(mongodb >=1.7.0)

MongoDB\Driver\Manager::createClientEncryptionCreate a new ClientEncryption object


final public MongoDB\Driver\Manager::createClientEncryption(array $options): MongoDB\Driver\ClientEncryption

Constructs a new MongoDB\Driver\ClientEncryption object with the specified options.



Option Type Description
keyVaultClient MongoDB\Driver\Manager The Manager used to route data key queries to a separate MongoDB cluster. By default, the current Manager and cluster is used.
keyVaultNamespace string A fully qualified namespace (e.g. "databaseName.collectionName") denoting the collection that contains all data keys used for encryption and decryption.
kmsProviders array

A document containing the configuration for one or more KMS providers, which are used to encrypt data keys. Currently "aws", "azure", "gcp", and "local" are supported and at least one must be specified.

The format for "aws" is as follows:

aws: {
    accessKeyId: <string>,
    secretAccessKey: <string>

The format for "azure" is as follows:

azure: {
    tenantId: <string>,
    clientId: <string>,
    clientSecret: <string>,
    identityPlatformEndpoint: <optional string> // Defaults to ""


The format for "gcp" is as follows:

aws: {
    email: <string>,
    privateKey: <base64 string>|<MongoDB\BSON\Binary>,
    endpoint: <optional string> // Defaults to ""


The format for "local" is as follows:

local: {
    // 96-byte master key used to encrypt/decrypt data keys
    key: <base64 string>|<MongoDB\BSON\Binary>

Return Values

Returns a new MongoDB\Driver\ClientEncryption instance.



Version Description
PECL mongodb 1.10.0 Azure and GCP are now supported as KMS providers for client-side encryption and may be configured in the "kmsProviders" option. Base64-encoded strings are now accepted as an alternative to MongoDB\BSON\Binary for options within "kmsProviders".

add a note add a note

User Contributed Notes

There are no user contributed notes for this page.
To Top