# MongoDB Field Level Encryption Demo

In [1]:
import pymongo
from pymongo import MongoClient
from pymongo.encryption import ClientEncryption
from bson import Binary
import pymongocrypt
import base64
from bson.codec_options import DEFAULT_CODEC_OPTIONS

In [2]:
atlas = "mongodb+srv://demo:zuvCE2QqnGrJP2ds@platodemo.aagmh.mongodb.net/"

### General Settings:

Documentation: https://docs.mongodb.com/ecosystem/use-cases/client-side-field-level-encryption-guide/

#### AWS KMS (Not Verified Yet):

In [None]:
kms_providers = {
    "aws" : {
        "accessKeyId" : 'AWS_ACCESS_KEY_ID',
        "secretAccessKey" : 'AWS_SECRET_ACCESS_KEY'
    }
}

ATTENTION: variable will be overriden if not disabled further down!

#### LOCAL KMS:

Generate CMK Example Shell Command: head -c 96 /dev/urandom | base64 > key.txt

In [3]:
cmk = base64.b64decode("IkhJDuh1kQXt7cNlrBkKEMpV/jbpUERloqPGCB0WaNhFC7Ig4z1X2dDwv6XByMlrRyadd3MEC+BdcY8D9cadCgvHe3MVa8o1m00+xcE4KDFJaID/FS1rwZKRPK3KfezP")

In [4]:
kms_providers = { "local" : { "key" : cmk } }

#### Keystore Namespace:

In [5]:
keyDatabase = 'hr'
keyCollection = 'dataKeys'
key_vault_namespace = keyDatabase + '.' + keyCollection

### Create Data Encryption Keys:

In [6]:
keyVaultClient = pymongo.MongoClient("127.0.0.1")

In [7]:
keyVault = ClientEncryption(kms_providers, key_vault_namespace, keyVaultClient, DEFAULT_CODEC_OPTIONS)

Create two data encryption keys in the keys collection:

In [8]:
keyVault.create_data_key("local", key_alt_names=["key1"])

Binary(b'5\xdcx\xac\xc3ED\xf8\xa7\x94\x0f\xac\xf1@Qt', 4)

In [9]:
keyVault.create_data_key("local", key_alt_names=["key2"])

Binary(b'\x84#\x805\x93\x0fH\xa2\x8eq\x83\xfc\x98\x9a,9', 4)

### Create Auto-Encryption Schema:

Retrieve the key _id to be referenced in the schema_map:

In [10]:
keyVaultClient = pymongo.MongoClient("127.0.0.1")

In [11]:
keyDb = keyVaultClient[keyDatabase]
key1 = keyDb[keyCollection].find_one({'keyAltNames':'key1'})['_id']
key2 = keyDb[keyCollection].find_one({'keyAltNames':'key2'})['_id']

Define the encryption schema:

In [12]:
schema_map = {
    "hr.employees":
    {
        'bsonType': 'object',
        'encryptMetadata': {
            'keyId': [key1],
            'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'
            },
        'properties': {
            'ssn': {
                'encrypt': {
                    'bsonType': 'string'
                    }
                },
            'position': {
                'bsonType': 'object',
                'encryptMetadata': {
                    'keyId': [key2],
                    'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Random'
                    },
                'properties': {
                    'compensation': {
                        'encrypt': {}
                        }
                }}
            }
        }
    }

Configure the field level auto encryption client:

In [17]:
fleOptions = pymongo.encryption_options.AutoEncryptionOpts(kms_providers, key_vault_namespace, key_vault_client=keyVaultClient, schema_map=schema_map, bypass_auto_encryption=False, mongocryptd_uri='mongodb://localhost:27020', mongocryptd_bypass_spawn=False, mongocryptd_spawn_path='mongocryptd', mongocryptd_spawn_args=None)

Initialise the secured client:

In [18]:
autoEncClient = pymongo.MongoClient(atlas,auto_encryption_opts = fleOptions)

### Insert Data

As defined in the schema_map the field 'ssn' and 'compensation' will be encrypted.

In [19]:
employee = {
    'name': 'John Doe',
    'address': {
        'street': '1234 Main Street',
        'city': 'MongoDBVille',
        'zip': 99999
    },
    'phone': '949-555-1212',
    'ssn': '123-45-6789',
    'position': {'compensation': 1234}
}

In [20]:
db = autoEncClient.hr
db.employees.insert_one(employee)

<pymongo.results.InsertOneResult at 0x1114b70c0>

In [21]:
db.employees.update_one({'ssn':'123-45-6789'},{'$set':{'position.compensation':1000}})

<pymongo.results.UpdateResult at 0x110b8b740>

### Show Decrypted Data

Deterministic encryption allows to find encrypted data like you are used to with equality matches:

In [22]:
db = autoEncClient.hr
db.employees.find_one({'ssn': '123-45-6789'})

{'_id': ObjectId('60e2db12b034b1caf6a45612'),
 'name': 'John Doe',
 'address': {'street': '1234 Main Street',
  'city': 'MongoDBVille',
  'zip': 99999},
 'phone': '949-555-1212',
 'ssn': '123-45-6789',
 'position': {'compensation': 1000}}

### Show Encrypted Data

Clients without access to the keystore can only retrieve encrypted data values and cannot search for encrypted fields.

In [23]:
noEncClient = pymongo.MongoClient(atlas)
db = noEncClient.hr
db.employees.find_one({'ssn': '123-45-6789'})

In [24]:
db.employees.find_one({'name': 'John Doe'})

{'_id': ObjectId('60e2db12b034b1caf6a45612'),
 'name': 'John Doe',
 'address': {'street': '1234 Main Street',
  'city': 'MongoDBVille',
  'zip': 99999},
 'phone': '949-555-1212',
 'ssn': Binary(b'\x015\xdcx\xac\xc3ED\xf8\xa7\x94\x0f\xac\xf1@Qt\x02\xd4\xe0\xf8\xb2M\xc8\xe9\x8e\x01(D\xe6G\xaa\xbe\xcfRe!X\x0f\xb4%D(\n<\x85\xcbG\xd8\x0b\xbd\xd0C\xd0\x9do\n\x8a\x87\xecS0\xe8HA\x9a\xd2\x1c\x970+\x96\xa3\xe2\xf1#\xc9\x08\xee\xeed\xc5\x01\x8d\xdd\xf3$\xc1\xa5Sr\xd2q\x15=EG5', 6),
 'position': {'compensation': Binary(b'\x02\x84#\x805\x93\x0fH\xa2\x8eq\x83\xfc\x98\x9a,9\x10\x8fG\x8c\x13\xcc\x96\xe6\x19M\xc8":\xab\t\xa1\t\rY\xa5\x0e\xb2\x14\xad\xad\xd8.\x19%\x86\xbd\xb5\x82_\x87|\x10G^\xee\x0e\x83\xbd7.\xda\xfcv\x1d+)%\xf1\xa3\nSh\x85\xc8\t\x1e, \xd0\xfb', 6)}}

### Cleanup Environment

In [None]:
cleanClient = pymongo.MongoClient("127.0.0.1")
cleanClient.drop_database(keyDatabase)