(mongodb >=1.14.0)

MongoDB\Driver\ClientEncryption::__constructCreate a new ClientEncryption object


final public MongoDB\Driver\ClientEncryption::__construct(array $options)

Constructs a new MongoDB\Driver\ClientEncryption object with the specified options.



Option Type Description
keyVaultClient MongoDB\Driver\Manager The Manager used to route data key queries. This option is required (unlike with MongoDB\Driver\Manager::createClientEncryption()).
keyVaultNamespace string A fully qualified namespace (e.g. "databaseName.collectionName") denoting the collection that contains all data keys used for encryption and decryption. This option is required.
kmsProviders array

A document containing the configuration for one or more KMS providers, which are used to encrypt data keys. Supported providers include "aws", "azure", "gcp", "kmip", and "local" and at least one must be specified.

The format for "aws" is as follows:

aws: {
    accessKeyId: <string>,
    secretAccessKey: <string>,
    sessionToken: <optional string>

The format for "azure" is as follows:

azure: {
    tenantId: <string>,
    clientId: <string>,
    clientSecret: <string>,
    identityPlatformEndpoint: <optional string> // Defaults to ""

The format for "gcp" is as follows:

gcp: {
    email: <string>,
    privateKey: <base64 string>|<MongoDB\BSON\Binary>,
    endpoint: <optional string> // Defaults to ""

The format for "kmip" is as follows:

kmip: {
    endpoint: <string>

The format for "local" is as follows:

local: {
    // 96-byte master key used to encrypt/decrypt data keys
    key: <base64 string>|<MongoDB\BSON\Binary>
tlsOptions array

A document containing the TLS configuration for one or more KMS providers. Supported providers include "aws", "azure", "gcp", and "kmip". All providers support the following options:

<provider>: {
    tlsCaFile: <optional string>,
    tlsCertificateKeyFile: <optional string>,
    tlsCertificateKeyFilePassword: <optional string>,
    tlsDisableOCSPEndpointCheck: <optional bool>



Version Description
PECL mongodb 1.16.0

The AWS KMS provider for client-side encryption now accepts a "sessionToken" option, which can be used to authenticate with temporary AWS credentials.

The "tlsOptions" option now supports the tlsDisableOCSPEndpointCheck TLS option.

See Also

add a note

User Contributed Notes

There are no user contributed notes for this page.
To Top