sarjarapu
sarjarapu
/ csfle-privacy-ondata.js
Created
January 23, 2020 15:23
A JavaScript to show MongoDB client-side field-level encryption can help you implement solutions for California Consumer Privacy Act. The deletion of the data encryption key will render all the consumers' data permanently unreadable be it in current database or in historical snapshots.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // rules for automation encryption | |
| var schemaMap = { | |
| "health_care_app.patients": { | |
| "bsonType": "object", | |
| "properties": { | |
| "medRecNum": { | |
| "bsonType": "int" | |
| }, | |
| "firstName": { | |
| "bsonType": "string" |
sarjarapu
/ csfle-enforce-schema.js
Created
January 23, 2020 15:18
A JavaScript to show how JSONSchema can be used to enforce clients to insert encrypted data than plain text data.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // So let's drop all the information in patients collection | |
| plainDB.getCollection("patients").remove({"_id": 3}); | |
| // define server-side JSON and retry the insert | |
| var patientsJSONSchema = { | |
| "bsonType": "object", | |
| "properties": { | |
| "ssn": { | |
| "encrypt": { | |
| "bsonType": "string", | |
| "algorithm": SSN_ENCRYPTION_ALGORITHM, |
sarjarapu
/ csfle-accidental-plaintext.js
Created
January 23, 2020 15:16
A JavaScript to show the possibility of clients not using client-side field level encryption may still be able to accidentally insert plain text data.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Insert another document from plainDB object with plain text. | |
| // Remember the previous inserts were on csfleDB object (with Field-Level encryption options) | |
| plainDB.getCollection("patients").insert({ | |
| "_id": 3, | |
| "medRecNum": 3, | |
| "firstName": "Jason", | |
| "lastName": "Doe", | |
| "ssn": "333-33-3333", | |
| "mobile": "333-333-3333", | |
| "comment": "Jason Doe SSN/Phone should have been encrypted, but the app/dev forgot to do so." |
sarjarapu
/ csfle-automatic-encryption.js
Created
January 23, 2020 15:13
A JavaScript to illustrate insert/find operations while using MongoDB client-side field level encryption with automatic encryption feature.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // NOTE: In the explicit encryption method all insert/update/find operations should ship encrypted data. | |
| // Let's explore an MongoDB Enterprise that helps automatically encryption / decryption data for you. But first, | |
| // define a JSON schema mapping for our patients collection via the Field-Level option. | |
| const healthCareAppSchema = { | |
| "health_care_app.patients": { | |
| "bsonType": "object", | |
| "properties": { | |
| "medRecNum": { | |
| "bsonType": "int" | |
| }, |
sarjarapu
/ csfle-manual-encryption.js
Created
January 23, 2020 15:10
A JavaScript to illustrate insert/find operations while using MongoDB client-side field level encryption feature.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Deterministic algorithm: Always outputs the same encrypted value for a given combo of plain text and an encryption key. When you need to search on encrypted text match you must be using the Deterministic algorithms. | |
| const SSN_ENCRYPTION_ALGORITHM = "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"; | |
| // Random algorithm: Always outputs different encrypted value for a given combo of plain text and an encryption key. Although the encrypted value is different, decrypting always yields the same plain text. Because the encrypted text is random, you should not be using them on searchable fields | |
| const MOBILE_ENCRYPTION_ALGORITHM = "AEAD_AES_256_CBC_HMAC_SHA_512-Random"; | |
| // Create a patient document on csfleDB object. Manually encrypt the texts and insert into DB | |
| // Notice that encrypt method is called once per each field, but insert operation is done as a whole | |
| csfleDB.getCollection("patients").insert({ | |
| "_id": 1, | |
| "medRecNum": 1, |
sarjarapu
/ csfle-create-clientobj.js
Last active
January 23, 2020 14:57
A JavaScript to make use of the client-side field-level encryptions, create the MongoDB client objects, and create data encryption keys for SSN and Mobile fields
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Create a mongo clients for plain text operations and another with client-side Field-Level encryption options | |
| var csfleOptions = { | |
| "keyVaultNamespace" : "encryption.__dataKeys", | |
| "kmsProviders" : { | |
| "local" : { | |
| "key" : BinData(0, LOCAL_KEY) | |
| } | |
| }, | |
| "schemaMap" : {} | |
| }; |
sarjarapu
/ csfle-create-local-keyfile.sh
Created
January 23, 2020 14:53
A bash script to create LOCAL_KEY and start the MongoDB shell
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Generate 96 char local key. save it don't loose it | |
| LOCAL_KEY=$(openssl rand -hex 50 | head -c 96 | base64 | tr -d '\n') | |
| echo $LOCAL_KEY | |
| # YzRiY2Y3ZGUzNDgxYzQwNzliMGEzMDI2YjU0ODkwMjQ5ZTNmMWFkZDdiZGUzMDc5ZTVlMWYxNjBlMDM5MGJmMjhmOWIyODdlMjU3MjA1M2ZmZjdiZDViYWE1Y2Q1OTRi | |
| # Start the v4.2 client. Note that you are not connecting to server yet | |
| ${MONGO_BIN}/mongo --shell --nodb --eval "var LOCAL_KEY = '$LOCAL_KEY' " |
sarjarapu
/ csfle-create-mongod.sh
Created
January 23, 2020 14:51
A bash script to download and install MongoDB v4.2.2 enterprise on my Mac
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # TODO: Update the BASE_DIR to your favorite directory | |
| BASE_DIR=/Users/shyam/code/personal/mdb/fle/build | |
| VERSION="4.2.2" | |
| # TODO: Change the binaries to your OS flavor | |
| # Download and extract the v4.2 enterprise binaries | |
| cd ${BASE_DIR} | |
| curl -OL "https://downloads.mongodb.com/osx/mongodb-macos-x86_64-enterprise-${VERSION}.tgz" | |
| tar -xzf mongodb-macos-x86_64-enterprise-${VERSION}.tgz | |
| rm -f mongodb-macos-x86_64-enterprise-${VERSION}.tgz |
sarjarapu
/ kerberos-mongod-auth.sh
Created
October 5, 2018 04:59
A bash script illustrating authentication to MongoDB via Kerberos SSO and authorization on MongoDB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Login into the Kerberos as bob | |
| kinit -p bob | |
| # Password for bob@MDBKRB5.NET: | |
| klist | |
| # Ticket cache: KEYRING:persistent:1000:1000 | |
| # Default principal: bob@MDBKRB5.NET | |
| # Valid starting Expires Service principal | |
| # 10/04/2018 16:58:49 10/05/2018 16:58:48 krbtgt/MDBKRB5.NET@MDBKRB5.NET |
sarjarapu
/ kerberos-install-mongo-shell.sh
Created
October 5, 2018 04:53
A bash script to install the MongoDB shell and the MongoDB Enterprise dependencies
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sudo tee /etc/yum.repos.d/mongodb-enterprise.repo << EOF | |
| [mongodb-enterprise] | |
| name=MongoDB Enterprise Repository | |
| baseurl=https://repo.mongodb.com/yum/redhat/\$releasever/mongodb-enterprise/4.0/\$basearch/ | |
| gpgcheck=1 | |
| enabled=1 | |
| gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc | |
| EOF | |
| # Install the mongodb enterprise dependencies and mongodb shell |
NewerOlder