@@ -24,10 +24,12 @@ Installation
2424============
2525
2626In addition to the :doc: `installation </intro/install >` and :doc: `configuration
27- </intro/configure>` steps for Django MongoDB Backend, Queryable
28- Encryption requires encryption support and a Key Management Service (KMS).
27+ </intro/configure>` steps already required to use Django MongoDB Backend,
28+ Queryable Encryption requires the installation of additional dependencies.
29+ You can install these dependencies by using the ``encryption `` extra when
30+ installing ``django-mongodb-backend ``:
2931
30- You can install encryption support with the following command::
32+ .. code-block :: console
3133
3234 pip install django-mongodb-backend[encryption]
3335
@@ -36,16 +38,22 @@ You can install encryption support with the following command::
3638Configuring the ``DATABASES `` setting
3739=====================================
3840
39- In addition to :ref: `configuring-databases-setting `, you must also configure an
40- encrypted database in your :setting: `django:DATABASES ` setting.
41+ In addition to the :ref: `database settings <configuring-databases-setting >`
42+ already required to use Django MongoDB Backend, you must configure an
43+ encrypted database to store encrypted data.
4144
42- This database will be used to store encrypted fields in your models. The
43- following example shows how to configure an encrypted database using the
44- :class: `AutoEncryptionOpts <pymongo.encryption_options.AutoEncryptionOpts> ` from the
45- :mod: `encryption_options <pymongo.encryption_options> ` module.
45+ .. admonition :: Encrypted database
4646
47- This example uses a local KMS provider and a key vault namespace for storing
48- encryption keys.
47+ An encrypted database is a separate database connection in your
48+ :setting: `django:DATABASES ` setting that is configured to use
49+ :class: `automatic encryption
50+ <pymongo.encryption_options.AutoEncryptionOpts> `.
51+
52+ The following example shows how to
53+ configure an encrypted database using the :class: `AutoEncryptionOpts
54+ <pymongo.encryption_options.AutoEncryptionOpts> ` from the
55+ :mod: `encryption_options <pymongo.encryption_options> ` module with a local KMS
56+ provider and encryption keys stored in the ``encryption.__keyVault `` collection.
4957
5058.. code-block :: python
5159
@@ -70,7 +78,7 @@ encryption keys.
7078 " encrypted"
7179 " ENGINE" " django_mongodb_backend"
7280 " HOST" " mongodb+srv://cluster0.example.mongodb.net"
73- " NAME" " encrypted "
81+ " NAME" " my_database_encrypted "
7482 " USER" " my_user"
7583 " PASSWORD" " my_password"
7684 " PORT" 27017 ,
@@ -83,48 +91,57 @@ encryption keys.
8391 },
8492 }
8593
94+ admonition :: Local KMS provider key
95+
96+ In the example above, a random key is generated for the local KMS provider
97+ using ``os.urandom(96) ``. In a production environment, you should securely
98+ store and manage your encryption keys.
99+
86100.. _qe-configuring-database-routers-setting :
87101
88102Configuring the ``DATABASE_ROUTERS `` setting
89103============================================
90104
91- Similar to :ref: `configuring-database-routers-setting ` for using :doc: `embedded
92- models </topics/embedded-models>`, to use Queryable Encryption you must also
93- configure the :setting: `django:DATABASE_ROUTERS ` setting to route queries to the
94- encrypted database.
105+ Similar to configuring a :ref: `database router
106+ <configuring-database-routers-setting>` for
107+ :doc: `embedded models </topics/embedded-models >`, Queryable Encryption
108+ requires a :setting: `database router <django:DATABASE_ROUTERS> ` to route
109+ queries to the encrypted database.
95110
96- This is done by adding a custom router that routes queries to the encrypted
97- database based on the model's metadata. The following example shows how to
98- configure a custom router for Queryable Encryption:
111+ The following example shows how to
112+ configure a custom router for the "myapp" application that routes queries to the
113+ encrypted database.
99114
100115.. code-block :: python
101116
117+ # myapp/routers.py
102118 class EncryptedRouter :
103- """
104- A router for routing queries to the encrypted database for Queryable
105- Encryption.
106- """
107-
108- def db_for_read (self model , ** hints ):
109- if model._meta.app_label == " myapp"
110- return " encrypted"
111- return None
112-
113- db_for_write = db_for_read
114-
115119 def allow_migrate (self db , app_label , model_name = None , ** hints ):
116120 if app_label == " myapp"
117121 return db == " encrypted"
118- # Don't create other app's models in the encrypted database.
122+ # Prevent migrations on the encrypted database for other apps
119123 if db == " encrypted"
120124 return False
121125 return None
122126
127+ def db_for_read (self model , ** hints ):
128+ if model._meta.app_label == " myapp"
129+ return " encrypted"
130+ return None
131+
123132 def kms_provider (self model , ** hints ):
124133 return " local"
125134
135+ db_for_write = db_for_read
136+
137+
138+
139+ :setting: `django:DATABASE_ROUTERS ` setting:
140+
141+ .. code-block :: python
126142
127- DATABASE_ROUTERS = [EncryptedRouter]
143+ # settings.py
144+ DATABASE_ROUTERS = [" myapp.routers.EncryptedRouter"
128145
129146qe-configuring-kms :
130147
@@ -138,8 +155,8 @@ options followed by an example of how to use them.
138155
139156+-------------------------------------------------------------------------+--------------------------------------------------------+
140157| :setting: `KMS_CREDENTIALS <DATABASE-KMS-CREDENTIALS> ` | A dictionary of Key Management Service (KMS) |
141- | | credentials configured in the |
142- | | :setting: `django:DATABASES ` setting. |
158+ | | credentials configured in an inner option of the |
159+ | | encrypted :setting: `django:DATABASES ` setting. |
143160+-------------------------------------------------------------------------+--------------------------------------------------------+
144161| :class: `kms_providers <pymongo.encryption_options.AutoEncryptionOpts> ` | A dictionary of KMS provider credentials used to |
145162| | access the KMS with |
0 commit comments