Created
June 29, 2022 20:36
Python Driver Local KMS Tutorial
import base64
import os
import pprint

from bson.binary import STANDARD, UUID, UUID_SUBTYPE, Binary
from bson.codec_options import CodecOptions
from pymongo import MongoClient
from pymongo.encryption import ClientEncryption
from pymongo.encryption_options import AutoEncryptionOpts
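# start-key-vault
key_vault_namespace = "encryption.__keyVault"
# end-key-vault
connection_string = "<your connection string here>"
# start-kmsproviders
path = "./master-key.txt"
with open(path, "rb") as f:
    local_master_key = f.read()
# Fail fast with a readable error: a local KMS master key must be exactly
# 96 bytes (see the key-generation script, which writes os.urandom(96)), and a
# wrong-sized or truncated file would otherwise only surface when the key is used.
if len(local_master_key) != 96:
    raise ValueError(
        f"{path}: expected a 96-byte local master key, got {len(local_master_key)} bytes"
    )
kms_providers = {
    "local": {
        "key": local_master_key  # local_master_key variable from the previous step
    },
}
# end-kmsproviders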
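# start-schema
dek_id = b"<paste-base-64-encoded-data-encryption-key-id>"
# Automatic-encryption schema for medicalRecords.patients. encryptMetadata.keyId
# names the data encryption key (as a UUID Binary) used for every "encrypt"
# field below. The find at the end of this script matches on ssn, which works
# because ssn uses the Deterministic algorithm; Random fields are not queryable.
json_schema = {
    "bsonType": "object",
    "encryptMetadata": {"keyId": [Binary(base64.b64decode(dek_id), UUID_SUBTYPE)]},
    "properties": {
        "insurance": {
            "bsonType": "object",
            "properties": {
                "policyNumber": {
                    "encrypt": {
                        "bsonType": "int",
                        "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
                    }
                }
            },
        },
        "medicalRecords": {
            "encrypt": {
                "bsonType": "array",
                "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random",
            }
        },
        "bloodType": {
            "encrypt": {
                "bsonType": "string",
                "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random",
            }
        },
        "ssn": {
            "encrypt": {
                "bsonType": "int",
                "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
            }
        },
    },
}
# Map the schema to its namespace (the original assigned this twice).
patient_schema = {"medicalRecords.patients": json_schema}
# end-schema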
# start-extra-options
# Location of the mongocryptd binary the auto-encryption client spawns;
# this is a Unix path and must be adjusted for the host running the tutorial.
extra_options = {"mongocryptd_spawn_path": "/usr/local/bin/mongocryptd"}
# end-extra-options
# start-client
# Client that transparently encrypts/decrypts the fields marked in patient_schema.
fle_opts = AutoEncryptionOpts(
    kms_providers=kms_providers,
    key_vault_namespace=key_vault_namespace,
    schema_map=patient_schema,
    **extra_options,
)
secureClient = MongoClient(connection_string, auto_encryption_opts=fle_opts)
# end-client
# start-insert | |
def insert_patient(
    collection, name, ssn, blood_type, medical_records, policy_number, provider
):
    """Insert one patient document into *collection* via ``insert_one``.

    The document layout follows the ``json_schema`` defined earlier in this
    script: ``ssn``, ``bloodType``, ``medicalRecords`` and the nested
    ``insurance.policyNumber`` are the fields that schema marks for encryption,
    while ``name`` and ``insurance.provider`` are stored as given. Whether the
    values are actually encrypted depends on the client that owns *collection*.
    Returns None.
    """
    patient = dict(
        name=name,
        ssn=ssn,
        bloodType=blood_type,
        medicalRecords=medical_records,
        insurance=dict(policyNumber=policy_number, provider=provider),
    )
    collection.insert_one(patient)
medical_record = [{"weight": 180, "bloodPressure": "120/80"}]
# Sample patient written through the encrypting client, so the schema-marked
# fields are encrypted before they leave the driver.
insert_patient(
    secureClient.medicalRecords.patients,
    name="Jon Doe",
    ssn=241014209,
    blood_type="AB+",
    medical_records=medical_record,
    policy_number=123142,
    provider="MaestCare",
)
# end-insert
# A client without auto_encryption_opts: it sees the stored (encrypted) values.
regularClient = MongoClient(connection_string)
# start-find
# The regular client can match on the unencrypted name field only; the encrypting
# client decrypts on read and can match on ssn because that field is Deterministic.
print("Finding a document with regular (non-encrypted) client.")
patients = regularClient.medicalRecords.patients
result = patients.find_one({"name": "Jon Doe"})
pprint.pprint(result)
print("Finding a document with encrypted client, searching on an encrypted field")
encrypted_match = secureClient.medicalRecords.patients.find_one({"ssn": 241014209})
pprint.pprint(encrypted_match)
# end-find
from pymongo import MongoClient | |
from pymongo.encryption_options import AutoEncryptionOpts | |
from pymongo.encryption import ClientEncryption | |
import base64 | |
import os | |
from bson.codec_options import CodecOptions | |
from bson.binary import STANDARD, UUID | |
import os | |
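path = "master-key.txt"
# Local KMS master key: 96 random bytes from the OS CSPRNG.
file_bytes = os.urandom(96)
# O_EXCL refuses to overwrite an existing key file: regenerating the master key
# would make every data key already wrapped with the old one unrecoverable.
# 0o600 keeps the key readable by the owner only (the mode is advisory on Windows).
fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
with os.fdopen(fd, "wb") as f:
    f.write(file_bytes)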
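# start-kmsproviders
path = "./master-key.txt"
with open(path, "rb") as f:
    local_master_key = f.read()
# A local KMS master key must be exactly 96 bytes (the generation step above
# writes os.urandom(96)); checking here gives a clear error instead of a failure
# when the key is first used to create a data key.
if len(local_master_key) != 96:
    raise ValueError(
        f"{path}: expected a 96-byte local master key, got {len(local_master_key)} bytes"
    )
kms_providers = {
    "local": {
        "key": local_master_key  # local_master_key variable from the previous step
    },
}
# end-kmsproviders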
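# start-datakeyopts
# end-datakeyopts
# start-create-dek
connection_string = "<your connection string here>"
key_vault_namespace = "encryption.__keyVault"
# MongoClient and ClientEncryption both hold connections; the with-blocks
# release them once the data key has been created instead of leaking them
# until interpreter exit.
with MongoClient(connection_string) as client:
    with ClientEncryption(
        kms_providers,  # pass in the kms_providers variable from the previous step
        key_vault_namespace,
        client,
        CodecOptions(uuid_representation=STANDARD),
    ) as client_encryption:
        # Creates a data encryption key wrapped by the local master key and stores
        # it in the key vault collection; the returned id is a UUID Binary.
        data_key_id = client_encryption.create_data_key("local")
# Printed as base64 so it can be pasted into the schema's dek_id placeholder.
base_64_data_key_id = base64.b64encode(data_key_id)
print("DataKeyId [base64]: ", base_64_data_key_id)
# end-create-dek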
pymongo | |
pymongocrypt |