Mongo CSFLE Data encryption keys fetched once or in batches

In MongoDB client-side field level encryption, when we encrypt records and have multiple data encryption keys (please don't confuse this with the master key) in the key vault, if we fetch multiple records in a single query, say X records which have 1 field encrypted using Y distinct data encryption keys, I would like to understand how the driver handles fetching of these data encryption keys. I could think of a few ways, listed below, in which it could have been handled, but I want to understand the exact behaviour to finalise our approach.

  1. It fetches X records and, while decrypting each record, it makes a call to fetch the data encryption key used to encrypt that particular record. So, together, it makes X db calls to fetch keys.
  2. Same as above, but when it fetches a data encryption key, it stores it in memory to reuse if any other undecrypted record used the same data encryption key. In this approach, it makes Y db calls to fetch keys.
  3. It fetches X records and lists all distinct key identifiers used. It makes a single DB call to fetch all these distinct data encryption keys. In this approach, it makes a single db call to fetch all keys.
  4. Some other way.

If anyone has an idea of how it's implemented, please share.

TIA

The key management happens in the libmongocrypt library.

It appears to request each key individually, as it is needed, and cache it locally for later use.

This seems to align with your #2 scenario.

I have tried it out myself by generating 3 data encryption keys (DEKs) and multiple records (R) encrypted using these and stored in the DB. When I fetched all the records, it made a query to fetch all 3 DEKs using an $in query on the 3 DEK IDs. So, it looks like it's following scenario 3. This observation is for a small set of data. Maybe if there are too many DEKs, it might try to make different batch calls for DEKs, not sure. But at least I was able to confirm that it will fetch DEKs in batches, which helps in better performance.

Hope this information helps others.
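
The batched lookup described in the answer above can be reproduced offline on sample data. This is an added example, not code from either poster or from libmongocrypt: it assumes MongoDB's documented ciphertext layout for BSON Binary subtype 6 (one blob-subtype byte, the 16-byte DEK UUID, one original-BSON-type byte, then ciphertext), and the field name `ssn`, the key ids and the records are constructed.

```python
import uuid

# Assumed layout of the bytes inside a BSON Binary subtype 6 value:
#   byte 0      blob subtype: 1 = deterministic, 2 = random
#   bytes 1-16  UUID (_id) of the data encryption key in the key vault
#   byte 17     BSON type of the original plaintext value
#   bytes 18..  ciphertext
ALGORITHMS = {1: "deterministic", 2: "random"}
HEADER_LEN = 18


def parse_payload(payload: bytes):
    """Return (algorithm, key_id) for one encrypted field value."""
    if len(payload) <= HEADER_LEN:
        raise ValueError("payload too short for a CSFLE ciphertext")
    if payload[0] not in ALGORITHMS:
        raise ValueError(f"unexpected blob subtype {payload[0]}")
    return ALGORITHMS[payload[0]], uuid.UUID(bytes=payload[1:17])


def key_vault_filter(records, field):
    """Collect the distinct DEK ids over all records and build one $in filter."""
    distinct = dict.fromkeys(parse_payload(rec[field])[1] for rec in records)
    return {"_id": {"$in": list(distinct)}}


def make_payload(key_id, subtype=2, bson_type=0x02, body=b"\x00" * 32):
    """Build a constructed payload; the body is filler, not real ciphertext."""
    return bytes([subtype]) + key_id.bytes + bytes([bson_type]) + body


# Constructed sample: 3 DEK ids, 10 records (X = 10, Y = 3 in the question's terms).
DEKS = [uuid.UUID(int=i) for i in (1, 2, 3)]
RECORDS = [{"_id": n, "ssn": make_payload(DEKS[n % 3])} for n in range(10)]

if __name__ == "__main__":
    # One filter naming all 3 key ids, i.e. a single key vault query.
    print(key_vault_filter(RECORDS, "ssn"))
```

Against a live deployment, the actual key vault queries can be confirmed with the driver's command monitoring or the database profiler on the key vault collection.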
