Docs Menu
Docs Home
/
MongoDB Manual
/ / /

KeyVault.getKey()

On this page

  • Behavior
  • Example
KeyVault.getKey(UUID)

Gets a data encryption key with the specified UUID. The data encryption key must exist in the key vault associated to the database connection.

getKey() has the following syntax:

keyVault = db.getMongo().getKeyVault()
keyVault.getKey(UUID("<UUID String>"))

The UUID is a BSON binary data object with subtype 4.

Returns:Document representing a matching data encryption key.

Returns nothing if no key in the key vault has the specified UUID.

The mongo client-side field level encryption methods require a database connection with client-side field level encryption enabled. If the current database connection was not initiated with client-side field level encryption enabled, either:

The following example uses a locally managed KMS for the client-side field level encryption configuration.

Configuring client-side field level encryption for a locally managed key requires specifying a base64-encoded 96-byte string with no line breaks. The following operation generates a key that meets the stated requirements and loads it into the mongo shell:

TEST_LOCAL_KEY=$(echo "$(head -c 96 /dev/urandom | base64 | tr -d '\n')")
mongosh --nodb --shell --eval "var TEST_LOCAL_KEY='$TEST_LOCAL_KEY'"

Create the client-side field level encryption object using the generated local key string:

var ClientSideFieldLevelEncryptionOptions = {
"keyVaultNamespace" : "encryption.__dataKeys",
"kmsProviders" : {
"local" : {
"key" : BinData(0, TEST_LOCAL_KEY)
}
}
}

Use the Mongo() constructor to create a database connection with the client-side field level encryption options. Replace the mongodb://myMongo.example.net URI with the connection string URI of the target cluster.

encryptedClient = Mongo(
"mongodb://myMongo.example.net:27017/?replSetName=myMongo",
ClientSideFieldLevelEncryptionOptions
)

Retrieve the keyVault object and use the KeyVault.getKey() to retrieve a data encryption key using its UUID:

keyVault = encryptedClient.getKeyVault()
keyVault.getKey(UUID("b4b41b33-5c97-412e-a02b-743498346079"))

getKey() returns the data encryption key, with output similar to the following:

{
"_id" : UUID("b4b41b33-5c97-412e-a02b-743498346079"),
"keyMaterial" : BinData(0,"E+0jZKzA4YuE1lGmSVIy2mivqH4JxFo0yFATdxYX/s0YtMFsgVXyu7Bbn4IQ2gn7F/9JAPJFOxdQc5lN3AR+oX33ewVZsd63f3DN1zzcukqdR2Y+EeO7ekRxyRjdzMaNNrBNIv9Gn5LEJgWPSYkG8VczF7cNZnc1YmnR0tuDPNYfm0J7dCZuZUNWW3FCGRcdFx6AlXiCtXKNR97hJ216pQ=="),
"creationDate" : ISODate("2021-03-16T18:22:43.733Z"),
"updateDate" : ISODate("2021-03-16T18:22:43.733Z"),
"status" : 0, "version" : NumberLong(0),
"masterKey" : {
"provider" : "local"
},
"keyAltNames" : [
"alpha"
]
}

Back

KeyVault.deleteKey

On this page