In-Use Encryption
In-Use Encryption consists of two features:
Installation
Using In-Use Encryption in the C driver requires the dependency libmongocrypt. See the MongoDB Manual for libmongocrypt installation instructions.
Once libmongocrypt is installed, configure the C driver with -DENABLE_CLIENT_SIDE_ENCRYPTION=ON to require that In-Use Encryption be enabled.
$ cd mongo-c-driver
$ mkdir cmake-build && cd cmake-build
$ cmake -DENABLE_AUTOMATIC_INIT_AND_CLEANUP=OFF -DENABLE_CLIENT_SIDE_ENCRYPTION=ON ..
$ cmake --build . --target install
API
mongoc_client_encryption_t is used for explicit encryption and key management. mongoc_client_enable_auto_encryption() and mongoc_client_pool_enable_auto_encryption() are used to enable automatic encryption.
The Queryable Encryption and CSFLE features share much of the same API, with some exceptions:
The supported algorithms documented in mongoc_client_encryption_encrypt_opts_set_algorithm() do not apply to both features.
mongoc_auto_encryption_opts_set_encrypted_fields_map() only applies to Queryable Encryption.
mongoc_auto_encryption_opts_set_schema_map() only applies to CSFLE.
Query Analysis
To support the automatic encryption feature, one of the following dependencies is required:
The mongocryptd executable. See the MongoDB Manual documentation: Install and Configure mongocryptd
The crypt_shared library. See the MongoDB Manual documentation: Automatic Encryption Shared Library
A mongoc_client_t or mongoc_client_pool_t configured with auto encryption will automatically try to load the crypt_shared library. If loading the crypt_shared library fails, the mongoc_client_t or mongoc_client_pool_t will try to spawn the mongocryptd process from the application’s PATH. To configure use of crypt_shared and mongocryptd, see mongoc_auto_encryption_opts_set_extra().
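The fallback described above spawns mongocryptd through a PATH lookup, so which binary runs depends on the application's environment. The following added example (not part of the C driver or its documentation) walks a PATH string in search order and reports which mongocryptd would be selected; the helper name check_spawn_path and the expected install path are assumptions.

```shell
#!/bin/sh
# Added example: audit the PATH lookup behind the mongocryptd spawn fallback.
# check_spawn_path NAME PATH_STRING EXPECTED_BINARY  (hypothetical helper)
#   prints the first executable NAME found in search order and returns
#   0  it is EXPECTED_BINARY and every entry searched so far is safe
#   1  the first match differs, or a searched entry is relative, empty
#      or world-writable
#   2  NAME is not on PATH_STRING, so the spawn would fail
# Usage: check_spawn_path mongocryptd "$PATH" /opt/mongodb/bin/mongocryptd
#        (the expected location is a placeholder for your install path)
check_spawn_path() {
    csp_name=$1 csp_rest=$2: csp_want=$3 csp_rc=0
    while [ -n "$csp_rest" ]; do
        csp_dir=${csp_rest%%:*}      # next entry
        csp_rest=${csp_rest#*:}      # remainder after it
        case $csp_dir in
            /*) ;;
            *)  # an empty entry means the current directory
                echo "WARN: relative or empty PATH entry '$csp_dir'" >&2
                csp_rc=1
                csp_dir=./$csp_dir ;;
        esac
        # -H resolves a symlinked entry; -prune tests the directory itself
        if [ -d "$csp_dir" ] && [ -n "$(find -H "$csp_dir" -prune -perm -0002)" ]; then
            echo "WARN: world-writable PATH entry '$csp_dir'" >&2
            csp_rc=1
        fi
        if [ -f "$csp_dir/$csp_name" ] && [ -x "$csp_dir/$csp_name" ]; then
            echo "$csp_dir/$csp_name"
            if [ "$csp_dir/$csp_name" != "$csp_want" ]; then
                echo "WARN: first match is not $csp_want" >&2
                csp_rc=1
            fi
            return "$csp_rc"
        fi
    done
    return 2
}
```

Run it with the same PATH value the application process receives, which can differ from an interactive shell's.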