MotorClientEncryption
- class motor.motor_tornado.MotorClientEncryption(kms_providers, key_vault_namespace, key_vault_client, codec_options, io_loop=None, kms_tls_options=None)
Explicit client-side field level encryption.
Takes the same constructor arguments as pymongo.encryption.ClientEncryption, as well as:
- Parameters
io_loop (optional): Special event loop instance to use instead of default.
- coroutine add_key_alt_name(id: bson.binary.Binary, key_alt_name: str) → Any
Add key_alt_name to the set of alternate names in the key document with UUID key_id.
- Parameters
id: The UUID of a key, which must be a Binary with subtype 4 (UUID_SUBTYPE).
key_alt_name: The key alternate name to add.
- Returns
The previous version of the key document.
- coroutine close() → None
Release resources.
Note that using this class in a with-statement will automatically call close():

    async with AsyncIOMotorClientEncryption(...) as client_encryption:
        encrypted = await client_encryption.encrypt(value, ...)
        decrypted = await client_encryption.decrypt(encrypted)

- coroutine create_data_key(kms_provider: str, master_key: Optional[Mapping[str, Any]] = None, key_alt_names: Optional[Sequence[str]] = None, key_material: Optional[bytes] = None) → bson.binary.Binary
Create and insert a new data key into the key vault collection.
Takes the same arguments as pymongo.encryption.ClientEncryption.create_data_key, with only the slight difference of using async syntax. The following example shows creating and referring to a data key by alternate name:

    await client_encryption.create_data_key("local", key_alt_names=["name1"])
    # reference the key with the alternate name
    await client_encryption.encrypt("457-55-5462", key_alt_name="name1",
                                    algorithm=Algorithm.AEAD_AES_256_CBC_HMAC_SHA_512_Random)

- coroutine decrypt(value: bson.binary.Binary) → Any
Decrypt an encrypted value.
- Parameters
value (Binary): The encrypted value, a Binary with subtype 6.
- Returns
The decrypted BSON value.
- coroutine delete_key(id: bson.binary.Binary) → pymongo.results.DeleteResult
Delete a key document in the key vault collection that has the given key_id.
- Parameters
id (Binary): The UUID of a key, which must be a Binary with subtype 4 (UUID_SUBTYPE).
- Returns
The delete result.
- coroutine encrypt(value: Any, algorithm: str, key_id: Optional[bson.binary.Binary] = None, key_alt_name: Optional[str] = None, query_type: Optional[str] = None, contention_factor: Optional[int] = None) → bson.binary.Binary
Encrypt a BSON value with a given key and algorithm.
Note that exactly one of key_id or key_alt_name must be provided.
- Parameters
value: The BSON value to encrypt.
algorithm (string): The encryption algorithm to use. See Algorithm for some valid options.
key_id: Identifies a data key by _id which must be a Binary with subtype 4 (UUID_SUBTYPE).
key_alt_name: Identifies a key vault document by ‘keyAltName’.
query_type (str): (BETA) The query type to execute. See QueryType for valid options.
contention_factor (int): (BETA) The contention factor to use when the algorithm is Algorithm.INDEXED. An integer value must be given when the Algorithm.INDEXED algorithm is used.
Note
query_type and contention_factor are part of the Queryable Encryption beta. Backwards-breaking changes may be made before the final release.
- Returns
The encrypted value, a Binary with subtype 6.
- coroutine get_key(id: bson.binary.Binary) → Optional[bson.raw_bson.RawBSONDocument]
Get a data key by id.
- Parameters
id (Binary): The UUID of a key, which must be a Binary with subtype 4 (UUID_SUBTYPE).
- Returns
The key document.
- coroutine get_key_by_alt_name(key_alt_name: str) → Optional[bson.raw_bson.RawBSONDocument]
Get a key document in the key vault collection that has the given key_alt_name.
- Parameters
key_alt_name (str): The key alternate name of the key to get.
- Returns
The key document.
- coroutine remove_key_alt_name(id: bson.binary.Binary, key_alt_name: str) → Optional[bson.raw_bson.RawBSONDocument]
Remove key_alt_name from the set of keyAltNames in the key document with UUID id.
Also removes the keyAltNames field from the key document if it would otherwise be empty.
- Parameters
id: The UUID of a key, which must be a Binary with subtype 4 (UUID_SUBTYPE).
key_alt_name: The key alternate name to remove.
- Returns
Returns the previous version of the key document.
- coroutine rewrap_many_data_key(filter: Mapping[str, Any], provider: Optional[str] = None, master_key: Optional[Mapping[str, Any]] = None) → pymongo.encryption.RewrapManyDataKeyResult
Decrypts and encrypts all matching data keys in the key vault with a possibly new master_key value.
- Parameters
filter: A document used to filter the data keys.
provider: The new KMS provider to use to encrypt the data keys, or None to use the current KMS provider(s).
master_key: The master key fields corresponding to the new KMS provider when provider is not None.
- Returns
A RewrapManyDataKeyResult.
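
A pre-flight check for the encrypt() argument contract and the subtype 6 ciphertext described above, added here as an example and not part of Motor or PyMongo. SampleBinary is a constructed stand-in for bson.binary.Binary (assumed to be a bytes subclass exposing .subtype), INDEXED assumes the string value of Algorithm.INDEXED, and the function names are hypothetical.

```python
UUID_SUBTYPE = 4        # key ids: Binary subtype 4, per the reference above
ENCRYPTED_SUBTYPE = 6   # ciphertext: Binary subtype 6, per the reference above
INDEXED = "Indexed"     # assumed string value of Algorithm.INDEXED in PyMongo


class SampleBinary(bytes):
    """Constructed stand-in for bson.binary.Binary: bytes plus a subtype."""

    def __new__(cls, data, subtype):
        obj = super().__new__(cls, data)
        obj.subtype = subtype
        return obj


def _is_binary(value, subtype, length=None):
    """True if value looks like a Binary of the given subtype (and length)."""
    return (isinstance(value, bytes)
            and getattr(value, "subtype", None) == subtype
            and (length is None or len(value) == length))


def check_encrypt_args(algorithm, key_id=None, key_alt_name=None,
                       contention_factor=None):
    """Return contract violations; an empty list means encrypt() can be called."""
    problems = []
    # Both missing or both present violates "exactly one of".
    if (key_id is None) == (key_alt_name is None):
        problems.append("exactly one of key_id or key_alt_name must be provided")
    # A UUID is 16 bytes and must carry subtype 4.
    if key_id is not None and not _is_binary(key_id, UUID_SUBTYPE, 16):
        problems.append("key_id must be a 16-byte Binary with subtype 4")
    # bool is an int subclass in Python, so reject it explicitly.
    is_int = (isinstance(contention_factor, int)
              and not isinstance(contention_factor, bool))
    if algorithm == INDEXED and not is_int:
        problems.append("contention_factor must be an int for Algorithm.INDEXED")
    return problems


def plaintext_fields(document, sensitive_fields):
    """Names of sensitive fields that are present but not subtype 6 ciphertext."""
    return [name for name in sensitive_fields
            if name in document
            and not _is_binary(document[name], ENCRYPTED_SUBTYPE)]
```

Calling plaintext_fields() on a document just before an insert catches a field that skipped encrypt() and would otherwise be stored in the clear.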