Module spring.data.mongodb
Annotation Interface Encrypted
Encrypted provides the data required for MongoDB Client Side Field Level Encryption, which is applied during schema
resolution. It can be applied at the top level (typically on types annotated with Document) to provide the
encryptMetadata.
@Document
@Encrypted(keyId = "4fPYFM9qSgyRAjgQ2u+IMQ==")
public class Patient {
    private ObjectId id;
    private String name;
    @Field("publisher_ac")
    @DocumentReference(lookup = "{ 'acronym' : ?#{#target} }") private Publisher publisher;
}
"encryptMetadata": {
    "keyId": [
        {
            "$binary": {
                "base64": "4fPYFM9qSgyRAjgQ2u+IMQ==",
                "subType": "04"
            }
        }
    ]
}
At the property level it is used to derive field-specific encryption settings.
public class Patient {
    private ObjectId id;
    private String name;
    @Encrypted(keyId = "4fPYFM9qSgyRAjgQ2u+IMQ==", algorithm = "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic")
    private String ssn;
}
"ssn" : {
    "encrypt": {
        "keyId": [
            {
                "$binary": {
                    "base64": "4fPYFM9qSgyRAjgQ2u+IMQ==",
                    "subType": "04"
                }
            }
        ],
        "algorithm" : "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
        "bsonType" : "string"
    }
}
Since: 3.3
Author: Christoph Strobl
Element Details
keyId
String[] keyId
Get the keyId to use. The value must resolve to either the UUID representation of the key or a base64 encoded value representing the UUID value.
On ElementType.TYPE level the keyId() can be left empty if explicitly set for fields.
On ElementType.FIELD level the keyId() can be left empty if inherited from encryptMetadata.
Returns: the key id to use. May contain a parsable expression. In this case the #target variable will hold the target element name.
Default: {}
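The keyId rule above accepts either a UUID string or the base64 form of the same 16 bytes. The following added example (not part of Spring Data or this Javadoc; KeyIdCheck, resolve and toSchemaBinary are hypothetical names) checks a literal keyId value against that rule using only the JDK and renders the subType 04 binary seen in the schema output. It assumes a literal value, not an expression.

```java
import java.nio.ByteBuffer;
import java.util.Base64;
import java.util.UUID;

// Added example; KeyIdCheck and its methods are hypothetical names, not Spring Data API.
public class KeyIdCheck {

    // Accepts either form the keyId attribute allows and returns the key's UUID.
    static UUID resolve(String keyId) {
        try {
            return UUID.fromString(keyId); // UUID representation
        } catch (IllegalArgumentException notUuid) {
            byte[] raw = Base64.getDecoder().decode(keyId); // throws on invalid base64
            if (raw.length != 16) {
                throw new IllegalArgumentException(
                    "keyId decodes to " + raw.length + " bytes, a UUID needs 16");
            }
            ByteBuffer buf = ByteBuffer.wrap(raw); // big-endian, as in binary subtype 04
            return new UUID(buf.getLong(), buf.getLong());
        }
    }

    // Renders the UUID the way it appears in the generated schema.
    static String toSchemaBinary(UUID key) {
        byte[] raw = ByteBuffer.allocate(16)
            .putLong(key.getMostSignificantBits())
            .putLong(key.getLeastSignificantBits())
            .array();
        return "{ \"$binary\": { \"base64\": \""
            + Base64.getEncoder().encodeToString(raw) + "\", \"subType\": \"04\" } }";
    }

    public static void main(String[] args) {
        // keyId value taken from the examples on this page
        UUID key = resolve("4fPYFM9qSgyRAjgQ2u+IMQ==");
        System.out.println(key);
        System.out.println(toSchemaBinary(key));
        // Both accepted forms must name the same key.
        System.out.println(resolve(key.toString()).equals(key));
        try {
            resolve("c2hvcnQ="); // constructed: valid base64, but only 5 bytes
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running such a check at startup surfaces a truncated or mistyped key id before any schema is generated with it.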
algorithm
String algorithm
Set the algorithm to use.
On ElementType.TYPE level the algorithm() can be left empty if explicitly set for fields.
On ElementType.FIELD level the algorithm() can be left empty if inherited from encryptMetadata.
Returns: the encryption algorithm.
Default: ""