`csfle` is a small utility for testing the state machine with real data.

To build `csfle`, ensure libmongoc is installed (in addition to libbson) and set the option `-DENABLE_ONLINE_TESTS=ON` when configuring with `cmake`.

All options can also be provided in a file passed with `--options_file`.

```
Global options
   --options_file <string>
      Alternative way to pass all options.
   --kms_providers_file <string>
      Defaults to ~/.csfle/kms_providers.json
   --mongocryptd_uri <string>
      Defaults to 'mongodb://localhost:27020'.
   --mongodb_uri <string>
      Defaults to 'mongodb://localhost:27017'.
   --mongodb_keyvault_uri <string>
      Defaults to 'mongodb://localhost:27017'.
   --keyvault_namespace <string>
      Defaults to 'keyvault.datakeys'.
   --schema_map_file <string> (optional)
      Defaults to using remote schemas.
   --trace <bool>
      Defaults to false.
   --tls_ca_file <string>
      Set a custom CA to verify server certificates in TLS connections. If not set, uses system defaults. Useful for KMIP.
   --tls_certificate_key_file <string>
      The client certificate and private key. If not set, a client certificate is not sent in TLS connections. Useful for KMIP.

csfle create_datakey
   --kms_provider <string>
   --key_alt_names <comma separated strings>
   --key_material <base64 string>

   AWS options.
   --aws_kek_region <string>
   --aws_kek_key <string>
   --aws_kek_endpoint <string>

   Azure options.
   --azure_kek_keyvaultendpoint <string>
   --azure_kek_keyname <string>
   --azure_kek_keyversion <string> (optional)

   GCP options.
   --gcp_kek_endpoint <string>
   --gcp_kek_projectid <string>
   --gcp_kek_location <string>
   --gcp_kek_keyring <string>
   --gcp_kek_keyname <string>
   --gcp_kek_keyversion <string> (optional)

   KMIP options.
   --kmip_kek_endpoint <string>
   --kmip_kek_keyid <string>
   --kmip_kek_delegated <bool>

csfle auto_encrypt
   --command <JSON string> or --command_file <string>
   --db <string>

csfle auto_decrypt
   --document <JSON string> or --document_file <string>

csfle explicit_encrypt
   --value <JSON string> Document must have form { 'v': ... }
   --key_id <base64 string>
   --key_alt_name <string>
   --algorithm <string>

csfle explicit_decrypt
   --value <JSON string> Document must have form { 'v': ... }
```

The KMS providers file must be extended canonical JSON of the following form.

```
{
   'aws': {
      'accessKeyId': <string>,
      'secretAccessKey': <string>
   },

   'local': {
      'key': <binary of 96 bytes>
   }
}
```

No KMS providers are required.

## Examples

```
csfle create_datakey --kms_provider aws --aws_kek_region us-east-1 --aws_kek_key 'arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0'

csfle auto_encrypt --command "{'insert': 'coll', 'documents': [{'ssn': '123'}]}" --db 'db' --schema_map_file ./.csfle/schema_map.json

csfle auto_decrypt --document "{ 'insert' : 'coll', 'documents' : [ { 'ssn' : { '\$binary' : { 'base64': 'ARG+PK8ud0RZlDIzKwQmFoMCOuSIPyrfYleSqMZRXgaPCQOAurv0LTLNL6Tn/G7TuVOyf/Qv3j6VxSxCQEeu/yO7vv/UDE5niDE0itjOqjmf5Q==', 'subType' : '06' } } } ] }"

csfle explicit_encrypt --key_id 'Eb48ry53RFmUMjMrBCYWgw==' --value "{'v': 'test'}" --algorithm 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'
```
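The KMS providers file described above holds raw key material, so it is worth generating and checking it with a script. The following is an added example, not part of `csfle` or libmongocrypt: it writes a `local` provider with a fresh 96-byte key and validates an existing file. It assumes the file is written as double-quoted Extended JSON with the key as a `$binary` value of `subType` `00`; the function names are hypothetical, and the 0600 permission check is an added precaution that the README does not require.

```python
import base64
import json
import os
import secrets
import stat
import tempfile

LOCAL_KEY_LEN = 96  # the README requires a 96-byte local key

def new_local_provider():
    """'local' entry with a fresh random key, as Extended JSON binary (assumed subType 00)."""
    key = base64.b64encode(secrets.token_bytes(LOCAL_KEY_LEN)).decode("ascii")
    return {"local": {"key": {"$binary": {"base64": key, "subType": "00"}}}}

def write_private(path, providers):
    """Write the file with mode 0600 so key material is not group/world readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tightens a pre-existing file
    with os.fdopen(fd, "w") as fh:
        json.dump(providers, fh, indent=2)

def check_providers_file(path):
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("file is accessible by group/other")
    with open(path) as fh:
        doc = json.load(fh)
    if not isinstance(doc, dict):
        return problems + ["top level is not a JSON object"]
    if "local" in doc:
        try:
            b64 = doc["local"]["key"]["$binary"]["base64"]
            raw = base64.b64decode(b64, validate=True)
            if len(raw) != LOCAL_KEY_LEN:
                problems.append(f"local.key is {len(raw)} bytes, expected {LOCAL_KEY_LEN}")
        except (KeyError, TypeError, ValueError):
            problems.append("local.key is not a $binary value with valid base64")
    aws = doc.get("aws")
    if aws is not None:
        for field in ("accessKeyId", "secretAccessKey"):
            if not (isinstance(aws, dict) and isinstance(aws.get(field), str) and aws[field]):
                problems.append(f"aws.{field} missing or empty")
    return problems

if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "kms_providers.json")  # scratch path
    write_private(path, new_local_provider())
    print(path, check_providers_file(path) or "ok")
```

Pass the resulting path to `csfle` with `--kms_providers_file`.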