DOCSP-14691 add shell csfle section

Author: andf-mongodb

snooty.toml

@@ -3,7 +3,7 @@ title = "MongoDB Shell"
 
 intersphinx = ["https://docs.mongodb.com/manual/objects.inv"]
 
-toc_landing_pages = ["/run-commands", "/crud"]
+toc_landing_pages = ["/run-commands", "/crud", "/field-level-encryption"]
 
 [constants]
 

source/changelog.txt

@@ -26,7 +26,7 @@ v0.8.0
 
 New features in this release:
 
-- Support for :ref:`client-side field level encryption <fle-methods-mongosh>`.
+- Support for :doc:`field-level-encryption`.
 
 Bug fixes in this release:
 
@@ -36,7 +36,7 @@ Bug fixes in this release:
 - Pressing the backspace key in the password prompt no longer adds an
   asterisk, and now behaves as expected.
 
-- Running :method:`~UUID()` without a value now generates a random UUID.
+- Running ``UUID()`` without a value now generates a random UUID.
 
 v0.7.7
 ------

source/field-level-encryption.txt

@@ -0,0 +1,67 @@
+.. _mdb-shell-csfle:
+
+==================================
+Client-Side Field Level Encryption
+==================================
+
+.. default-domain:: mongodb
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+When working with a `MongoDB Enterprise
+<http://www.mongodb.com/products/mongodb-enterprise-advanced?jmp=docs>`__
+or MongoDB Atlas cluster, you can use ``mongosh`` to configure
+:manual:`Client-Side Field Level Encryption
+</core/security-client-side-encryption>` and connect with encryption
+support. Client-side field level encryption uses data encryption keys
+for supporting encryption and decryption of field values, and stores
+this encryption key material in a Key Management Service (KMS).
+
+``mongosh`` supports the following KMS providers for use with
+client-side field level encryption:
+
+- Amazon Web Services KMS
+- Azure Key Vault
+- Google Cloud Platform KMS
+- Locally Managed Keyfile
+
+Create a Data Encryption Key
+----------------------------
+
+The following procedure uses ``mongosh`` to create a data encryption key
+for use with client-side field level encryption and decryption.
+
+Use the tabs below to select the :abbr:`KMS (Key Management Service)`
+appropriate for your deployment:
+
+.. tabs::
+
+   .. tab:: Amazon KMS
+      :tabid: aws-kms
+
+      .. include:: /includes/steps/aws-kms.rst
+
+   .. tab:: Azure Key Vault
+      :tabid: azure-vault
+      
+      .. include:: /includes/steps/azure-vault.rst
+
+   .. tab:: Google Cloud KMS
+      :tabid: gcp-kms
+
+      .. include:: /includes/steps/gcp-kms.rst
+
+   .. tab:: Local Keyfile
+      :tabid: local-keyfile
+
+      .. include:: /includes/steps/local-keyfile.rst
+
+.. seealso::
+
+   - :ref:`List of field level encryption shell methods <fle-methods-mongosh>`
+   - :manual:`Client-side field level encryption reference
+     </core/security-client-side-encryption>`

source/includes/fact-getkey-options.rst

@@ -0,0 +1,9 @@
+If successful, :method:`createKey() <KeyVault.createKey()>` returns
+the :abbr:`UUID (Universally unique identifier)` of the new data
+encryption key. To retrieve the new data encryption key document from
+the key vault, either:
+
+- Use :method:`getKey() <KeyVault.getKey()>` to retrieve the created
+  key by its :abbr:`UUID (Universally unique identifier)`, or
+- Use :method:`getKeyByAltName() <KeyVault.getKeyByAltName()>`  to
+  retrieve the key by its alternate name, if specified.

source/includes/steps-aws-kms.yaml

@@ -0,0 +1,104 @@
+---
+title: "Launch the ``mongosh`` Shell."
+ref: launch-mongosh-shell
+level: 4
+content: |
+
+  Create a ``mongosh`` session without connecting to a running database
+  by using the :option:`--nodb` option:
+
+  .. code-block:: javascript
+
+     mongosh --nodb
+
+---
+title: "Create the Encryption Configuration."
+ref: create-encryption-configuration
+level: 4
+content: |
+
+  Configuring client-side field level encryption for the AWS KMS
+  requires an AWS Access Key ID and its associated Secret Access Key.
+  The AWS Access Key must correspond to an IAM user with all *List* and
+  *Read* permissions for the KMS service.
+  
+  In ``mongosh``, create a new
+  :ref:`ClientSideFieldLevelEncryptionOptions` variable for storing the
+  client-side field level encryption configuration, which contains these
+  credentials:
+
+  .. code-block:: javascript
+
+     var ClientSideFieldLevelEncryptionOptions = {
+       "keyVaultNamespace" : "encryption.__dataKeys",
+       "kmsProviders" : {
+         "aws" : {
+           "accessKeyId" : "YOUR_AWS_ACCESS_KEY_ID",
+           "secretAccessKey" : "YOUR_AWS_SECRET_ACCESS_KEY"
+         }
+       }
+     }
+
+  Fill in the values for ``YOUR_AWS_ACCESS_KEY_ID`` and
+  ``YOUR_AWS_SECRET_ACCESS_KEY`` as appropriate.
+
+---
+title: "Connect with Encryption Support."
+ref: connect-with-encryption
+level: 4
+content: |
+
+  In ``mongosh``, use the :method:`Mongo()<Mongo()>` constructor to
+  establish a database connection to the target cluster. Specify the
+  :ref:`ClientSideFieldLevelEncryptionOptions` document as the second
+  parameter to the :method:`Mongo()<Mongo()>` constructor to configure
+  the connection for client-side field level encryption:
+
+  .. code-block:: javascript
+
+     csfleDatabaseConnection = Mongo(
+       "mongodb://replaceMe.example.net:27017/?replicaSet=myMongoCluster",
+       ClientSideFieldLevelEncryptionOptions
+     )
+
+  Replace the ``replaceMe.example.net`` :ref:`URI <mongodb-uri>` with
+  the connection string for the target cluster.
+
+---
+title: "Create the Key Vault Object."
+ref: create-keyvault-object
+level: 4
+content: |
+
+  Create the ``keyVault`` object using the :method:`getKeyVault()
+  <getKeyVault()>` shell method:
+
+  .. code-block:: javascript
+
+     keyVault = csfleDatabaseConnection.getKeyVault();
+---
+title: "Create the Encryption Key."
+ref: create-encryption-key
+level: 4
+content: |
+
+  Create the data encryption key using the
+  :method:`createKey() <KeyVault.createKey()>` shell method:
+
+  .. code-block:: javascript
+
+     keyVault.createKey(
+       "aws",
+       { region: "regionname", key: "awsarn" }
+     )
+
+  Where:
+  
+  - ``regionname`` is the AWS region you are connecting to, such as
+    ``us-west-2``
+  - ``awsarn`` is the `Amazon Resource Name (ARN)
+    <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html>`__
+    to the AWS customer master key (CMK).
+
+  .. include:: /includes/fact-getkey-options.rst
+...

source/includes/steps-azure-vault.yaml

@@ -0,0 +1,101 @@
+---
+title: "Launch the ``mongosh`` Shell."
+ref: launch-mongosh-shell
+level: 4
+content: |
+
+  Create a ``mongosh`` session without connecting to a running database
+  by using the :option:`--nodb` option:
+
+  .. code-block:: javascript
+
+     mongosh --nodb
+
+---
+title: "Create the Encryption Configuration."
+ref: create-encryption-configuration
+level: 4
+content: |
+
+  Configuring client-side field level encryption for Azure Key Vault
+  requires a valid Tenant ID, Client ID, and Client Secret.
+  
+  In ``mongosh``, create a new
+  :ref:`ClientSideFieldLevelEncryptionOptions` variable for storing the
+  client-side field level encryption configuration, which contains these
+  credentials:
+
+  .. code-block:: javascript
+
+     var ClientSideFieldLevelEncryptionOptions = {
+       "keyVaultNamespace" : "encryption.__dataKeys",
+       "kmsProviders" : {
+         "azure" : {
+           "tenantId" : "YOUR_TENANT_ID",
+           "clientId" : "YOUR_CLIENT_ID",
+           "clientSecret" : "YOUR_CLIENT_SECRET"
+         }
+       }
+     }
+
+  Fill in the values for ``YOUR_TENANT_ID``, ``YOUR_CLIENT_ID``, and
+  ``YOUR_CLIENT_SECRET`` as appropriate.
+
+---
+title: "Connect with Encryption Support."
+ref: connect-with-encryption
+level: 4
+content: |
+
+  In ``mongosh``, use the :method:`Mongo()<Mongo()>` constructor to
+  establish a database connection to the target cluster. Specify the
+  :ref:`ClientSideFieldLevelEncryptionOptions` document as the second
+  parameter to the :method:`Mongo()<Mongo()>` constructor to configure
+  the connection for client-side field level encryption:
+
+  .. code-block:: javascript
+
+     csfleDatabaseConnection = Mongo(
+       "mongodb://replaceMe.example.net:27017/?replicaSet=myMongoCluster",
+       ClientSideFieldLevelEncryptionOptions
+     )
+
+  Replace the ``replaceMe.example.net`` :ref:`URI <mongodb-uri>` with
+  the connection string for the target cluster.
+
+---
+title: "Create the Key Vault Object."
+ref: create-keyvault-object
+level: 4
+content: |
+
+  Create the ``keyVault`` object using the :method:`getKeyVault()
+  <getKeyVault()>` shell method:
+
+  .. code-block:: javascript
+
+     keyVault = csfleDatabaseConnection.getKeyVault();
+---
+title: "Create the Encryption Key."
+ref: create-encryption-key
+level: 4
+content: |
+
+  Create the data encryption key using the
+  :method:`createKey() <KeyVault.createKey()>` shell method:
+
+  .. code-block:: javascript
+
+     keyVault.createKey(
+       "azure",
+       { keyName: "keyvaultname", keyVaultEndpoint: "endpointname" }
+     )
+
+  Where:
+  
+  - ``keyvaultname`` is the name of your `Azure Key Vault
+    <https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name>`__
+  - ``endpointname`` is the name of the Key Vault Endpoint to use
+
+  .. include:: /includes/fact-getkey-options.rst
+...