为 Mongo 客户端字段级加密(CSFLE)生成单个数据密钥
[英]Generate single data key for Mongo Client Side Field Level Encryption(CSFLE)
问题描述
I am using the second example mentioned here for client side field level encryption and it is working as expected.
我正在使用此处提到的第二个示例进行客户端字段级加密,并且它按预期工作。 I create a Mongo client bean once and use it through out until my application is stopped.我创建了一个 Mongo 客户端 bean 并一直使用它,直到我的应用程序停止。
I wanted to find if there are better ways of doing the following things and have few doubts:我想找出是否有更好的方法来做以下事情并且几乎没有疑问:
- The below commands is run each time I re-start the server:每次我重新启动服务器时都会运行以下命令:
BsonBinary dataKeyId = clientEncryption.createDataKey("local", new DataKeyOptions());
This generates a new key each time and inserts in my key vault collection.这每次都会生成一个新密钥并插入到我的密钥库集合中。 I am curious if there is a way to use the old key itself by fetching it for space optimisation.我很好奇是否有办法通过获取旧密钥本身来进行空间优化。 Is there any advantage in terms of security for either of these approaches?这两种方法在安全性方面有什么优势吗?
If I am using AWS KMS, does my mongo client call keyvault collection and KMS for each fetch/update call?
如果我使用的是 AWS KMS,我的 mongo 客户端是否会为每个 fetch/update 调用调用 keyvault 集合和 KMS?If I enable AWS KMS key rotation, does key rotation cause issue while decrypting old data?
如果我启用 AWS KMS 密钥轮换,在解密旧数据时密钥轮换是否会导致问题?
Thanks in advance.提前致谢。
1 个解决方案
解决方案1
0 2021-04-28 15:51:53
I am using the second example mentioned here for client side field level encryption and it is working as expected.我正在使用此处提到的第二个示例进行客户端字段级加密,并且它按预期工作。 I create a Mongo client bean once and use it through out until my application is stopped.我创建了一个 Mongo 客户端 bean 并一直使用它,直到我的应用程序停止。
I wanted to find if there are better ways of doing the following things and have few doubts:我想找出是否有更好的方法来做以下事情并且几乎没有疑问:
- The below commands is run each time I re-start the server:每次我重新启动服务器时都会运行以下命令:
BsonBinary dataKeyId = clientEncryption.createDataKey("local", new DataKeyOptions());
This generates a new key each time and inserts in my key vault collection.这每次都会生成一个新密钥并插入到我的密钥库集合中。 I am curious if there is a way to use the old key itself by fetching it for space optimisation.我很好奇是否有办法通过获取旧密钥本身来进行空间优化。 Is there any advantage in terms of security for either of these approaches?这两种方法在安全性方面有什么优势吗?
If I am using AWS KMS, does my mongo client call keyvault collection and KMS for each fetch/update call?
如果我使用的是 AWS KMS,我的 mongo 客户端是否会为每个 fetch/update 调用调用 keyvault 集合和 KMS?If I enable AWS KMS key rotation, does key rotation cause issue while decrypting old data?
如果我启用 AWS KMS 密钥轮换,在解密旧数据时密钥轮换是否会导致问题?
Thanks in advance.提前致谢。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.