encryption_options – Support for automatic client side encryption

encryption_options – Support for automatic client side encryption

Support for automatic client side encryption.

Support for client side encryption is in beta. Backwards-breaking changesmay be made before the final release.

class pymongo.encryptionoptions.AutoEncryptionOpts(_kms_providers, key_vault_namespace, key_vault_client=None, schema_map=None, bypass_auto_encryption=False, mongocryptd_uri='mongodb://localhost:27020', mongocryptd_bypass_spawn=False, mongocryptd_spawn_path='mongocryptd', mongocryptd_spawn_args=None)
Options to configure automatic encryption.

Automatic encryption is an enterprise only feature that onlyapplies to operations on a collection. Automatic encryption is notsupported for operations on a database or view and will result inerror. To bypass automatic encryption (but enable automaticdecryption), set bypass_auto_encryption=True inAutoEncryptionOpts.

Explicit encryption/decryption and automatic decryption is acommunity feature. A MongoClient configured withbypassAutoEncryption=true will still automatically decrypt.

Note

Support for client side encryption is in beta.Backwards-breaking changes may be made before the final release.

Parameters:

kms_providers: Map of KMS provider options. Two KMS providersare supported: “aws” and “local”. The kmsProviders map valuesdiffer by provider:

aws: Map with “accessKeyId” and “secretAccessKey” as strings.These are the AWS access key ID and AWS secret access key usedto generate KMS messages.
local: Map with “key” as a 96-byte array or string. “key”is the master key used to encrypt/decrypt data keys. This keyshould be generated and stored as securely as possible.

key_vault_namespace: The namespace for the key vault collection.The key vault collection contains all data keys used for encryptionand decryption. Data keys are stored as documents in this MongoDBcollection. Data keys are protected with encryption by a KMSprovider.
key_vault_client (optional): By default the key vault collectionis assumed to reside in the same MongoDB cluster as the encryptedMongoClient. Use this option to route data key queries to aseparate MongoDB cluster.
schema_map (optional): Map of collection namespace (“db.coll”) toJSON Schema. By default, a collection’s JSONSchema is periodicallypolled with the listCollections command. But a JSONSchema may bespecified locally with the schemaMap option.

Supplying a schema_map provides more security than relying onJSON Schemas obtained from the server. It protects against amalicious server advertising a false JSON Schema, which could trickthe client into sending unencrypted data that should beencrypted.

Schemas supplied in the schemaMap only apply to configuringautomatic encryption for client side encryption. Other validationrules in the JSON schema will not be enforced by the driver andwill result in an error.

bypass_auto_encryption (optional): If True, automaticencryption will be disabled but automatic decryption will still beenabled. Defaults to False.
mongocryptd_uri (optional): The MongoDB URI used to connectto the local mongocryptd process. Defaults to'mongodb://localhost:27020'.
mongocryptd_bypass_spawn (optional): If True, the encryptedMongoClient will not attempt to spawn the mongocryptd process.Defaults to False.
mongocryptd_spawn_path (optional): Used for spawning themongocryptd process. Defaults to 'mongocryptd' and spawnsmongocryptd from the system path.
mongocryptd_spawn_args (optional): A list of string arguments touse when spawning the mongocryptd process. Defaults to['—idleShutdownTimeoutSecs=60']. If the list does not includethe idleShutdownTimeoutSecs option then'—idleShutdownTimeoutSecs=60' will be added.

New in version 3.9.