `data` of chunk documents). I was able to make it work using the CSFLE automatic mode, but my need (due to our design) is to be able to use manual mode instead. Laurent. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Comment by Ross Lawley [ 24/Mar/21 ] | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
HI laurent.charlois@neotys.com, Thanks for ticket and apologies for the slow response. Our GridFS Implementation is based on the GridFS Specification. Any changes to our implementation would require changes to the specification first before being implemented in the drivers. What information are you looking to be encrypted / decrypted ? The file data itself or the meta data? Ross |