encryption_options – Support for automatic client side encryption

Support for automatic client side encryption.

Support for client side encryption is in beta. Backwards-breaking changes may be made before the final release.

class pymongo.encryption_options.AutoEncryptionOpts(kms_providers, key_vault_namespace, key_vault_client=None, schema_map=None, bypass_auto_encryption=False, mongocryptd_uri='mongodb://localhost:27020', mongocryptd_bypass_spawn=False, mongocryptd_spawn_path='mongocryptd', mongocryptd_spawn_args=None)

Options to configure automatic encryption.

Automatic encryption is an enterprise only feature that only applies to operations on a collection. Automatic encryption is not supported for operations on a database or view and will result in error. To bypass automatic encryption (but enable automatic decryption), set bypass_auto_encryption=True in AutoEncryptionOpts.

Explicit encryption/decryption and automatic decryption is a community feature. A MongoClient configured with bypassAutoEncryption=true will still automatically decrypt.

Note

Support for client side encryption is in beta. Backwards-breaking changes may be made before the final release.

Parameters:

  • kms_providers: Map of KMS provider options. Two KMS providers are supported: “aws” and “local”. The kmsProviders map values differ by provider:

    • aws: Map with “accessKeyId” and “secretAccessKey” as strings. These are the AWS access key ID and AWS secret access key used to generate KMS messages.
    • local: Map with “key” as a 96-byte array or string. “key” is the master key used to encrypt/decrypt data keys. This key should be generated and stored as securely as possible.

  • key_vault_namespace: The namespace for the key vault collection. The key vault collection contains all data keys used for encryption and decryption. Data keys are stored as documents in this MongoDB collection. Data keys are protected with encryption by a KMS provider.

  • key_vault_client (optional): By default the key vault collection is assumed to reside in the same MongoDB cluster as the encrypted MongoClient. Use this option to route data key queries to a separate MongoDB cluster.

  • schema_map (optional): Map of collection namespace (“db.coll”) to JSON Schema. By default, a collection’s JSONSchema is periodically polled with the listCollections command. But a JSONSchema may be specified locally with the schemaMap option.

    Supplying a `schema_map` provides more security than relying on JSON Schemas obtained from the server. It protects against a malicious server advertising a false JSON Schema, which could trick the client into sending unencrypted data that should be encrypted.

    Schemas supplied in the schemaMap only apply to configuring automatic encryption for client side encryption. Other validation rules in the JSON schema will not be enforced by the driver and will result in an error.

  • bypass_auto_encryption (optional): If True, automatic encryption will be disabled but automatic decryption will still be enabled. Defaults to False.

  • mongocryptd_uri (optional): The MongoDB URI used to connect to the local mongocryptd process. Defaults to 'mongodb://localhost:27020'.

  • mongocryptd_bypass_spawn (optional): If True, the encrypted MongoClient will not attempt to spawn the mongocryptd process. Defaults to False.

  • mongocryptd_spawn_path (optional): Used for spawning the mongocryptd process. Defaults to 'mongocryptd' and spawns mongocryptd from the system path.

  • mongocryptd_spawn_args (optional): A list of string arguments to use when spawning the mongocryptd process. Defaults to ['--idleShutdownTimeoutSecs=60']. If the list does not include the idleShutdownTimeoutSecs option then '--idleShutdownTimeoutSecs=60' will be added.

New in version 3.9.