Created
January 23, 2020 15:10
-
-
Save sarjarapu/0e83e4b8dcb22c576354f7d7ff749439 to your computer and use it in GitHub Desktop.
A JavaScript to illustrate insert/find operations while using MongoDB client-side field level encryption feature.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Deterministic algorithm: Always outputs the same encrypted value for a given combo of plain text and an encryption key. When you need to search on encrypted text match you must be using the Deterministic algorithms. | |
const SSN_ENCRYPTION_ALGORITHM = "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"; | |
// Random algorithm: Always outputs different encrypted value for a given combo of plain text and an encryption key. Although the encrypted value is different, decrypting always yields the same plain text. Because the encrypted text is random, you should not be using them on searchable fields | |
const MOBILE_ENCRYPTION_ALGORITHM = "AEAD_AES_256_CBC_HMAC_SHA_512-Random"; | |
// Create a patient document on csfleDB object. Manually encrypt the texts and insert into DB | |
// Notice that encrypt method is called once per each field, but insert operation is done as a whole | |
csfleDB.getCollection("patients").insert({ | |
"_id": 1, | |
"medRecNum": 1, | |
"firstName": "John", | |
"lastName": "Doe", | |
"ssn": csfleClient.encrypt(SSN_ENCRYPTION_KEY_UUID, "111-11-1111", SSN_ENCRYPTION_ALGORITHM), | |
"mobile": csfleClient.encrypt(MOBILE_ENCRYPTION_KEY_UUID, "111-111-1111", MOBILE_ENCRYPTION_ALGORITHM), | |
"comment": "John Doe's SSN/Phone are manually encrypted." | |
}); | |
// Find operation on the plainDB object - shows encrypted text (as stored in DB) | |
plainDB.getCollection("patients").findOne(); | |
/* | |
{ | |
"_id" : 1, | |
"medRecNum" : 1, | |
"firstName" : "John", | |
"lastName" : "Doe", | |
"ssn" : BinData(6,"AWE7iEZXVUV9my4XXm0O38sCAUEAEz28vlFT8UsIeLFYk7xvR9OKpbsmsEk72yDbVJDdHR7p6ctD2XbvUhORLVYbzS/D2GXtWcMwFacpmrS9HsP8IIGoDMIL2QYarQrKj9U="), | |
"mobile" : BinData(6,"AjtqXpdbrUKmnslCbIXOtZUCiQW9l+nhjldSPD1dtPE/qOAraomXcoSA8asUIUDXyLGHBzQYG5TAwJ8tNUCIErK7D4hl5fT9la96dyKQ/ueCYol6GUkaFtLKVSMKfu3DOhA="), | |
"comment" : "John Doe's SSN/Phone are manually encrypted." | |
} | |
*/ | |
// Find operation on the csfle DB object - shows plain text after decrypting it on client-side | |
csfleDB.getCollection("patients").findOne(); | |
/* | |
{ | |
"_id" : 1, | |
"medRecNum" : 1, | |
"firstName" : "John", | |
"lastName" : "Doe", | |
"ssn" : "111-11-1111", | |
"mobile" : "111-111-1111", | |
"comment" : "John Doe's SSN/Phone are manually encrypted." | |
} | |
*/ | |
// Find patient by SSN didn't return any data This is because the input filter is | |
// in plain text, where as the field in the database is stored with encrypted text | |
csfleDB.getCollection("patients").findOne({"ssn": "111-11-1111"}) | |
// null | |
// Find patient by sending the encrypted text of SSN returns the data. | |
const encryptedSSN = csfleClient.encrypt(SSN_ENCRYPTION_KEY_UUID, "111-11-1111", SSN_ENCRYPTION_ALGORITHM); | |
csfleDB.getCollection("patients").findOne({"ssn": encryptedSSN}) | |
/* | |
{ | |
"_id" : 1, | |
"medRecNum" : 1, | |
"firstName" : "John", | |
"lastName" : "Doe", | |
"ssn" : "111-11-1111", | |
"mobile" : "111-111-1111", | |
"comment" : "John Doe's SSN/Phone are manually encrypted." | |
} | |
*/ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment