How to maintain a consistent encryption key in MongoDB client-side field level encryption?

Question

I am using MongoDB client-side field level encryption to encrypt and decrypt data. However, I noticed that every time I execute the program, the primitive binary key changes. This makes it difficult for me to retrieve previously encrypted data because I cannot decrypt it using the new key.

Is there a way to maintain a consistent encryption key for client-side field level encryption in MongoDB? If so, how can I do it?

Relevant links:

https://www.mongodb.com/docs/manual/core/csfle/fundamentals/manual-encryption/#std-label-csfle-fundamentals-manual-encryption

https://go.dev/play/p/6W8e0OiPV2L

I'm trying to implement client-side field level encryption in my MongoDB Community project to encrypt certain fields in my documents before storing them in the database, and then decrypt them when I retrieve them from the database.

I've been following the MongoDB documentation and was able to successfully encrypt and decrypt the data during the first execution of my program. However, I noticed that the key keeps changing every time I run the program again, and I want to keep the key stationary.

Answer 1

Score: 1

These lines should be removed:

// Drop the Key Vault Collection in case you created this collection
// in a previous run of this application.
if err = Client.Database(keyVaultDb).Collection(keyVaultColl).Drop(context.TODO()); err != nil {
	log.Fatalf("Collection.Drop error: %v", err)
}

And the following lines are needed only when the key does not exist yet:

dataKeyID, err := clientEnc.CreateDataKey(context.TODO(), provider, dataKeyOpts)
if err != nil {
	log.Fatalf("CreateDataKey error: %v", err)
}

Maybe do a clientEnc.GetKeyByAltName call first to check whether the key exists.

By saying "the primitive binary key changes", I think you meant the Data Encryption Key (DEK) changes. That's caused by the dropping of the collection that stores the DEK.

See Keys and Key Vaults:

> A Customer Master Key (CMK) is the key you use to encrypt your Data Encryption Keys (DEK)....
>
> A Data Encryption Key (DEK) is the key you use to encrypt the fields in your MongoDB documents. You store your Data Encryption Key in your Key Vault collection encrypted with your CMK....
>
> If you delete a Data Encryption Key (DEK), all fields encrypted with that DEK become permanently unreadable.
>
> If you delete a CMK, all fields encrypted with DEKs encrypted with that CMK become permanently unreadable.

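The get-or-create flow the answer describes, as an added example that is not part of the original question, the answer, or the MongoDB Go driver. It uses an in-memory stand-in for the key vault collection (assumed names: KeyVault, DataKey, EnsureDataKey, DEK, Seal, Open) with real envelope encryption, a customer master key wrapping a random data encryption key with AES-256-GCM, so it runs without a database. With the real driver the two calls it models are clientEnc.GetKeyByAltName, whose SingleResult reports mongo.ErrNoDocuments when the key is absent, and clientEnc.CreateDataKey with options.DataKey().SetKeyAltNames; the driver never hands the unwrapped DEK to application code the way the DEK method here does, that is a simplification for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

var ErrNoKey = errors.New("no data key with that alt name") // real driver: mongo.ErrNoDocuments

// DataKey models one key vault document: a random ID plus the DEK stored only wrapped under the CMK.
type DataKey struct {
	ID         [16]byte
	WrappedDEK []byte
}

// KeyVault is an in-memory stand-in for the key vault collection, indexed by key alt name.
type KeyVault struct {
	cmk  []byte // stand-in for a 32-byte local-provider customer master key
	keys map[string]DataKey
}

func NewKeyVault(cmk []byte) *KeyVault { return &KeyVault{cmk: cmk, keys: map[string]DataKey{}} }

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err) // no usable CSPRNG: refuse to mint keys or nonces
	}
	return b
}

func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 bytes by construction; failure is a bug
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// Seal and Open are AES-256-GCM with the random nonce prefixed to the ciphertext.
func Seal(key, plaintext []byte) []byte {
	aead := aeadFor(key)
	nonce := mustRandom(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

func Open(key, blob []byte) ([]byte, error) {
	aead := aeadFor(key)
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// GetKeyByAltName is the lookup the answer suggests doing before CreateDataKey.
func (v *KeyVault) GetKeyByAltName(altName string) (DataKey, error) {
	if k, ok := v.keys[altName]; ok {
		return k, nil
	}
	return DataKey{}, ErrNoKey
}

// CreateDataKey mints a fresh random DEK, wraps it under the CMK and stores it.
func (v *KeyVault) CreateDataKey(altName string) DataKey {
	k := DataKey{WrappedDEK: Seal(v.cmk, mustRandom(32))}
	copy(k.ID[:], mustRandom(16))
	v.keys[altName] = k
	return k
}

// Drop discards every key vault document: the step the answer says to remove.
func (v *KeyVault) Drop() { v.keys = map[string]DataKey{} }

// EnsureDataKey is the get-or-create step: reuse the DEK the lookup finds, create one only when
// the lookup says it is absent, and return any other lookup failure rather than creating a key.
func EnsureDataKey(v *KeyVault, altName string) (DataKey, error) {
	k, err := v.GetKeyByAltName(altName)
	if errors.Is(err, ErrNoKey) {
		return v.CreateDataKey(altName), nil
	}
	return k, err
}

// DEK unwraps the stored DEK with the CMK; a missing key is an error, never a reason to create one.
func (v *KeyVault) DEK(altName string) ([]byte, error) {
	k, err := v.GetKeyByAltName(altName)
	if err != nil {
		return nil, err
	}
	return Open(v.cmk, k.WrappedDEK)
}
```

Running the two paths side by side makes the symptom from the question concrete: with the Drop step in place every run mints a DataKey with a new ID, and ciphertext from the previous run fails GCM authentication under the new DEK, which is the "permanently unreadable" outcome the quoted documentation warns about; with EnsureDataKey called on every run instead, the second run finds the same DEK and the field decrypts. Two details matter in practice: EnsureDataKey creates a key only on ErrNoKey, so a connection or authorization failure during the lookup is surfaced instead of silently minting a second DEK under the same alt name, and the real key vault collection should carry the unique index on keyAltNames that the CSFLE documentation has you create, so two first runs racing each other cannot both succeed in creating a key.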
huangapple
  • Posted on 2023-04-11 04:08:16
  • Please keep this link when reposting: https://go.coder-hub.com/75980343.html