sarjarapu/csfle-manual-encryption.js

## csfle-manual-encryption.js
// Deterministic algorithm: Always outputs the same encrypted value for a given combo of plain text and an encryption key. When you need to search on encrypted text match you must be using the Deterministic algorithms.
const SSN_ENCRYPTION_ALGORITHM = "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic";
// Random algorithm: Always outputs different encrypted value for a given combo of plain text and an encryption key. Although the encrypted value is different, decrypting always yields the same plain text. Because the encrypted text is random, you should not be using them on searchable fields
const MOBILE_ENCRYPTION_ALGORITHM = "AEAD_AES_256_CBC_HMAC_SHA_512-Random";

// Create a patient document on csfleDB object. Manually encrypt the texts and insert into DB
// Notice that encrypt method is called once per each field, but insert operation is done as a whole
csfleDB.getCollection("patients").insert({
  "_id": 1,
  "medRecNum": 1,
  "firstName": "John",
  "lastName": "Doe",
  "ssn": csfleClient.encrypt(SSN_ENCRYPTION_KEY_UUID, "111-11-1111", SSN_ENCRYPTION_ALGORITHM),
  "mobile": csfleClient.encrypt(MOBILE_ENCRYPTION_KEY_UUID, "111-111-1111", MOBILE_ENCRYPTION_ALGORITHM),
  "comment": "John Doe's SSN/Phone are manually encrypted."
});

// Find operation on the plainDB object - shows encrypted text (as stored in DB)
plainDB.getCollection("patients").findOne();
/*
{
  "_id" : 1,
  "medRecNum" : 1,
  "firstName" : "John",
  "lastName" : "Doe",
  "ssn" : BinData(6,"AWE7iEZXVUV9my4XXm0O38sCAUEAEz28vlFT8UsIeLFYk7xvR9OKpbsmsEk72yDbVJDdHR7p6ctD2XbvUhORLVYbzS/D2GXtWcMwFacpmrS9HsP8IIGoDMIL2QYarQrKj9U="),
  "mobile" : BinData(6,"AjtqXpdbrUKmnslCbIXOtZUCiQW9l+nhjldSPD1dtPE/qOAraomXcoSA8asUIUDXyLGHBzQYG5TAwJ8tNUCIErK7D4hl5fT9la96dyKQ/ueCYol6GUkaFtLKVSMKfu3DOhA="),
  "comment" : "John Doe's SSN/Phone are manually encrypted."
}
*/

// Find operation on the csfle DB object - shows plain text after decrypting it on client-side
csfleDB.getCollection("patients").findOne();
/*
{
  "_id" : 1,
  "medRecNum" : 1,
  "firstName" : "John",
  "lastName" : "Doe",
  "ssn" : "111-11-1111",
  "mobile" : "111-111-1111",
  "comment" : "John Doe's SSN/Phone are manually encrypted."
}
*/

// Find patient by SSN didn't return any data This is because the input filter is
// in plain text, where as the field in the database is stored with encrypted text
csfleDB.getCollection("patients").findOne({"ssn": "111-11-1111"})
// null

// Find patient by sending the encrypted text of SSN returns the data.
const encryptedSSN = csfleClient.encrypt(SSN_ENCRYPTION_KEY_UUID, "111-11-1111", SSN_ENCRYPTION_ALGORITHM);
csfleDB.getCollection("patients").findOne({"ssn": encryptedSSN})
/*
{
  "_id" : 1,
  "medRecNum" : 1,
  "firstName" : "John",
  "lastName" : "Doe",
  "ssn" : "111-11-1111",
  "mobile" : "111-111-1111",
  "comment" : "John Doe's SSN/Phone are manually encrypted."
}
*/
	// Deterministic algorithm: Always outputs the same encrypted value for a given combo of plain text and an encryption key. When you need to search on encrypted text match you must be using the Deterministic algorithms.
	const SSN_ENCRYPTION_ALGORITHM = "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic";
	// Random algorithm: Always outputs different encrypted value for a given combo of plain text and an encryption key. Although the encrypted value is different, decrypting always yields the same plain text. Because the encrypted text is random, you should not be using them on searchable fields
	const MOBILE_ENCRYPTION_ALGORITHM = "AEAD_AES_256_CBC_HMAC_SHA_512-Random";

	// Create a patient document on csfleDB object. Manually encrypt the texts and insert into DB
	// Notice that encrypt method is called once per each field, but insert operation is done as a whole
	csfleDB.getCollection("patients").insert({
	"_id": 1,
	"medRecNum": 1,
	"firstName": "John",
	"lastName": "Doe",
	"ssn": csfleClient.encrypt(SSN_ENCRYPTION_KEY_UUID, "111-11-1111", SSN_ENCRYPTION_ALGORITHM),
	"mobile": csfleClient.encrypt(MOBILE_ENCRYPTION_KEY_UUID, "111-111-1111", MOBILE_ENCRYPTION_ALGORITHM),
	"comment": "John Doe's SSN/Phone are manually encrypted."
	});

	// Find operation on the plainDB object - shows encrypted text (as stored in DB)
	plainDB.getCollection("patients").findOne();
	/*
	{
	"_id" : 1,
	"medRecNum" : 1,
	"firstName" : "John",
	"lastName" : "Doe",
	"ssn" : BinData(6,"AWE7iEZXVUV9my4XXm0O38sCAUEAEz28vlFT8UsIeLFYk7xvR9OKpbsmsEk72yDbVJDdHR7p6ctD2XbvUhORLVYbzS/D2GXtWcMwFacpmrS9HsP8IIGoDMIL2QYarQrKj9U="),
	"mobile" : BinData(6,"AjtqXpdbrUKmnslCbIXOtZUCiQW9l+nhjldSPD1dtPE/qOAraomXcoSA8asUIUDXyLGHBzQYG5TAwJ8tNUCIErK7D4hl5fT9la96dyKQ/ueCYol6GUkaFtLKVSMKfu3DOhA="),
	"comment" : "John Doe's SSN/Phone are manually encrypted."
	}
	*/

	// Find operation on the csfle DB object - shows plain text after decrypting it on client-side
	csfleDB.getCollection("patients").findOne();
	/*
	{
	"_id" : 1,
	"medRecNum" : 1,
	"firstName" : "John",
	"lastName" : "Doe",
	"ssn" : "111-11-1111",
	"mobile" : "111-111-1111",
	"comment" : "John Doe's SSN/Phone are manually encrypted."
	}
	*/

	// Find patient by SSN didn't return any data This is because the input filter is
	// in plain text, where as the field in the database is stored with encrypted text
	csfleDB.getCollection("patients").findOne({"ssn": "111-11-1111"})
	// null

	// Find patient by sending the encrypted text of SSN returns the data.
	const encryptedSSN = csfleClient.encrypt(SSN_ENCRYPTION_KEY_UUID, "111-11-1111", SSN_ENCRYPTION_ALGORITHM);
	csfleDB.getCollection("patients").findOne({"ssn": encryptedSSN})
	/*
	{
	"_id" : 1,
	"medRecNum" : 1,
	"firstName" : "John",
	"lastName" : "Doe",
	"ssn" : "111-11-1111",
	"mobile" : "111-111-1111",
	"comment" : "John Doe's SSN/Phone are manually encrypted."
	}
	*/