Docs Menu
Docs Home
/
Database Manual
/
Reference
/
mongosh Methods

In-Use Encryption Methods

Note

For details on a specific method, including syntax and examples, click on the link to the method's reference page.

The mongosh ClientEncryption methods require a database connection with in-use encryption enabled. If the current database connection was not initiated with in-use encryption enabled, either:

  • Use the Mongo() constructor from the mongosh to establish a connection with the required in-use encryption options. The Mongo() method supports the following Key Management Service (KMS) providers for Customer Master Key (CMK) management:

    or

  • Use the mongosh command line options to establish a connection with the required options. The command line options only support the Amazon Web Services KMS provider for CMK management.

The following methods are for mongosh only. For instructions on implementing Client-Side Field Level Encryption (CSFLE) or Queryable Encryption (QE) using a MongoDB driver, defer to the driver documentation. See Client-Side Field Level Encryption Driver Compatibility or Queryable Encryption Driver Compatibility for supported drivers.

Commands with aliases are grouped together.

Name
CSFLE
QE
Description

getKeyVault()

Returns the key vault object for the current MongoDB connection.

KeyVault.createKey()
KeyVault.createDataKey()

Creates a data encryption key for use with Client-Side Field Level Encryption.

KeyVault.deleteKey()

Deletes the specified data encryption key from the key vault.

KeyVault.getKey()

Retrieves the specified data encryption key from the key vault.

KeyVault.getKeys()

Retrieves all keys in the key vault.

KeyVault.addKeyAlternateName()
KeyVault.addKeyAltName()

Associates a key alternative name to the specified data encryption key.

KeyVault.removeKeyAlternateName()
KeyVault.removeKeyAltName()

Removes a key alternative name from the specified data encryption key.

KeyVault.getKeyByAltName()

Retrieves keys with the specified key alternative name.

KeyVault.rewrapManyDataKey()

Decrypts multiple data keys and re-encrypts them with a new master key.

getClientEncryption()

Returns the client encryption object for supporting explicit encryption/decryption of fields.

ClientEncryption.createEncryptedCollection()

Creates a collection with encrypted fields.

ClientEncryption.encrypt()

Encrypts a field using a specified data encryption key and encryption algorithm.

ClientEncryption.encryptExpression()

Encrypts a query expression using a specified data encryption key and encryption options.

ClientEncryption.decrypt()

Decrypts a field using the associated data encryption key and encryption algorithm.

Back

SessionOptions

Next

ClientEncryption.createEncryptedCollection