Options to configure automatic client-side field level encryption. Automatic client-side field level encryption requires MongoDB >=4.2 enterprise or a MongoDB >=4.2 Atlas cluster. Automatic encryption is not supported for operations on a database or view and will result in
(
self,
kms_providers: Mapping[str, Any],
key_vault_namespace: str,
key_vault_client: Optional[_AgnosticMongoClient] = None,
schema_map: Optional[Mapping[str, Any]] = None,
bypass_auto_encryption: bool = False,
mongocryptd_uri: str = "mongodb://localhost:27020",
mongocryptd_bypass_spawn: bool = False,
mongocryptd_spawn_path: str = "mongocryptd",
mongocryptd_spawn_args: Optional[list[str]] = None,
kms_tls_options: Optional[Mapping[str, Any]] = None,
crypt_shared_lib_path: Optional[str] = None,
crypt_shared_lib_required: bool = False,
bypass_query_analysis: bool = False,
encrypted_fields_map: Optional[Mapping[str, Any]] = None,
key_expiration_ms: Optional[int] = None,
)
| 56 | """Options to configure automatic client-side field level encryption.""" |
| 57 | |
| 58 | def __init__( |
| 59 | self, |
| 60 | kms_providers: Mapping[str, Any], |
| 61 | key_vault_namespace: str, |
| 62 | key_vault_client: Optional[_AgnosticMongoClient] = None, |
| 63 | schema_map: Optional[Mapping[str, Any]] = None, |
| 64 | bypass_auto_encryption: bool = False, |
| 65 | mongocryptd_uri: str = "mongodb://localhost:27020", |
| 66 | mongocryptd_bypass_spawn: bool = False, |
| 67 | mongocryptd_spawn_path: str = "mongocryptd", |
| 68 | mongocryptd_spawn_args: Optional[list[str]] = None, |
| 69 | kms_tls_options: Optional[Mapping[str, Any]] = None, |
| 70 | crypt_shared_lib_path: Optional[str] = None, |
| 71 | crypt_shared_lib_required: bool = False, |
| 72 | bypass_query_analysis: bool = False, |
| 73 | encrypted_fields_map: Optional[Mapping[str, Any]] = None, |
| 74 | key_expiration_ms: Optional[int] = None, |
| 75 | ) -> None: |
| 76 | """Options to configure automatic client-side field level encryption. |
| 77 | |
| 78 | Automatic client-side field level encryption requires MongoDB >=4.2 |
| 79 | enterprise or a MongoDB >=4.2 Atlas cluster. Automatic encryption is not |
| 80 | supported for operations on a database or view and will result in |
| 81 | error. |
| 82 | |
| 83 | Although automatic encryption requires MongoDB >=4.2 enterprise or a |
| 84 | MongoDB >=4.2 Atlas cluster, automatic *decryption* is supported for all |
| 85 | users. To configure automatic *decryption* without automatic |
| 86 | *encryption* set ``bypass_auto_encryption=True``. Explicit |
| 87 | encryption and explicit decryption is also supported for all users |
| 88 | with the :class:`~pymongo.asynchronous.encryption.AsyncClientEncryption` and :class:`~pymongo.encryption.ClientEncryption` classes. |
| 89 | |
| 90 | See `client-side field level encryption <https://www.mongodb.com/docs/languages/python/pymongo-driver/current/security/in-use-encryption/#client-side-field-level-encryption>`_ for an example. |
| 91 | |
| 92 | :param kms_providers: Map of KMS provider options. The `kms_providers` |
| 93 | map values differ by provider: |
| 94 | |
| 95 | - `aws`: Map with "accessKeyId" and "secretAccessKey" as strings. |
| 96 | These are the AWS access key ID and AWS secret access key used |
| 97 | to generate KMS messages. An optional "sessionToken" may be |
| 98 | included to support temporary AWS credentials. |
| 99 | - `azure`: Map with "tenantId", "clientId", and "clientSecret" as |
| 100 | strings. Additionally, "identityPlatformEndpoint" may also be |
| 101 | specified as a string (defaults to 'login.microsoftonline.com'). |
| 102 | These are the Azure Active Directory credentials used to |
| 103 | generate Azure Key Vault messages. |
| 104 | - `gcp`: Map with "email" as a string and "privateKey" |
| 105 | as `bytes` or a base64 encoded string. |
| 106 | Additionally, "endpoint" may also be specified as a string |
| 107 | (defaults to 'oauth2.googleapis.com'). These are the |
| 108 | credentials used to generate Google Cloud KMS messages. |
| 109 | - `kmip`: Map with "endpoint" as a host with required port. |
| 110 | For example: ``{"endpoint": "example.com:443"}``. |
| 111 | - `local`: Map with "key" as `bytes` (96 bytes in length) or |
| 112 | a base64 encoded string which decodes |
| 113 | to 96 bytes. "key" is the master key used to encrypt/decrypt |
| 114 | data keys. This key should be generated and stored as securely |
| 115 | as possible. |
nothing calls this directly
no test coverage detected