MongoDB\Driver\Manager::createClientEncryption

(mongodb >=1.7.0)

MongoDB\Driver\Manager::createClientEncryption — Create a new ClientEncryption object

Description

finalpublicMongoDB\Driver\Manager::createClientEncryption(array$options): MongoDB\Driver\ClientEncryption

Constructs a new MongoDB\Driver\ClientEncryption object with the specified options.

Parameters

options

**options**
Option	Type	Description
keyVaultClient	MongoDB\Driver\Manager	The Manager used to route data key queries to a separate MongoDB cluster. By default, the current Manager and cluster is used.
keyVaultNamespace	string	A fully qualified namespace (e.g. `"databaseName.collectionName"`) denoting the collection that contains all data keys used for encryption and decryption. This option is required.
kmsProviders	array	A document containing the configuration for one or more KMS providers, which are used to encrypt data keys. Supported providers include `"aws"`, `"azure"`, `"gcp"`, `"kmip"`, and `"local"` and at least one must be specified. If an empty document is specified for `"aws"`, `"azure"`, or `"gcp"`, the driver will attempt to configure the provider using » Automatic Credentials. The format for `"aws"` is as follows: aws: { accessKeyId: <string>, secretAccessKey: <string>, sessionToken: <optional string> } The format for `"azure"` is as follows: azure: { tenantId: <string>, clientId: <string>, clientSecret: <string>, identityPlatformEndpoint: <optional string>} The format for `"gcp"` is as follows: gcp: { email: <string>, privateKey: <base64 string>\|<MongoDB\BSON\Binary>, endpoint: <optional string>} The format for `"kmip"` is as follows: kmip: { endpoint: <string> } The format for `"local"` is as follows: local: { key: <base64 string>\|<MongoDB\BSON\Binary> }
tlsOptions	array	A document containing the TLS configuration for one or more KMS providers. Supported providers include `"aws"`, `"azure"`, `"gcp"`, and `"kmip"`. All providers support the following options: <provider>: { tlsCaFile: <optional string>, tlsCertificateKeyFile: <optional string>, tlsCertificateKeyFilePassword: <optional string>, tlsDisableOCSPEndpointCheck: <optional bool> }

Return Values

Returns a new MongoDB\Driver\ClientEncryption instance.

Errors/Exceptions

Throws MongoDB\Driver\Exception\InvalidArgumentException on argument parsing errors.
Throws MongoDB\Driver\Exception\RuntimeException if the extension was compiled without libmongocrypt support

Changelog

Version	Description
PECL mongodb 1.16.0	The AWS KMS provider for client-side encryption now accepts a `"sessionToken"` option, which can be used to authenticate with temporary AWS credentials. Added `"tlsDisableOCSPEndpointCheck"` to the `"tlsOptions"` option. If an empty document is specified for the `"azure"` or `"gcp"` KMS provider, the driver will attempt to configure the provider using » Automatic Credentials.
PECL mongodb 1.15.0	If an empty document is specified for the `"aws"` KMS provider, the driver will attempt to configure the provider using » Automatic Credentials.
PECL mongodb 1.12.0	KMIP is now supported as a KMS provider for client-side encryption and may be configured in the `"kmsProviders"` option. Added the `"tlsOptions"` option.
PECL mongodb 1.10.0	Azure and GCP are now supported as KMS providers for client-side encryption and may be configured in the `"kmsProviders"` option. Base64-encoded strings are now accepted as an alternative to MongoDB\BSON\Binary for options within `"kmsProviders"`.