Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MONGOID-5588 Add automatic FLE documentation #5611

Merged
merged 9 commits into from
May 5, 2023
Merged

MONGOID-5588 Add automatic FLE documentation #5611

merged 9 commits into from
May 5, 2023

Conversation

comandeo
Copy link
Contributor

No description provided.

johnnyshields
johnnyshields reviewed Apr 24, 2023
View reviewed changes
docs/tutorials/automatic-encryption.txt Outdated
# This field is encrypted using AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic
# algorithm and using a different data key.
field :ssn, type: Integer, encrypt: {
deterministic: true, data_key_id: 'Vxr5m+5cQISjDOruzZgE0w=='
Copy link
Contributor

@johnnyshields johnnyshields Apr 24, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

encrypt_with key_id: ___

# vs

field :ssn, type: Integer, encrypt: { deterministic: true, data_key_id: ___ }

It would be good to use either key_id or data_key_id consistently.

Copy link
Contributor Author

@comandeo comandeo Apr 25, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wow, I wonder how I could have missed that. Thank you!

@johnnyshields
Copy link
Contributor

johnnyshields commented Apr 24, 2023
edited
Loading

Several questions, which I think should be covered in the tutorial:

  1. How do I migrate an existing field with unencrypted data in the DB to use encryption? (If it's not possible to encrypt in-place, perhaps the recommendation can be to make a new field which we must copy the data.)

    • Same question also applies to rotating encryption keys, e.g. if a key becomes compromised.

  2. How do I query for encrypted data in various fields? What sorts of queries are supported--only exact match? How about different data types (String, Integer, Time, etc.)

  3. If I want to encrypt a string or decrypt a BSON::Binary value, how can I do that? In my existing gem I can do Mongoid::EncryptedString.encrypt("foobar") / .decrypt("____")

@alexbevi
Copy link
Contributor

alexbevi commented May 1, 2023

@johnnyshields

How do I migrate an existing field with unencrypted data in the DB to use encryption? (If it's not possible to encrypt in-place, perhaps the recommendation can be to make a new field which we must copy the data.)

Same question also applies to rotating encryption keys, e.g. if a key becomes compromised.

Regarding the first point, we plan on covering this content in a more targeted fashion (ex: blog post) as this is an activity that isn't limited to just Mongoid. We'll link to this from the Mongoid docs once ready though.

For questions 2 and 3 we'll see if we can address that still.

@alexbevi
Copy link
Contributor

alexbevi commented May 2, 2023

@comandeo first pass completed, let me know what you think

@comandeo comandeo marked this pull request as ready for review May 4, 2023 07:29
@comandeo comandeo requested review from jamis and alexbevi May 4, 2023 07:29
@comandeo comandeo merged commit 85ad705 into mongodb:master May 5, 2023
@comandeo comandeo deleted the 5558-document-fle branch May 5, 2023 08:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@johnnyshields johnnyshields johnnyshields left review comments

@alexbevi alexbevi alexbevi approved these changes

@jamis jamis jamis approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@comandeo @johnnyshields @alexbevi @jamis @comandeo-mongo