DOCSP-22742 In-Use Encryption updates (#417)

* DOCSP-22744 add QE to create collection/database procedures (#413)

* DOCSP-22744 add QE to create collection/database procedures

* DOCSP-22744 made collection options into an include

* DOCSP-22743 In-Use Encryption Procedure (#411)

* DOCSP-22743 in-use encryption procedure

* DOCSP-22743 in-use encryption procedure

* DOCSP-22743 fixing link

* DOCSP-22743 fixing link

* DOCSP-22743 fixing link

* DOCSP-22743 last step

* DOCSP-22743 correcting links and table

* DOCSP-22743 fixing links

* DOCSP-22743 fixing links

* DOCSP-22743 fixing links

* DOCSP-22743 fixing links

* DOCSP-22743 fixing links

* DOCSP-22743 fixing links

* DOCSP-22743 removing note and adding to paragraph

* DOCSP-22743 correcting enterprise blurb

* DOCSP-22743 correcting enterprise blurb

* DOCSP-22743 fixed required columns

* DOCSP-22743 fix columns

* DOCSP-22743 single node replica set

Co-authored-by: Jocelyn Mendez <[email protected]>

* DOCSP-22748 In-Use Encryption Tutorial  (#415)

* DOCSP-22748 QE tutorial

* DOCSP-22748 fix typo

* DOCSP-22748 rewording

* DOCSP-22748 nit change

* DOCSP-22748 add note regarding CSFLE

* DOCSP-22748 removing note

* DOCSP-22747 Add Queryable Encryption to Encrypted Fields section (#414)

* DOCSP-22747 add queryable encryption to encrypted fields section

* DOCSP-22747 QE tutorial

* DOCSP-22747 QE tutorial

* DOCSP-22747 fixing screenshot

* DOCSP-22747 fixing link and typos

* DOCSP-22747 add banner to page

* DOCSP-22747 removing changes not for this branch

* DOCSP-22747 rewording

* DOCSP-22747 reorganized order of info

* DOCSP-22747 changing to in-use encryption

* DOCSP-22742 changing title for consistency

* DOCSP-22742 add banner to tutorial page

* DOCSP-22742 nit changes

* DOCSP-22742 nit changes

Co-authored-by: Jocelyn Mendez <[email protected]>

Author: jocelyn-mendez1

snooty.toml

@@ -14,6 +14,21 @@ toc_landing_pages = ["/install", "/connect", "/instance", "/query/filter", "/que
 download-page = "`downloads page <https://www.mongodb.com/download-center/compass?tck=docs_compass>`__"
 current-version = "1.32.3"
 
+[[banners]]
+targets = [
+    "connect/in-use-encryption.txt",
+    "in-use-encryption-tutorial.txt",
+]
+
+variant = "danger"
+value = """
+    Queryable Encryption is in Public Preview and available for \
+    evaluation purposes. Public Preview is not recommended for \
+    production deployments as breaking changes may be introduced. \
+    To learn more about the Preview please see the \
+    `Queryable Encryption Preview <https://www.mongodb.com/blog/post/mongodb-releases-queryable-encryption-preview/>`__ \
+    blog post.
+    """
 
 [substitutions]
 compass = "MongoDB Compass"

source/connect.txt

@@ -99,13 +99,16 @@ The Advanced Connection Options provide additonal forms of connecting
   Learn how to connect deployments that require authentication.
 
 :doc:`/connect/tls-ssl-connection`
-  Learn how to connect deployments via TLS/SSL. 
+  Learn how to connect deployments using TLS/SSL. 
 
 :doc:`/connect/ssh-connection`
-  Learn how to connect deployments via an SSH tunnel.
+  Learn how to connect deployments using an SSH tunnel.
+
+:doc:`/connect/in-use-encryption`
+  Learn how to connect deployments using In-Use Encryption.
 
 :doc:`/connect/advanced-connection`
-  Learn about additional advanced connection options for your deployments.
+  Learn about additional advanced connection options for your deployments. 
 
 .. seealso::
 
@@ -118,6 +121,7 @@ The Advanced Connection Options provide additonal forms of connecting
    /connect/authentication-connection
    /connect/tls-ssl-connection
    /connect/ssh-connection
+   /connect/in-use-encryption
    /connect/advanced-connection
    /connect/required-access
    /connect/favorite-connections

source/connect/in-use-encryption.txt

@@ -0,0 +1,264 @@
+.. _in-use-encryption-tab:
+
+================================
+In-Use Encryption Connection Tab
+================================
+
+.. default-domain:: mongodb
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+:guilabel:`In-Use Encryption` is an Enterprise/Atlas only feature. You need a 
+replica set or sharded cluster to use this connection option. Your replica set 
+can be a single node or larger. 
+
+The :guilabel:`In-Use Encryption` connection tab allows you to connect your
+deployments using :v6.0:`Queryable Encryption </core/queryable-encryption/>`.
+
+Procedure
+---------
+
+.. procedure::
+   :style: normal
+
+   .. step:: Click :guilabel:`Advanced Connection Options`.
+
+      .. figure:: /images/compass/advanced-connection-options.png
+         :figwidth: 690px
+         :alt: New Advanced Connection Options
+
+   .. step:: Click the :guilabel:`In-Use Encryption` tab.
+
+      .. procedure::
+         :style: connected
+
+         .. step:: Provide a :guilabel:`Key Vault Namespace`.
+
+            A :guilabel:`Key Vault Namespace` refers to a collection that 
+            contains all the data keys used for encryption and decryption. 
+
+            Specify a collection in which data encryption keys are stored in 
+            the format ``<db>.<collection>``. The non-official default 
+            database/collection for keyVault is ``encryption.__keyVault``.
+
+         .. step:: Select a :guilabel:`KMS Provider`.
+
+            You can select from the following Key Management Systems: 
+
+            - :ref:`Local KMS <local-kms>`
+            
+            - :ref:`AWS <aws-compass-encryption>`
+            
+            - :ref:`GCP <gcp-compass-encryption>`
+            
+            - :ref:`Azure <azure-compass-encryption>`
+            
+            - :ref:`KMIP <kmip-compass-encryption>`
+
+            .. _local-kms:
+
+            Local KMS
+            ~~~~~~~~~
+
+            You can locally manage your key as a KMS using the 
+            :v6.0:`Local KMS </core/queryable-encryption/fundamentals/kms-providers/#local-key-provider>`
+            option.  
+
+            Click :guilabel:`Generate Random Key` to generate a 96-byte long 
+            base64-encoded string. You need this key to access encrypted and 
+            decrypted data.
+
+            .. warning::
+
+               |compass-short| does not save KMS credentials by default. Copy 
+               and save the key in an external location.
+
+            .. _aws-compass-encryption:
+
+            AWS
+            ~~~
+
+            You can use :v6.0:`AWS </core/queryable-encryption/fundamentals/kms-providers/#amazon-web-services-kms>` 
+            to manage your keys.
+
+            Specify the following fields:
+
+            .. list-table::
+               :header-rows: 1 
+               :widths: 30 30 70
+
+               * - Field
+                 - Required 
+                 - Description 
+
+               * - Access Key Id 
+                 - Yes 
+                 - Value of your AWS access key Id.
+
+               * - Secret Access Key
+                 - Yes 
+                 - Value of your AWS secret key.
+
+               * - Session Token
+                 - No 
+                 - Value of your AWS session token. 
+               
+               * - Certificate Authority
+                 - No 
+                 - One or more certificate files from trusted Certificate 
+                   Authorities to validate the certificate provided by the deployment. 
+               
+               * - Client Certificate and Key
+                 - No 
+                 - Specifies the location of a local .pem file that contains 
+                   either the client's TLS/SSL X.509 certificate or the client's TLS/SSL 
+                   certificate and key.
+                
+               * - Client Key Password
+                 - No 
+                 - If the *Client Private Key* is protected with a password, 
+                   you must provide the password.
+
+            .. _gcp-compass-encryption:
+
+            GCP
+            ~~~
+
+            You can use :v6.0:`Google Cloud Services </core/queryable-encryption/fundamentals/kms-providers/#google-cloud-platform-kms>` to manage your keys.
+
+            Specify the following fields:
+
+            .. list-table::
+               :header-rows: 1 
+               :widths: 30 30 70
+
+               * - Field
+                 - Required 
+                 - Description 
+
+               * - Service Account Email
+                 - Yes 
+                 - The service account email to authenticate.
+
+               * - Private Key
+                 - Yes 
+                 - A base64-encoded private key.
+
+               * - Endpoint
+                 - No 
+                 - A host with an optional port.
+
+               * - Certificate Authority
+                 - No 
+                 - One or more certificate files from trusted Certificate 
+                   Authorities to validate the certificate provided by the deployment.
+               
+               * - Client Certificate and Key
+                 - No 
+                 - Specifies the location of a local .pem file that contains 
+                   either the client's TLS/SSL X.509 certificate or the client's TLS/SSL 
+                   certificate and key.
+                
+               * - Client Key Password
+                 - No 
+                 - If the *Client Private Key* is protected with a password, 
+                   you must provide the password.
+
+
+            .. _azure-compass-encryption:
+
+            Azure
+            ~~~~~
+
+            You can use :v6.0:`Azure Key Vault </core/queryable-encryption/fundamentals/kms-providers/#azure-key-vault>` 
+            to manage your keys.
+
+            Specify the following fields:
+
+            .. list-table::
+               :header-rows: 1 
+               :widths: 30 30 70
+
+               * - Field
+                 - Required 
+                 - Description 
+
+               * - Tenant Id 
+                 - Yes 
+                 - Identifies the organization for the account.
+
+               * - Client Id 
+                 - Yes 
+                 - Authenticates a registered application.
+
+               * - Client Secret
+                 - Yes
+                 - The client secret to authenticate a registered application.
+
+               * - Identity Platform Endpoint
+                 - Yes
+                 - A host with an optional port. 
+
+               * - Certificate Authority
+                 - No 
+                 - One or more certificate files from trusted Certificate 
+                   Authorities to validate the certificate provided by the deployment.
+               
+               * - Client Certificate and Key
+                 - No 
+                 - Specifies the location of a local .pem file that contains 
+                   either the client's TLS/SSL X.509 certificate or the client's TLS/SSL 
+                   certificate and key.
+
+               * - Client Key Password
+                 - No 
+                 - If the *Client Private Key* is protected with a password, 
+                   you must provide the password.  
+
+            .. _kmip-compass-encryption:
+
+            KMIP
+            ~~~~
+
+            You can use :v6.0:`KMIP </core/queryable-encryption/fundamentals/kms-providers/#kmip>` 
+            to manage your keys. 
+
+            .. list-table::
+               :header-rows: 1 
+               :widths: 30 30 70
+
+               * - Field
+                 - Required 
+                 - Description 
+
+               * - Endpoint
+                 - Yes 
+                 - The endpoint consists of a hostname and port separated by a colon.
+
+               * - Certificate Authority
+                 - No 
+                 - One or more certificate files from trusted Certificate 
+                   Authorities to validate the certificate provided by the deployment.
+
+               * - Client Certificate and Key
+                 - No 
+                 - Specifies the location of a local .pem file that contains 
+                   either the client's TLS/SSL X.509 certificate or the client's TLS/SSL 
+                   certificate and key.
+
+               * - Client Key Password
+                 - No 
+                 - If the *Client Private Key* is protected with a password, 
+                   you must provide the password.
+
+        .. step:: (Optional) Specify an EncryptedFieldsMap
+
+            Add an optional client-side EncryptedFieldsMap for enhanced security.
+
+            For more information, see :v6.0:`Fields for Encryption </core/queryable-encryption/fundamentals/encrypt-and-query/#std-label-qe-fundamentals-encrypt-query>`.
+
+   .. step::  Click Connect.

source/documents/view.txt

@@ -184,11 +184,15 @@ Encrypted Fields
          :figwidth: 696px
          :alt: Encrypted field in list view
 
+      .. include:: /includes/fact-qe-description.rst
+
    .. tab:: JSON View
       :tabid: json
 
       .. include:: /includes/fact-fle-description.rst
 
+      .. include:: /includes/fact-qe-description.rst
+
    .. tab:: Table View
       :tabid: table-view
 
@@ -197,3 +201,5 @@ Encrypted Fields
       .. figure:: /images/compass/encrypted-fields-table.png
          :figwidth: 696px
          :alt: Encrypted field in table view
+
+      .. include:: /includes/fact-qe-description.rst