MongoDB\Driver\ClientEncryption::createDataKey

(mongodb >=1.7.0)

MongoDB\Driver\ClientEncryption::createDataKeyCreate a new encryption data key

Description

final public MongoDB\Driver\ClientEncryption::createDataKey(string $kmsProvider, array $options = ?): MongoDB\BSON\Binary

Creates a new key document and inserts it into the key vault collection.

Liste de paramètres

kmsProvider

The KMS provider (e.g. "local", "aws", "azure", "gcp") that will be used to encrypt the new encryption key.

options

Data key options
Option Type Description
masterKey array

The masterKey identifies a KMS-specific key used to encrypt the new data key. This option is required unless kmsProvider is "local".

If kmsProvider is "aws", this option is required and has the following fields:

AWS masterKey options
Option Type Description
region string Required.
key string Required. The Amazon Resource Name (ARN) to the AWS customer master key (CMK).
endpoint string Optional. An alternate host identifier to send KMS requests to. May include port number.

If kmsProvider is "azure", this option is required and has the following fields:

Azure masterKey options
Option Type Description
keyVaultEndpoint string Required. Host with optional port (e.g. "example.vault.azure.net").
keyName string Required.
keyVersion string Optional. A specific version of the named key. Defaults to using the key's primary version.

If kmsProvider is "gcp", this option is required and has the following fields:

GCP masterKey options
Option Type Description
projectId string Required.
location string Required.
keyRing string Required.
keyName string Required.
keyVersion string Optional. A specific version of the named key. Defaults to using the key's primary version.
endpoint string Optional. Host with optional port. Defaults to "cloudkms.googleapis.com".

keyAltNames array

An optional list of string alternate names used to reference a key. If a key is created with alternate names, then encryption may refer to the key by the unique alternate name instead of by _id.

Valeurs de retour

Returns the identifier of the new key as a MongoDB\BSON\Binary object with subtype 4 (UUID).

Erreurs / Exceptions

  • Lance une exception MongoDB\Driver\InvalidArgumentException lors d'une erreur survenue pendant l'analyse d'un argument.
  • Throws MongoDB\Driver\Exception\EncryptionException if an error occurs while creating the data key

Historique

Version Description
PECL mongodb 1.10.0 Azure and GCP are now supported as KMS providers for client-side encryption.