KeyVault.addKeyAlternateName()
- Behavior
  - Requires Configuring Client-Side Field Level Encryption on Database Connection
- Example

KeyVault.addKeyAlternateName()

New in version 4.2.

beta

Client-Side Field Level Encryption is available as a beta. The contentsof this page may change during the beta period.

KeyVault.addKeyAlternateName(UUID, keyAltName)
Adds the keyAltName to the keyAltNames array of the data keywith UUID.

keyAltName must be unique among all keys in the key vault.getKeyVault creates a unique index onkeyAltNames to enforce uniqueness of keyAltName.

addKeyAlternateName() has the following syntax:

keyVault = db.getMongo().getKeyVault()
 
keyVault.addKeyAlternateName(
  UUID("<UUID string>"),
  "keyAltName"
)

returns:	Returns the previous version of the data key document.Returns `null` if no data key has the specified `UUID()`.

Behavior

Requires Configuring Client-Side Field Level Encryption on Database Connection

The mongo client-side field level encrytion methodsrequire a database connection with client-side field level encryptionenabled. If the current database connection was not initiated withclient-side field level encryption enabled, either:

Use the Mongo() constructor from the mongoshell to establish a connection with the required client-side fieldlevel encryption options. The Mongo() method supports bothAmazon Web Services and Local Key Management Service (KMS) providersfor Customer Master Key (CMK) management.

Use the mongo shell command line options to establish aconnection with the required options. The command line options onlysupport the AWS KMS provider for CMK management.

Example

The following example is intended for rapid evaluation ofclient-side field level encryption. For more complete examplesappropriate for development and production environments, seeManage a data encryption key’s alternate name.

Configuring client-side field level encryption for a locallymanaged key requires specifying a base64-encoded 96-bytestring with no line breaks. The following operation generatesa key that meets the stated requirements and loads it intothe mongo shell:

TEST_LOCAL_KEY=$(echo "$(head -c 96 /dev/urandom | base64 | tr -d '\n')")
 
mongo --nodb --shell --eval "var TEST_LOCAL_KEY='$TEST_LOCAL_KEY'"

Create the client-side field level encryption object using thegenerated local key string:

var ClientSideFieldLevelEncryptionOptions = {
  "keyVaultNamespace" : "encryption.__dataKeys",
  "kmsProviders" : {
    "local" : {
      "key" : BinData(0, TEST_LOCAL_KEY)
    }
  }
}

Use the Mongo() constructor to create a database connectionwith the client-side field level encryption options. Replace themongodb://myMongo.example.net URI with the connection stringURI of the target cluster.

encryptedClient = Mongo(
  "mongodb://myMongo.example.net:27017/?replSetName=myMongo",
  ClientSideFieldLevelEncryptionOptions
)

Retrieve the KeyVault object and usethe KeyVault.addKeyAlternateName() method to add a newkey alternate name to the data key with matching UUID. The specifiedkey alternate name must be unique:

keyVault = encryptedClient.getKeyVault()
keyVault.addKeyAlternateName(UUID("b4b41b33-5c97-412e-a02b-743498346079"),"Other-Data-Encryption-Key")

If successful, addKeyAlternateName() returns theprevious version of data key document:

{
    "_id" : UUID("b4b41b33-5c97-412e-a02b-743498346079"),
    "keyMaterial" : BinData(0,"PXRsLOAYxhzTS/mFQAI8486da7BwZgqA91UI7NKz/T/AjB0uJZxTvhvmQQsKbCJYsWVS/cp5Rqy/FUX2zZwxJOJmI3rosPhzV0OI5y1cuXhAlLWlj03CnTcOSRzE/YIrsCjMB0/NyiZ7MRWUYzLAEQnE30d947XCiiHIb8a0kt2SD0so8vZvSuP2n0Vtz4NYqnzF0CkhZSWFa2e2yA=="),
    "creationDate" : ISODate("2019-08-12T21:21:30.569Z"),
    "updateDate" : ISODate("2019-08-12T21:21:30.569Z"),
    "status" : 0,
    "version" : NumberLong(0),
    "masterKey" : {
        "provider" : "local"
    },
    "keyAltNames" : [
    ]
}

To view the current version of the data key document, useKeyVault.getKey() specifying the id of the returneddocument _orKeyVault.getKeyByAltName() specifying one of thekeyAltNames.