Since: 1.7.0

final class ClientEncryption

The MongoDB\Driver\ClientEncryption class handles creation of data keys for client-side encryption, as well as manually encrypting and decrypting values.

Constants

AEAD_AES_256_CBC_HMAC_SHA_512_DETERMINISTIC

AEAD_AES_256_CBC_HMAC_SHA_512_RANDOM

ALGORITHM_INDEXED Since: 1.14.0

ALGORITHM_UNINDEXED Since: 1.14.0

ALGORITHM_RANGE Since: 1.20.0

deprecated ALGORITHM_RANGE_PREVIEW Since: 1.16.0

QUERY_TYPE_EQUALITY Since: 1.14.0

QUERY_TYPE_RANGE Since: 1.20.0

deprecated QUERY_TYPE_RANGE_PREVIEW Since: 1.16.0

Methods

__construct(array $options)

No description

__wakeup()

No description

object|null
addKeyAltName(Binary $keyId, string $keyAltName)

Adds an alternate name to a key document

createDataKey(string $kmsProvider, array|null $options = null)

Creates a new key document and inserts it into the key vault collection.

mixed
decrypt(Binary $keyVaultClient)

Decrypts an encrypted value (BSON binary of subtype 6).

object
deleteKey(Binary $keyId)

Deletes a key document

encrypt(mixed $value, array|null $options = null)

Encrypts a value with a given key and algorithm.

object
encryptExpression(array|object $expr, array|null $options = null)

Encrypts a Match Expression or Aggregate Expression to query a range index

object|null
getKey(Binary $keyId)

Gets a key document

object|null
getKeyByAltName(string $keyAltName)

Gets a key document by an alternate name

getKeys()

Finds all key documents in the key vault collection.

object|null
removeKeyAltName(Binary $keyId, string $keyAltName)

Removes an alternate name from a key document

object
rewrapManyDataKey(array|object $filter, array|null $options = null)

Rewraps data keys

Details

final __construct(array $options)

Since: 1.14.0

No description

Parameters

array $options

final __wakeup()

No description

final object|null addKeyAltName(Binary $keyId, string $keyAltName)

Since: 1.15.0

Adds an alternate name to a key document

Parameters

Binary $keyId

A MongoDB\BSON\Binary instance with subtype 4 (UUID) identifying the key document.

string $keyAltName

Alternate name to add to the key document.

Return Value

object|null

Returns the previous version of the key document, or null if no document matched.

Exceptions

InvalidArgumentException

final Binary createDataKey(string $kmsProvider, array|null $options = null)

Creates a new key document and inserts it into the key vault collection.

Parameters

string $kmsProvider

The KMS provider ("local" or "aws") that will be used to encrypt the new encryption key.

array|null $options [optional]

Return Value

Binary

Returns the identifier of the new key as a MongoDB\BSON\Binary object with subtype 4 (UUID).

Exceptions

InvalidArgumentException
EncryptionException

final mixed decrypt(Binary $keyVaultClient)

Decrypts an encrypted value (BSON binary of subtype 6).

Parameters

Binary $keyVaultClient

A MongoDB\BSON\Binary instance with subtype 6 containing the encrypted value.

Return Value

mixed

Returns the decrypted value

Exceptions

InvalidArgumentException
EncryptionException

final object deleteKey(Binary $keyId)

Since: 1.15.0

Deletes a key document

Parameters

Binary $keyId

A MongoDB\BSON\Binary instance with subtype 4 (UUID) identifying the key document.

Return Value

object

Returns the result of the internal deleteOne operation on the key vault collection.

Exceptions

InvalidArgumentException

final Binary encrypt(mixed $value, array|null $options = null)

Encrypts a value with a given key and algorithm.

Parameters

mixed $value

The value to be encrypted. Any value that can be inserted into MongoDB can be encrypted using this method.

array|null $options [optional]

Return Value

Binary

Returns the encrypted value as a MongoDB\BSON\Binary object with subtype 6.

Exceptions

InvalidArgumentException
EncryptionException
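
A round trip through createDataKey(), encrypt() and decrypt() that compares the two AEAD algorithm constants, as an added example that is not part of the driver's documentation. The server URI, the `encryption.__keyVault` namespace, the in-process master key and the sample value are assumptions; it needs ext-mongodb 1.15 or later built with libmongocrypt and a reachable MongoDB deployment.

```php
<?php
// Added example; assumptions are marked inline.
use MongoDB\BSON\Binary;
use MongoDB\Driver\ClientEncryption;
use MongoDB\Driver\Manager;

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what\n";
}

// Assumed URI and key vault namespace.
$clientEncryption = new ClientEncryption([
    'keyVaultClient'    => new Manager('mongodb://127.0.0.1:27017'),
    'keyVaultNamespace' => 'encryption.__keyVault',
    // The "local" provider takes a 96-byte master key. Generated in-process
    // only to keep the example self-contained; it is lost when the script ends.
    'kmsProviders'      => ['local' => ['key' => new Binary(random_bytes(96), Binary::TYPE_GENERIC)]],
]);

$keyId = $clientEncryption->createDataKey('local');
check($keyId->getType() === Binary::TYPE_UUID, 'key id is a subtype 4 Binary');

$det  = ['keyId' => $keyId, 'algorithm' => ClientEncryption::AEAD_AES_256_CBC_HMAC_SHA_512_DETERMINISTIC];
$rand = ['keyId' => $keyId, 'algorithm' => ClientEncryption::AEAD_AES_256_CBC_HMAC_SHA_512_RANDOM];
$value = '123-45-6789'; // constructed sample value

$d1 = $clientEncryption->encrypt($value, $det);
$d2 = $clientEncryption->encrypt($value, $det);
$r1 = $clientEncryption->encrypt($value, $rand);
$r2 = $clientEncryption->encrypt($value, $rand);

check($d1->getType() === Binary::TYPE_ENCRYPTED, 'ciphertext is a subtype 6 Binary');
// Deterministic: equal plaintexts under one key give equal ciphertexts, so the
// field can be matched by equality, and anyone reading the collection can see
// which documents share a value.
check($d1->getData() === $d2->getData(), 'deterministic ciphertexts are equal');
// Random: a fresh IV per call hides equality, at the cost of not being queryable.
check($r1->getData() !== $r2->getData(), 'random ciphertexts differ');

check($clientEncryption->decrypt($d1) === $value, 'deterministic round trip');
check($clientEncryption->decrypt($r1) === $value, 'random round trip');

// Remove the throwaway key. Deleting a data key makes every value encrypted
// under it unrecoverable, so in production this is a destructive operation.
$clientEncryption->deleteKey($keyId);
```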

final object encryptExpression(array|object $expr, array|null $options = null)

Since: 1.16.0

Encrypts a Match Expression or Aggregate Expression to query a range index

Parameters

array|object $expr

A BSON document containing the expression

array|null $options

Return Value

object

Returns the encrypted expression as a BSON document

Exceptions

InvalidArgumentException

final object|null getKey(Binary $keyId)

Since: 1.15.0

Gets a key document

Parameters

Binary $keyId

A MongoDB\BSON\Binary instance with subtype 4 (UUID) identifying the key document.

Return Value

object|null

Returns the key document, or null if no document matched.

Exceptions

InvalidArgumentException

final object|null getKeyByAltName(string $keyAltName)

Since: 1.15.0

Gets a key document by an alternate name

Parameters

string $keyAltName

Alternate name for the key document.

Return Value

object|null

Returns the key document, or null if no document matched.

Exceptions

InvalidArgumentException

final Cursor getKeys()

Since: 1.15.0

Finds all key documents in the key vault collection.

Return Value

Cursor

Exceptions

InvalidArgumentException

final object|null removeKeyAltName(Binary $keyId, string $keyAltName)

Since: 1.15.0

Removes an alternate name from a key document

Parameters

Binary $keyId

A MongoDB\BSON\Binary instance with subtype 4 (UUID) identifying the key document.

string $keyAltName

Alternate name to remove from the key document.

Return Value

object|null

Returns the previous version of the key document, or null if no document matched.

final object rewrapManyDataKey(array|object $filter, array|null $options = null)

Since: 1.16.0

Rewraps data keys

Parameters

array|object $filter
array|null $options

Return Value

object

Returns an object, which will have an optional bulkWriteResult property containing the result of the internal bulkWrite operation as an object. If no data keys matched the filter or the write was unacknowledged, the bulkWriteResult property will be null.