This project is a template for a Java Spring Boot application with MongoDB Client-Side Field Level Encryption using Spring Data MongoDB.
For more information about this repository, read the associated blog post.
The goal was to provide reusable classes and methods to easily implement MongoDB CSFLE in an existing Java Spring Boot application.
Here are a few features in this repository:
Update the mongodb.properties file with your MongoDB URIs and the path to the MongoDB Automatic Encryption Shared Library.
For Linux and macOS.
./mvnw spring-boot:run
For Windows.
mvnw.cmd spring-boot:run
You can create a new cluster on MongoDB Atlas or, for testing and local development purposes only, you can create an ephemeral local single node replica set with the following command:
docker run --rm -d -p 27017:27017 -h $(hostname) --name mongo mongo:7.0.2 --replSet=RS && \
sleep 5 && \
docker exec mongo mongosh --quiet --eval "rs.initiate();"
Note: with MongoDB Client-Side Field Level Encryption you can store the data and the keys in two separate clusters, so that the keys are managed independently of the data. One reason to do so is to apply a different backup retention policy to each cluster (interesting for GDPR Article 17 "Right to erasure", for instance). For more information, see Client-Side Field Level Encryption.
Make sure to download and extract the shared library into a folder of your choice, then set its path in mongodb.properties, for example:
crypt.shared.lib.path=/home/polux/Software/mongo_crypt_shared_v1-linux-x86_64-enterprise-debian11-7.0.2/lib/mongo_crypt_v1.so
Create a person document:
curl -X POST http://localhost:8080/person \
-H 'Content-Type: application/json' \
-d '{
"first_name": "John",
"last_name": "Doe",
"ssn": "123-45-6789",
"blood_type": "A+"
}'
Find all the persons in the database. Note that the decryption is done automatically:
curl http://localhost:8080/persons
Find one person by SSN in the database. Note that the SSN in the query is encrypted automatically (so it can be matched against the stored ciphertext), and the result is decrypted automatically as well:
curl http://localhost:8080/person/ssn/123-45-6789
Read the encrypted data in the persons collection:
mongosh "mongodb://localhost/mydb" --quiet --eval "db.persons.find()"
Result in the persons collection:
[
{
_id: ObjectId("6537e9859f1b170d4cd25bee"),
firstName: 'John',
lastName: 'Doe',
ssn: Binary.createFromBase64("AflGzaz/YUj6m2aENIoB50MCn1rhDllb79H17xjkUMK2obL7i038eANieCC/nO7AcaPBtpOdtqqPEvNdd9VgnC6l9QaLEIC/5w+CYPujkNxFIA37PrsqMlDeL3AsMuAgTZg=", 6),
bloodType: Binary.createFromBase64("AvlGzaz/YUj6m2aENIoB50MCaHTxjCBlPZIck2gstfXB6yFfJ0KISjJJE24k3LXDoTv09GH+cwq+u6ApBuDU5OBkRe/6U8nPRKKcc5nirBLIzg==", 6),
_class: 'com.mongodb.quickstart.javaspringbootcsfle.model.PersonEntity'
}
]
Create a company document:
curl -X POST http://localhost:8080/company \
-H 'Content-Type: application/json' \
-d '{
"name": "MongoDB",
"money": 42
}'
Find all the companies in the database. Note that the decryption is done automatically:
curl http://localhost:8080/companies
Read the encrypted data in the companies collection:
mongosh "mongodb://localhost/mydb" --quiet --eval "db.companies.find()"
Result in the companies collection:
[
{
_id: ObjectId("653b1022110ea0067196894d"),
name: 'MongoDB',
money: Binary.createFromBase64("Au+QLuvvXE+gvw8N69fAbDYSjn2ep7Ye/Ap+N1YdBBuUOhLSpQtK9B7U38dx8xIcMz3sBvfOttqW8AOvRISxFa8a47T422hSnnwgCAjPNifnpA==", 6),
_class: 'com.mongodb.quickstart.javaspringbootcsfle.model.CompanyEntity'
}
]
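To see what the driver actually wrote in the two collections above (an added example, not part of this project): the first 18 bytes of every CSFLE ciphertext are an unencrypted header naming the encryption algorithm, the UUID of the data encryption key and the BSON type of the original value. Parsing the three blobs shows why ssn can be looked up by equality while blood_type and money cannot, and that the person and company entities use two different keys; the CsfleHeader name and the small BSON type table are this example's own.

```python
import base64
import uuid
from dataclasses import dataclass

# FLE1 ciphertext layout (BSON binary subtype 6) written by CSFLE:
#   byte 0     : blob subtype, 1 = deterministic, 2 = random
#   bytes 1-16 : UUID of the data encryption key (DEK) used for this value
#   byte 17    : BSON type of the original plaintext value
#   bytes 18.. : AEAD_AES_256_CBC_HMAC_SHA_512 output = 16-byte IV || AES-CBC body || 32-byte HMAC tag
HEADER_LEN, IV_LEN, TAG_LEN = 18, 16, 32
ALGORITHMS = {1: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
              2: "AEAD_AES_256_CBC_HMAC_SHA_512-Random"}
BSON_TYPES = {0x01: "double", 0x02: "string", 0x08: "bool", 0x09: "date", 0x10: "int32", 0x12: "int64"}

@dataclass
class CsfleHeader:
    algorithm: str
    key_id: uuid.UUID
    original_type: str
    cbc_body_len: int  # padded AES-CBC body length, always a multiple of 16

    @property
    def equality_searchable(self) -> bool:
        # Only deterministic ciphertexts can be matched by an equality query; the
        # flip side is that equal plaintexts under one DEK yield equal ciphertexts,
        # which is why low-cardinality fields such as blood type use the random mode.
        return self.algorithm.endswith("Deterministic")

def parse_csfle_blob(b64: str) -> CsfleHeader:
    """Parse the unencrypted header of a CSFLE ciphertext; no key material is needed."""
    blob = base64.b64decode(b64)
    if len(blob) < HEADER_LEN + IV_LEN + TAG_LEN or blob[0] not in ALGORITHMS:
        raise ValueError("not an FLE1 ciphertext this parser understands")
    body_len = len(blob) - HEADER_LEN - IV_LEN - TAG_LEN
    if body_len % 16:
        raise ValueError("ciphertext body is not a whole number of AES blocks")
    return CsfleHeader(ALGORITHMS[blob[0]], uuid.UUID(bytes=blob[1:17]),
                       BSON_TYPES.get(blob[17], f"bson type 0x{blob[17]:02x}"), body_len)

# The three ciphertexts copied from the mongosh output above.
SSN = "AflGzaz/YUj6m2aENIoB50MCn1rhDllb79H17xjkUMK2obL7i038eANieCC/nO7AcaPBtpOdtqqPEvNdd9VgnC6l9QaLEIC/5w+CYPujkNxFIA37PrsqMlDeL3AsMuAgTZg="
BLOOD_TYPE = "AvlGzaz/YUj6m2aENIoB50MCaHTxjCBlPZIck2gstfXB6yFfJ0KISjJJE24k3LXDoTv09GH+cwq+u6ApBuDU5OBkRe/6U8nPRKKcc5nirBLIzg=="
MONEY = "Au+QLuvvXE+gvw8N69fAbDYSjn2ep7Ye/Ap+N1YdBBuUOhLSpQtK9B7U38dx8xIcMz3sBvfOttqW8AOvRISxFa8a47T422hSnnwgCAjPNifnpA=="

if __name__ == "__main__":
    for field, value in (("ssn", SSN), ("bloodType", BLOOD_TYPE), ("money", MONEY)):
        h = parse_csfle_blob(value)
        print(f"{field:10} {h.algorithm:44} key={h.key_id} type={h.original_type} "
              f"cbc_body={h.cbc_body_len}B equality_query={h.equality_searchable}")
```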
Maxime Beugnet