Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

mongodb-client-encryption

Package Overview
Dependencies
Maintainers
5
Versions
63
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

mongodb-client-encryption

Official client encryption module for the MongoDB Node.js driver

  • 1.2.7
  • Source
  • npm
  • Socket score

Version published
Weekly downloads
86K
decreased by-12.26%
Maintainers
5
Weekly downloads
 
Created
Source

MongoDB Client Encryption

The Node.js wrapper for libmongocrypt

Requirements

Follow the instructions for building libmongocrypt here.

Installation

Now you can install mongodb-client-encryption with the following:

npm install mongodb-client-encryption

Testing

Run the test suite using:

npm test

Documentation

Classes

AutoEncrypter

An internal class to be used by the driver for auto encryption NOTE: Not meant to be instantiated directly, this is for internal use only.

ClientEncryption

The public interface for explicit client side encryption

MongoCryptError

An error indicating that something went wrong specifically with MongoDB Client Encryption

Typedefs

KMSProviders : object

Configuration options that are used by specific KMS providers during key generation, encryption, and decryption.

AWSEncryptionKeyOptions : object

Configuration options for making an AWS encryption key

GCPEncryptionKeyOptions : object

Configuration options for making a GCP encryption key

AzureEncryptionKeyOptions : object

Configuration options for making an Azure encryption key

AutoEncrypter

An internal class to be used by the driver for auto encryption NOTE: Not meant to be instantiated directly, this is for internal use only.

new AutoEncrypter(client, [options])

ParamTypeDescription
clientMongoClientThe client autoEncryption is enabled on
[options]AutoEncryptionOptionsOptional settings

Create an AutoEncrypter

Note: Do not instantiate this class directly. Rather, supply the relevant options to a MongoClient

Note: Supplying options.schemaMap provides more security than relying on JSON Schemas obtained from the server. It protects against a malicious server advertising a false JSON Schema, which could trick the client into sending unencrypted data that should be encrypted. Schemas supplied in the schemaMap only apply to configuring automatic encryption for client side encryption. Other validation rules in the JSON schema will not be enforced by the driver and will result in an error.

Example

// Enabling autoEncryption via a MongoClient
const { MongoClient } = require('mongodb');
const client = new MongoClient(URL, {
  autoEncryption: {
    kmsProviders: {
      aws: {
        accessKeyId: AWS_ACCESS_KEY,
        secretAccessKey: AWS_SECRET_KEY
      }
    }
  }
});

await client.connect();
// From here on, the client will be encrypting / decrypting automatically

AutoEncrypter~logLevel

The level of severity of the log message

ValueLevel
0Fatal Error
1Error
2Warning
3Info
4Trace

AutoEncrypter~AutoEncryptionOptions

Properties

NameTypeDescription
[keyVaultClient]MongoClientA MongoClient used to fetch keys from a key vault
[keyVaultNamespace]stringThe namespace where keys are stored in the key vault
[kmsProviders]KMSProvidersConfiguration options that are used by specific KMS providers during key generation, encryption, and decryption.
[schemaMap]objectA map of namespaces to a local JSON schema for encryption
[bypassAutoEncryption]booleanAllows the user to bypass auto encryption, maintaining implicit decryption
[options.logger]loggerAn optional hook to catch logging messages from the underlying encryption engine
[extraOptions]AutoEncryptionExtraOptionsExtra options related to the mongocryptd process

Configuration options for a automatic client encryption.

AutoEncrypter~AutoEncryptionExtraOptions

Properties

NameTypeDefaultDescription
[mongocryptdURI]stringA local process the driver communicates with to determine how to encrypt values in a command. Defaults to "mongodb://%2Fvar%2Fmongocryptd.sock" if domain sockets are available or "mongodb://localhost:27020" otherwise
[mongocryptdBypassSpawn]booleanfalseIf true, autoEncryption will not attempt to spawn a mongocryptd before connecting
[mongocryptdSpawnPath]stringThe path to the mongocryptd executable on the system
[mongocryptdSpawnArgs]Array.<string>Command line arguments to use when auto-spawning a mongocryptd

Extra options related to the mongocryptd process

AutoEncrypter~logger

ParamTypeDescription
levellogLevelThe level of logging.
messagestringThe message to log

A callback that is invoked with logging information from the underlying C++ Bindings.

ClientEncryption

The public interface for explicit client side encryption

new ClientEncryption(client, options)

ParamTypeDescription
clientMongoClientThe client used for encryption
optionsobjectAdditional settings
options.keyVaultNamespacestringThe namespace of the key vault, used to store encryption keys
[options.keyVaultClient]MongoClientA MongoClient used to fetch keys from a key vault. Defaults to client
[options.kmsProviders]KMSProvidersoptions for specific KMS providers to use

Create a new encryption instance

Example

new ClientEncryption(mongoClient, {
  keyVaultNamespace: 'client.encryption',
  kmsProviders: {
    local: {
      key: masterKey // The master key used for encryption/decryption. A 96-byte long Buffer
    }
  }
});

Example

new ClientEncryption(mongoClient, {
  keyVaultNamespace: 'client.encryption',
  kmsProviders: {
    aws: {
      accessKeyId: AWS_ACCESS_KEY,
      secretAccessKey: AWS_SECRET_KEY
    }
  }
});

clientEncryption.createDataKey(provider, [options], [callback])

ParamTypeDescription
providerstringThe KMS provider used for this data key. Must be 'aws', 'azure', 'gcp', or 'local'
[options]objectOptions for creating the data key
[options.masterKey]AWSEncryptionKeyOptions | AzureEncryptionKeyOptions | GCPEncryptionKeyOptionsIdenfities a new KMS-specific key used to encrypt the new data key
[options.keyAltNames]Array.<string>An optional list of string alternate names used to reference a key. If a key is created with alternate names, then encryption may refer to the key by the unique alternate name instead of by _id.
[callback]createDataKeyCallbackOptional callback to invoke when key is created

Creates a data key used for explicit encryption and inserts it into the key vault namespace

Returns: Promise | void - If no callback is provided, returns a Promise that either resolves with the id of the created data key, or rejects with an error. If a callback is provided, returns nothing.
Example

// Using callbacks to create a local key
clientEncryption.createDataKey('local', (err, dataKey) => {
  if (err) {
    // This means creating the key failed.
  } else {
    // key creation succeeded
  }
});

Example

// Using async/await to create a local key
const dataKeyId = await clientEncryption.createDataKey('local');

Example

// Using async/await to create an aws key
const dataKeyId = await clientEncryption.createDataKey('aws', {
  masterKey: {
    region: 'us-east-1',
    key: 'xxxxxxxxxxxxxx' // CMK ARN here
  }
});

Example

// Using async/await to create an aws key with a keyAltName
const dataKeyId = await clientEncryption.createDataKey('aws', {
  masterKey: {
    region: 'us-east-1',
    key: 'xxxxxxxxxxxxxx' // CMK ARN here
  },
  keyAltNames: [ 'mySpecialKey' ]
});

clientEncryption.encrypt(value, options, [callback])

ParamTypeDescription
value*The value that you wish to serialize. Must be of a type that can be serialized into BSON
optionsobject
[options.keyId]dataKeyIdThe id of the Binary dataKey to use for encryption
[options.keyAltName]stringA unique string name corresponding to an already existing dataKey.
options.algorithmThe algorithm to use for encryption. Must be either 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic' or AEAD_AES_256_CBC_HMAC_SHA_512-Random'
[callback]encryptCallbackOptional callback to invoke when value is encrypted

Explicitly encrypt a provided value. Note that either options.keyId or options.keyAltName must be specified. Specifying both options.keyId and options.keyAltName is considered an error.

Returns: Promise | void - If no callback is provided, returns a Promise that either resolves with the encrypted value, or rejects with an error. If a callback is provided, returns nothing.
Example

// Encryption with callback API
function encryptMyData(value, callback) {
  clientEncryption.createDataKey('local', (err, keyId) => {
    if (err) {
      return callback(err);
    }
    clientEncryption.encrypt(value, { keyId, algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic' }, callback);
  });
}

Example

// Encryption with async/await api
async function encryptMyData(value) {
  const keyId = await clientEncryption.createDataKey('local');
  return clientEncryption.encrypt(value, { keyId, algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic' });
}

Example

// Encryption using a keyAltName
async function encryptMyData(value) {
  await clientEncryption.createDataKey('local', { keyAltNames: 'mySpecialKey' });
  return clientEncryption.encrypt(value, { keyAltName: 'mySpecialKey', algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic' });
}

clientEncryption.decrypt(value, callback)

ParamTypeDescription
valueBufferAn encrypted value
callbackdecryptCallbackOptional callback to invoke when value is decrypted

Explicitly decrypt a provided encrypted value

Returns: Promise | void - If no callback is provided, returns a Promise that either resolves with the decryped value, or rejects with an error. If a callback is provided, returns nothing.
Example

// Decrypting value with callback API
function decryptMyValue(value, callback) {
  clientEncryption.decrypt(value, callback);
}

Example

// Decrypting value with async/await API
async function decryptMyValue(value) {
  return clientEncryption.decrypt(value);
}

ClientEncryption~dataKeyId

The id of an existing dataKey. Is a bson Binary value. Can be used for ClientEncryption.encrypt, and can be used to directly query for the data key itself against the key vault namespace.

ClientEncryption~createDataKeyCallback

ParamTypeDescription
[error]ErrorIf present, indicates an error that occurred in the creation of the data key
[dataKeyId]dataKeyIdIf present, returns the id of the created data key

ClientEncryption~encryptCallback

ParamTypeDescription
[err]ErrorIf present, indicates an error that occurred in the process of encryption
[result]BufferIf present, is the encrypted result

ClientEncryption~decryptCallback

ParamTypeDescription
[err]ErrorIf present, indicates an error that occurred in the process of decryption
[result]objectIf present, is the decrypted result

MongoCryptError

An error indicating that something went wrong specifically with MongoDB Client Encryption

KMSProviders

Properties

NameTypeDescription
[aws]objectConfiguration options for using 'aws' as your KMS provider
[aws.accessKeyId]stringThe access key used for the AWS KMS provider
[aws.secretAccessKey]stringThe secret access key used for the AWS KMS provider
[local]objectConfiguration options for using 'local' as your KMS provider
[local.key]BufferThe master key used to encrypt/decrypt data keys. A 96-byte long Buffer.
[azure]objectConfiguration options for using 'azure' as your KMS provider
[azure.tenantId]stringThe tenant ID identifies the organization for the account
[azure.clientId]stringThe client ID to authenticate a registered application
[azure.clientSecret]stringThe client secret to authenticate a registered application
[azure.identityPlatformEndpoint]stringIf present, a host with optional port. E.g. "example.com" or "example.com:443". This is optional, and only needed if customer is using a non-commercial Azure instance (e.g. a government or China account, which use different URLs). Defaults to "login.microsoftonline.com"
[gcp]objectConfiguration options for using 'gcp' as your KMS provider
[gcp.email]stringThe service account email to authenticate
[gcp.privateKey]string | BinaryA PKCS#8 encrypted key. This can either be a base64 string or a binary representation
[gcp.endpoint]stringIf present, a host with optional port. E.g. "example.com" or "example.com:443". Defaults to "oauth2.googleapis.com"

Configuration options that are used by specific KMS providers during key generation, encryption, and decryption.

AWSEncryptionKeyOptions

Properties

NameTypeDescription
regionstringThe AWS region of the KMS
keystringThe Amazon Resource Name (ARN) to the AWS customer master key (CMK)
[endpoint]stringAn alternate host to send KMS requests to. May include port number

Configuration options for making an AWS encryption key

GCPEncryptionKeyOptions

Properties

NameTypeDescription
projectIdstringGCP project id
locationstringLocation name (e.g. "global")
keyRingstringKey ring name
keyNamestringKey name
[keyVersion]stringKey version
[endpoint]stringKMS URL, defaults to https://www.googleapis.com/auth/cloudkms

Configuration options for making a GCP encryption key

AzureEncryptionKeyOptions

Properties

NameTypeDescription
keyNamestringKey name
keyVaultEndpointstringKey vault URL, typically <name>.vault.azure.net
[keyVersion]stringKey version

Configuration options for making an Azure encryption key

FAQs

Package last updated on 14 Sep 2021

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc