From be180e56b2a497c47e16a2744d0ff94d1b154581 Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Tue, 29 Oct 2024 12:42:30 -0400 Subject: [PATCH 1/3] indicate that decryption does not require the key ID or algorithm --- source/client-side-encryption/client-side-encryption.md | 1 + 1 file changed, 1 insertion(+) diff --git a/source/client-side-encryption/client-side-encryption.md b/source/client-side-encryption/client-side-encryption.md index f8110ad8e5..298f1a4c14 100644 --- a/source/client-side-encryption/client-side-encryption.md +++ b/source/client-side-encryption/client-side-encryption.md @@ -237,6 +237,7 @@ created_key_id = clientencryption.create_data_key("aws", opts) opts = EncryptOpts(key_id=created_key_id, algorithm="AEAD_AES_256_CBC_HMAC_SHA_512-Random") encrypted = clientencryption.encrypt("secret text", opts) +# Decryption does not require the key ID or algorithm. The ciphertext indicates the key ID and algorithm used. decrypted = clientencryption.decrypt(encrypted) ``` From bf05ae8e34d31dcd4b11c4edd2ca0036b18ffd50 Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Tue, 29 Oct 2024 12:54:18 -0400 Subject: [PATCH 2/3] more consistently use terms "In-Use Encryption", "CSFLE", and "QE" --- .../client-side-encryption.md | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/source/client-side-encryption/client-side-encryption.md b/source/client-side-encryption/client-side-encryption.md index 298f1a4c14..0bc5896b67 100644 --- a/source/client-side-encryption/client-side-encryption.md +++ b/source/client-side-encryption/client-side-encryption.md @@ -143,19 +143,19 @@ See also: One of the data formats of [BSON binary encrypted](../bson-binary-encrypted/binary-encrypted.md), representing an encoded BSON document containing encrypted ciphertext and metadata. -**FLE** +**Client-Side Field Level Encryption (CSFLE)** -FLE is the first version of Client-Side Field Level Encryption. FLE is almost entirely client-side with the exception of -server-side JSON schema. +CSFLE is the first version of In-Use Encryption. CSFLE is almost entirely client-side with the +exception of server-side JSON schema. -**Queryable Encryption** +**Queryable Encryption (QE)** -Queryable Encryption the second version of Client-Side Field Level Encryption. Data is encrypted client-side. Queryable +Queryable Encryption the second version of In-Use Encryption. Data is encrypted client-side. Queryable Encryption supports indexed encrypted fields, which are further processed server-side. **In-Use Encryption** -Is an umbrella term describing the both FLE and Queryable Encryption. +Is an umbrella term describing the both CSFLE and Queryable Encryption. **encryptedFields** @@ -2224,17 +2224,17 @@ KMIP support in the MongoDB server is a precedent. The server supports `--kmipSe TLS options may be useful for the AWS, Azure, and GCP KMS providers in a case where the default trust store does not include the needed CA certificates. -### Why is it an error to have an FLE 1 and Queryable Encryption field in the same collection? +### Why is it an error to have an CSFLE and Queryable Encryption field in the same collection? -There is no technical limitation to having a separate FLE field and Queryable Encryption field in the same collection. -Prohibiting FLE and Queryable Encryption in the same collection reduces complexity. From the product perspective, a -random FLE field and a non-queryable Queryable Encryption field have the same behavior and similar security guarantees. -A deterministic FLE field leaks more information then a deterministic Queryable Encryption field. There is not a -compelling use case to use both FLE and Queryable Encryption in the same collection. +There is no technical limitation to having a separate CSFLE field and Queryable Encryption field in the same collection. +Prohibiting CSFLE and Queryable Encryption in the same collection reduces complexity. From the product perspective, a +random CSFLE field and a non-queryable Queryable Encryption field have the same behavior and similar security guarantees. +A deterministic CSFLE field leaks more information then a deterministic Queryable Encryption field. There is not a +compelling use case to use both CSFLE and Queryable Encryption in the same collection. ### Is it an error to set schemaMap and encryptedFieldsMap? -No. FLE and Queryable Encryption fields can coexist in different collections. The same collection cannot be in the +No. CSFLE and Queryable Encryption fields can coexist in different collections. The same collection cannot be in the `encryptedFieldsMap` and `schemaMap`. [libmongocrypt](#libmongocrypt) will error if the same collection is specified in a `schemaMap` and `encryptedFieldsMap`. From ca570840a9eea2ea4a7fa59d9aa8e2b3dd16842c Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Tue, 29 Oct 2024 12:59:17 -0400 Subject: [PATCH 3/3] format --- .../client-side-encryption.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/source/client-side-encryption/client-side-encryption.md b/source/client-side-encryption/client-side-encryption.md index 0bc5896b67..326e5718ac 100644 --- a/source/client-side-encryption/client-side-encryption.md +++ b/source/client-side-encryption/client-side-encryption.md @@ -145,13 +145,13 @@ encoded BSON document containing encrypted ciphertext and metadata. **Client-Side Field Level Encryption (CSFLE)** -CSFLE is the first version of In-Use Encryption. CSFLE is almost entirely client-side with the -exception of server-side JSON schema. +CSFLE is the first version of In-Use Encryption. CSFLE is almost entirely client-side with the exception of server-side +JSON schema. **Queryable Encryption (QE)** -Queryable Encryption the second version of In-Use Encryption. Data is encrypted client-side. Queryable -Encryption supports indexed encrypted fields, which are further processed server-side. +Queryable Encryption the second version of In-Use Encryption. Data is encrypted client-side. Queryable Encryption +supports indexed encrypted fields, which are further processed server-side. **In-Use Encryption** @@ -2228,9 +2228,9 @@ include the needed CA certificates. There is no technical limitation to having a separate CSFLE field and Queryable Encryption field in the same collection. Prohibiting CSFLE and Queryable Encryption in the same collection reduces complexity. From the product perspective, a -random CSFLE field and a non-queryable Queryable Encryption field have the same behavior and similar security guarantees. -A deterministic CSFLE field leaks more information then a deterministic Queryable Encryption field. There is not a -compelling use case to use both CSFLE and Queryable Encryption in the same collection. +random CSFLE field and a non-queryable Queryable Encryption field have the same behavior and similar security +guarantees. A deterministic CSFLE field leaks more information then a deterministic Queryable Encryption field. There is +not a compelling use case to use both CSFLE and Queryable Encryption in the same collection. ### Is it an error to set schemaMap and encryptedFieldsMap?