DOCSP-45366 Encryption #89
source/security.txt
Outdated
.. toctree:: | ||
:caption: Secure Your Data | ||
|
||
Client-Side Field Level Encryption </security/encryption> |
S: consider shortening this to just In-Use Encryption to adhere to the TOC relabeling guidelines
source/security/encryption.txt
Outdated
- Explicit encryption: Allows you to perform encrypted read and write operations | ||
with specified encryption logic throughout your application. | ||
|
||
This guide details how to set up CSFLE with automatic encryption. To learn more |
This guide details how to set up CSFLE with automatic encryption. To learn more | |
This guide describes how to set up CSFLE with automatic encryption. To learn more |
source/security/encryption.txt
Outdated
about using explicit encryption, see the `Explicit Encryption guide | ||
<https://www.mongodb.com/docs/ruby-driver/current/reference/in-use-encryption/client-side-encryption/#explicit-encryption>`__ | ||
in the Ruby driver documentation. |
about using explicit encryption, see the `Explicit Encryption guide | |
<https://www.mongodb.com/docs/ruby-driver/current/reference/in-use-encryption/client-side-encryption/#explicit-encryption>`__ | |
in the Ruby driver documentation. | |
about using explicit encryption, see the :ruby:`Explicit Encryption | |
</reference/in-use-encryption/client-side-encryption/#explicit-encryption>` guide | |
in the {+ruby-driver+} documentation. |
source/security/encryption.txt
Outdated
Install Dependencies | ||
-------------------- | ||
|
||
To use CSFLE with {+odm+} you must first install the following dependencies: |
To use CSFLE with {+odm+} you must first install the following dependencies: | |
To use CSFLE with {+odm+}, you must first install the following dependencies: |
source/security/encryption.txt
Outdated
The following sections provide details on how to install the preceding | ||
dependencies. |
The following sections provide details on how to install the preceding | |
dependencies. | |
The following sections provide details on how to install these | |
dependencies. |
source/security/encryption.txt
Outdated
You can rotate your encryption keys by using the ``rewrap_many_data_key`` Ruby | ||
driver method. This method automatically decrypts multiple data encryption keys |
S use source constant
source/security/encryption.txt
Outdated
- A filter, used to specify which fields to rotate. If no data key matches the | ||
given filter, no keys will be rotated. Omit the filter to rotate all keys in | ||
your key vault collection. | ||
- An object that represents a new CMK with which to re-encrypt the DEKs. Omit | ||
this object to rotate the data keys by using their current CMKs. |
- A filter, used to specify which fields to rotate. If no data key matches the | |
given filter, no keys will be rotated. Omit the filter to rotate all keys in | |
your key vault collection. | |
- An object that represents a new CMK with which to re-encrypt the DEKs. Omit | |
this object to rotate the data keys by using their current CMKs. | |
- Filter, used to specify which fields to rotate. If no data key matches the | |
given filter, no keys will be rotated. Omit the filter to rotate all keys in | |
your key vault collection. | |
- Object that represents a new CMK with which to re-encrypt the DEKs. Omit | |
this object to rotate the data keys by using their current CMKs. |
include Mongoid::Document | ||
include Mongoid::Timestamps | ||
|
||
encrypt_with key_id: '<Your Data Encryption Key>' |
encrypt_with key_id: '<Your Data Encryption Key>' | |
encrypt_with key_id: '<data encryption key>' |
# This field is encrypted using AEAD_AES_256_CBC_HMAC_SHA_512-Random | ||
# algorithm. |
# This field is encrypted using AEAD_AES_256_CBC_HMAC_SHA_512-Random | |
# algorithm. | |
# This field is encrypted by using the | |
# AEAD_AES_256_CBC_HMAC_SHA_512-Random algorithm |
# Print all documents in the collection. The first document is unencrypted, and | ||
# the second is encrypted. | ||
Patient.all.to_a |
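Review bot: the comment above `Patient.all.to_a` states the outcome (one unencrypted and one encrypted document are returned) but not why both come back; a short clause giving the reason (the thread below notes that `all` is not treated as a query operation on the encrypted field) would save readers the same question the reviewers raise here.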
Q: does this code example mean that `all` returns all documents but querying only returns encrypted documents?
Right. So apparently `all` isn't considered a query operation, the way I understood it.
I can take another look if needed, but approving!
@@ -0,0 +1,320 @@ | |||
.. _automatic-encryption: |
S: include the product name in all anchors
.. _automatic-encryption: | |
.. _mongoid-automatic-encryption: |
This was the ref from the old page; I just moved it over to this page in case there are any external repos linking to the tag.
To create a DEK in {+odm+}, you can use the | ||
``db:mongoid:encryption:create_data_key`` rake task, as shown in the following | ||
example: |
My experience has been that rake tasks are used commonly in Rails apps, whereas installing the rake package to use on other frameworks such as Sinatra is buggy and error-prone.
To create a DEK in {+odm+}, you can use the | ||
``db:mongoid:encryption:create_data_key`` rake task, as shown in the following | ||
example: |
But this might not be a hard rule, so it's fine to leave this out.
source/security/encryption.txt
Outdated
development: | ||
clients: | ||
default: | ||
uri: <connection string> |
uri: <connection string> | |
uri: "<connection string>" |
source/security/encryption.txt
Outdated
Configure your Client | ||
--------------------- | ||
|
||
CSFLE requires additional configuration for your MongoDB client. To configure a |
CSFLE requires additional configuration for your MongoDB client. To configure a | |
You must configure your MongoDB client to implement CSFLE. To configure a |
|
||
# start-rewrap-keys | ||
# Create a key vault client | ||
key_vault_client = Mongo::Client.new('<Your connection URI>') |
key_vault_client = Mongo::Client.new('<Your connection URI>') | |
key_vault_client = Mongo::Client.new('<connection string>') |
source/security/encryption.txt
Outdated
|
||
You can encrypt existing data in a collection by reading and then writing back | ||
all data with a CSFLE-enabled client. When doing so, ensure that all existing | ||
data is the expected type and that empty values are not set as ``nil``. No newline at end of file |
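Review bot: the file ends without a trailing newline ("No newline at end of file"); add one. Separately, the last sentence tells the reader to ensure empty values are not set as ``nil`` but not what happens otherwise, so it is unclear whether the write-back fails or the field ends up stored without encryption; one clause naming the consequence would make the caveat actionable.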
S: add an additional information section that links to relevant Server pages or Ruby driver pages. Can also add a todo to link to the config page, as it includes some info about encryption settings, I believe.
Good call, I meant to add that section but it slipped my mind
* DOCSP-42732: qs * fix * wip * remove action * NR suggestion * DOCSP-42732: qs download * wip * adapt for sinatra * vale fix * snooty landing page * MW PR fixes 1 * DOCSP-42733: atlas prep qs * MW PR fixes 1 * DOCSP-42735: configure cxn * small fix - vale * JS PR fixes 1 * DOCSP-44008: read/write sinatra quickstart * fixes * NR PR fixes 1 * DOCSP-43961: rails qs * vale * ordering * small fix * MW PR fixes 1 * small fixes * MW PR fixes 2 * DOCSP-44647: add to existing app * fix vale action * vale fixes * depth * MW PR fixes 1 * fixes * DOCSP-42745: interact with data drawer * tags * fix vale action * remove extra word Co-authored-by: Nora Reidy <nora.reidy@mongodb.com> * DOCSP-42753: specify query part 1 * vale * title * code edits * MW PR fixes 2 * DOCSP-44849: modify results * vale * JS PR fixes 1 * fix * fix * list fixes * MW PR fixes 1 * DOCSP-44954: scoping * add landing page * link * vale * highlighting * DOCSP-44821: specify a query pt 2 * MR PR fixes 1 * wip * wip * wip * small fixes * DOCSP-42767 Aggregation (#57) * DOCSP-42774: transactions * vale * link text * MW PR fixes 1 * MR PR fixes 1 * DOCSP-45306: model data drawer * DOCSP-45330: inheritance (WIP) * MR PR fixes 2 * try using roles * wip * vale * add label * fixes * fix * small fixes - MW * DOCSP-45358: documents * fix * wip * wip * DR tech review 1 * page fmt * page fmt * SA PR fixes 1 * MR PR fixes 1 * DR small fix Co-authored-by: Dmitry Rybakov <160598371+comandeo-mongo@users.noreply.github.com> * DOCSP-45360: nested attributes (#71) * DOCSP-45360: nested attributes * vale + fixes * fixes * NR PR fixes 1 * DOCSP-45362: text search (#72) * DOCSP-45362: text search * wip * vale * MM PR fixes 1 * DOCSP-45436 Field Behaviors page (#68) * DOCSP-45363: validation (#73) * DOCSP-45363: validation * keywords * wip * SA PR fixes 1 * DOCSP-44794 Field Types (#69) * DOCSP-45357 Sharding Configuration (#76) * DOCSP-42762: Indexes (#74) * DOCSP-45367 Associations pt. 
1 (#79) * DOCSP-45368: Persistence Configuration (#77) * DOCSP-45361: callbacks (#75) * DOCSP-45361: callbacks * wip * wip * wip * NR PR fixes 1 * DOCSP-45364: CRUD pt 1 (#81) * checkpoint * checkpoint 2 * woohoo first pass * indent * Edits * updates * vale chekcs * RR PR fixes 1 * fix code file * code fixes * RM PR fixes 1 --------- Co-authored-by: rustagir <rea.rustagi@mongodb.com> * DOCSP-45110: queries subsections (#80) * DOCSP-45110: queries misc sections * wip: * vale * MR PR fixes 1 * GM PR fixes 1 * DOCSP-46072 Associations part 2 (#82) * DOCSP-46394: CRUD remaining sections (#83) * DOCSP-46394: CRUD remaining sections * vale fixes * JS PR fixes 1 * DOCSP-46213: bump to rails 8 and remove old tuts (#84) * DOCSP-45356: i&h + code doc (#86) * DOCSP-45356: i&h + code doc * remove contributing * vale fixes * link fix * vale fixes + RM comment * DOCSP-42770: release notes/whats new (#87) * DOCSP-42770: release notes/whats new * fixes * fixes * DOCSP-42773: api links (#88) * DOCSP-42773: api links * fix * link fixes * DOCSP-42772: compatibility (#90) * DOCSP-42772: compatibility * small fix * small fix * SA PR fixes 1 * delete files for old build system * column width adjustment * DOCSP-45366 Encryption (#89) * DOCSP-42741: config pages (#91) * DOCSP-42741: config * wip * wip * some vale fixes * RM PR fixes 1 * small fix * DOCSP-46555: rails integration (#92) * wip * DOCSP-46555: rails integration * RM PR fixes 1 * DOCSP-45359 External Resources (#94) * add additional resources page * edits * feedback * DOCSP-42743 Collection config (#95) * DOCSP-42730: landing page (#96) * DOCSP-42730: landing page * MW PR fixes 1 * small fix * small fix * small fix * DOCSP-46121: cleanup (#97) * cleanup * copy compat action * redirects * MW PR fixes 1 * add index section * change vs in redirects --------- Co-authored-by: Nora Reidy <nora.reidy@mongodb.com> Co-authored-by: Jordan Smith <45415425+jordan-smith721@users.noreply.github.com> Co-authored-by: Dmitry Rybakov 
<160598371+comandeo-mongo@users.noreply.github.com> Co-authored-by: Maya Raman <maya.raman19@gmail.com>
Pull Request Info
JIRA - https://jira.mongodb.org/browse/DOCSP-45366
Staging - https://deploy-preview-89--docs-mongoid.netlify.app/security/encryption/