diff --git a/source/client-side-encryption/client-side-encryption.md b/source/client-side-encryption/client-side-encryption.md index f8110ad8e5..326e5718ac 100644 --- a/source/client-side-encryption/client-side-encryption.md +++ b/source/client-side-encryption/client-side-encryption.md @@ -143,19 +143,19 @@ See also: One of the data formats of [BSON binary encrypted](../bson-binary-encrypted/binary-encrypted.md), representing an encoded BSON document containing encrypted ciphertext and metadata. -**FLE** +**Client-Side Field Level Encryption (CSFLE)** -FLE is the first version of Client-Side Field Level Encryption. FLE is almost entirely client-side with the exception of -server-side JSON schema. +CSFLE is the first version of In-Use Encryption. CSFLE is almost entirely client-side with the exception of server-side +JSON schema. -**Queryable Encryption** +**Queryable Encryption (QE)** -Queryable Encryption the second version of Client-Side Field Level Encryption. Data is encrypted client-side. Queryable -Encryption supports indexed encrypted fields, which are further processed server-side. +Queryable Encryption the second version of In-Use Encryption. Data is encrypted client-side. Queryable Encryption +supports indexed encrypted fields, which are further processed server-side. **In-Use Encryption** -Is an umbrella term describing the both FLE and Queryable Encryption. +Is an umbrella term describing the both CSFLE and Queryable Encryption. **encryptedFields** @@ -237,6 +237,7 @@ created_key_id = clientencryption.create_data_key("aws", opts) opts = EncryptOpts(key_id=created_key_id, algorithm="AEAD_AES_256_CBC_HMAC_SHA_512-Random") encrypted = clientencryption.encrypt("secret text", opts) +# Decryption does not require the key ID or algorithm. The ciphertext indicates the key ID and algorithm used. decrypted = clientencryption.decrypt(encrypted) ``` 
@@ -2223,17 +2224,17 @@ KMIP support in the MongoDB server is a precedent. The server supports `--kmipSe TLS options may be useful for the AWS, Azure, and GCP KMS providers in a case where the default trust store does not include the needed CA certificates. -### Why is it an error to have an FLE 1 and Queryable Encryption field in the same collection? +### Why is it an error to have an CSFLE and Queryable Encryption field in the same collection? -There is no technical limitation to having a separate FLE field and Queryable Encryption field in the same collection. -Prohibiting FLE and Queryable Encryption in the same collection reduces complexity. From the product perspective, a -random FLE field and a non-queryable Queryable Encryption field have the same behavior and similar security guarantees. -A deterministic FLE field leaks more information then a deterministic Queryable Encryption field. There is not a -compelling use case to use both FLE and Queryable Encryption in the same collection. +There is no technical limitation to having a separate CSFLE field and Queryable Encryption field in the same collection. +Prohibiting CSFLE and Queryable Encryption in the same collection reduces complexity. From the product perspective, a +random CSFLE field and a non-queryable Queryable Encryption field have the same behavior and similar security +guarantees. A deterministic CSFLE field leaks more information then a deterministic Queryable Encryption field. There is +not a compelling use case to use both CSFLE and Queryable Encryption in the same collection. ### Is it an error to set schemaMap and encryptedFieldsMap? -No. FLE and Queryable Encryption fields can coexist in different collections. The same collection cannot be in the +No. CSFLE and Queryable Encryption fields can coexist in different collections. The same collection cannot be in the `encryptedFieldsMap` and `schemaMap`. 
[libmongocrypt](#libmongocrypt) will error if the same collection is specified in a `schemaMap` and `encryptedFieldsMap`.
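Review bot: the rewritten Queryable Encryption glossary entry in the @@ -143 hunk still has no verb: `Queryable Encryption the second version of In-Use Encryption.` should read `Queryable Encryption is the second version of In-Use Encryption.` Since this hunk already rewrites the line, fix it here. The same hunk keeps the stray article in the In-Use Encryption entry, `Is an umbrella term describing the both CSFLE and Queryable Encryption.`; drop `the`, and consider giving the sentence a subject (`In-Use Encryption is an umbrella term describing both CSFLE and Queryable Encryption.`) so the entry reads as a full sentence.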
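Review bot: the new comment in the @@ -237 hunk should say where the key ID and algorithm come from and what the decrypting side still needs. Because `decrypt` reads both from the encrypted payload rather than from the caller, the client performing decryption must still be able to obtain the data key that the payload names; suggest `# Decryption does not require the key ID or algorithm: both are encoded in the encrypted payload (see "BSON binary encrypted"). The client must still have access to the referenced data key.` Also wrap the comment to the file's line width so it matches the surrounding code block.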
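Review bot: the heading added in the @@ -2223 hunk uses the wrong article: `Why is it an error to have an CSFLE and Queryable Encryption field` should read `a CSFLE`. The rewrapped paragraph below it also carries over `leaks more information then a deterministic Queryable Encryption field`; `then` should be `than`. Both lines are touched by this hunk, so fix them here rather than leaving them for a follow-up rename pass.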