MongoDB Field Level Encryption (FLE) Tutorial/Demo
Demo MongoDB Client-Side Field Level Encryption. Uses Golang + Ubuntu in a Docker container.
Run
Note: The Dockerfile contains all environment dependencies to run this demo.
- Add values to the required variables specified in env.list.example and rename the file to env.list
  - Need to have a MongoDB deployment running; if not, deploy a free one in Atlas and grab the connection string
  - Need to have AWS KMS configured
- Run the following:
docker run --rm -it -p 8888:8888 -p 27020:27020 --env-file env.list --hostname fle nullstring/mongo-fle-demo
foobar document
{
"_id": "string",
"name":"string",
"message": "string"
}
Note: message is encrypted/decrypted if inserted/read via /foo, else as-is.
Endpoints
- POST /foo -- Inserts a valid foobar document to the tutorial.foobar namespace and encrypts the message field.
- GET /foo/{id} -- Reads a foobar document with matching id and attempts to decrypt the message field.
- POST /bar -- Inserts a valid foobar document to the tutorial.foobar namespace. (sans encryption)
- GET /bar/{id} -- Reads a foobar document with matching id as-is. (sans decryption)
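A check that a document written through /foo is really stored as ciphertext: read it back through /bar and inspect the message field. This is an added example, not code from this repository. It assumes the raw document is available as canonical Extended JSON, and it relies on the BSON Binary subtype 6 header layout (1 type byte, 16-byte data key UUID, 1 original BSON type byte). `InspectMessage`, `FieldInfo` and `SampleEncrypted` are hypothetical names, and the sample value is constructed.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// FieldInfo is the header of a BSON Binary subtype 6 (client-side encrypted) value.
type FieldInfo struct {
	Algorithm string // "deterministic" or "random"
	KeyID     string // hex of the 16-byte data key UUID
	BSONType  byte   // BSON type of the plaintext (0x02 = string)
}

// InspectMessage parses "message" from a foobar document given as canonical
// Extended JSON (assumed format of a raw read) and errors if it is not ciphertext.
func InspectMessage(doc []byte) (*FieldInfo, error) {
	var d struct{ Message json.RawMessage }
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, err
	}
	var v struct{ Bin struct{ Base64, SubType string } `json:"$binary"` }
	if json.Unmarshal(d.Message, &v) != nil || v.Bin.SubType != "06" {
		return nil, fmt.Errorf("message is missing or not BSON Binary subtype 6")
	}
	raw, err := base64.StdEncoding.DecodeString(v.Bin.Base64)
	if err != nil || len(raw) < 18 { // 1 type byte + 16-byte key UUID + 1 BSON type byte
		return nil, fmt.Errorf("encrypted value is malformed or shorter than its header")
	}
	algo := map[byte]string{1: "deterministic", 2: "random"}[raw[0]]
	if algo == "" {
		return nil, fmt.Errorf("unexpected encrypted-value type %d", raw[0])
	}
	return &FieldInfo{algo, hex.EncodeToString(raw[1:17]), raw[17]}, nil
}

// SampleEncrypted is a constructed document: made-up key UUID and dummy payload, not real ciphertext.
func SampleEncrypted() []byte {
	blob := append(append([]byte{2}, bytes.Repeat([]byte{0x11}, 16)...), 0x02, 0xde, 0xad, 0xbe, 0xef)
	return []byte(fmt.Sprintf(`{"_id":"1","name":"n","message":{"$binary":{"base64":%q,"subType":"06"}}}`, base64.StdEncoding.EncodeToString(blob)))
}

func main() {
	fmt.Println(InspectMessage(SampleEncrypted()))
	fmt.Println(InspectMessage([]byte(`{"_id":"1","name":"n","message":"hello"}`)))
}
```

A document inserted via /bar fails this check because its message is a plain string; the KeyID can be compared against the data key the application is expected to use.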
Test
Import the Postman collection.
For debugging/ad-hoc testing:
git clone https://github.com/desteves/fle.git
cd fle
docker run --rm -it -v "$PWD":/go/src/github.com/desteves/fle --entrypoint /bin/bash -p 8777:8888 -p 27020:27020 --env-file env.list --hostname fle-testing nullstring/mongo-fle-demo
go build -tags cse main.go
./main