From 9f1d416879f289944c0266213a0451eb6ced9274 Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Mon, 4 Nov 2024 11:37:35 -0500 Subject: [PATCH] DRIVERS-1016 clarify decryption does not need the key ID or algorithm. (#1695) --- .../client-side-encryption.md | 29 ++++++++++--------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/source/client-side-encryption/client-side-encryption.md b/source/client-side-encryption/client-side-encryption.md index f8110ad8e5..326e5718ac 100644 --- a/source/client-side-encryption/client-side-encryption.md +++ b/source/client-side-encryption/client-side-encryption.md @@ -143,19 +143,19 @@ See also: One of the data formats of [BSON binary encrypted](../bson-binary-encrypted/binary-encrypted.md), representing an encoded BSON document containing encrypted ciphertext and metadata. -**FLE** +**Client-Side Field Level Encryption (CSFLE)** -FLE is the first version of Client-Side Field Level Encryption. FLE is almost entirely client-side with the exception of -server-side JSON schema. +CSFLE is the first version of In-Use Encryption. CSFLE is almost entirely client-side with the exception of server-side +JSON schema. -**Queryable Encryption** +**Queryable Encryption (QE)** -Queryable Encryption the second version of Client-Side Field Level Encryption. Data is encrypted client-side. Queryable -Encryption supports indexed encrypted fields, which are further processed server-side. +Queryable Encryption the second version of In-Use Encryption. Data is encrypted client-side. Queryable Encryption +supports indexed encrypted fields, which are further processed server-side. **In-Use Encryption** -Is an umbrella term describing the both FLE and Queryable Encryption. +Is an umbrella term describing the both CSFLE and Queryable Encryption. **encryptedFields** 
@@ -237,6 +237,7 @@ created_key_id = clientencryption.create_data_key("aws", opts) opts = EncryptOpts(key_id=created_key_id, algorithm="AEAD_AES_256_CBC_HMAC_SHA_512-Random") encrypted = clientencryption.encrypt("secret text", opts) +# Decryption does not require the key ID or algorithm. The ciphertext indicates the key ID and algorithm used. decrypted = clientencryption.decrypt(encrypted) ``` 
@@ -2223,17 +2224,17 @@ KMIP support in the MongoDB server is a precedent. The server supports `--kmipSe TLS options may be useful for the AWS, Azure, and GCP KMS providers in a case where the default trust store does not include the needed CA certificates. -### Why is it an error to have an FLE 1 and Queryable Encryption field in the same collection? +### Why is it an error to have an CSFLE and Queryable Encryption field in the same collection? -There is no technical limitation to having a separate FLE field and Queryable Encryption field in the same collection. -Prohibiting FLE and Queryable Encryption in the same collection reduces complexity. From the product perspective, a -random FLE field and a non-queryable Queryable Encryption field have the same behavior and similar security guarantees. -A deterministic FLE field leaks more information then a deterministic Queryable Encryption field. There is not a -compelling use case to use both FLE and Queryable Encryption in the same collection. +There is no technical limitation to having a separate CSFLE field and Queryable Encryption field in the same collection. +Prohibiting CSFLE and Queryable Encryption in the same collection reduces complexity. From the product perspective, a +random CSFLE field and a non-queryable Queryable Encryption field have the same behavior and similar security +guarantees. A deterministic CSFLE field leaks more information then a deterministic Queryable Encryption field. There is +not a compelling use case to use both CSFLE and Queryable Encryption in the same collection. ### Is it an error to set schemaMap and encryptedFieldsMap? -No. FLE and Queryable Encryption fields can coexist in different collections. The same collection cannot be in the +No. CSFLE and Queryable Encryption fields can coexist in different collections. The same collection cannot be in the `encryptedFieldsMap` and `schemaMap`. 
[libmongocrypt](#libmongocrypt) will error if the same collection is specified in a `schemaMap` and `encryptedFieldsMap`.
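Review bot: in the first hunk (the glossary at @@ -143,19 +143,19 @@), two pre-existing grammar slips are carried into the rewritten lines and should be fixed while the lines are being touched: "Queryable Encryption the second version of In-Use Encryption." is missing its verb and should read "Queryable Encryption is the second version of In-Use Encryption.", and "Is an umbrella term describing the both CSFLE and Queryable Encryption." should drop "the" ("describing both CSFLE and Queryable Encryption"). Separately, this hunk removes the standalone "FLE" glossary entry, so any remaining "FLE" or "FLE 1" occurrences elsewhere in the spec (the third hunk renames one such heading, which suggests there may be others) would no longer be defined; a grep for "FLE" across the document, followed by either renaming those uses or keeping a one-line alias such as "FLE: the former name for CSFLE", would close that gap.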
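Review bot: in the second hunk (@@ -237,6 +237,7 @@), the new comment could be read as saying decryption needs nothing but the ciphertext, whereas the `clientencryption.decrypt(encrypted)` call still needs the `ClientEncryption` to reach the key vault and the KMS provider (here "aws", per the `create_data_key("aws", opts)` line above) to fetch and unwrap the data key the ciphertext names. Suggest making that explicit and saying "embedded" rather than "indicates", since the key ID and algorithm are part of the encrypted payload: `# Decryption does not require the key ID or algorithm: both are embedded in the ciphertext.` followed by `# The ClientEncryption still needs key vault and KMS access to fetch the referenced data key.`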
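Review bot: in the third hunk (@@ -2223,17 +2224,17 @@), the renamed heading reads "Why is it an error to have an CSFLE and Queryable Encryption field in the same collection?"; the article should be "a CSFLE" now that the term no longer starts with a vowel sound. The rewritten body also carries the pre-existing "then" for "than" in "A deterministic CSFLE field leaks more information then a deterministic Queryable Encryption field." Both lines are already being changed, so this is the right patch to correct them.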