Navigation

KeyVault.deleteKey()

On this page

New in version 4.2.

KeyVault.deleteKey(UUID)

Deletes a data encryption key with the specified UUID from the key vault associated to the database connection.

deleteKey() has the following syntax:

keyVault = db.getMongo().getKeyVault()

keyVault.deleteKey(UUID("<UUID String>"))

The UUID is a BSON binary data object with subtype 4.

returns:A document indicating the number of deleted keys.

Behavior

Requires Configuring Client-Side Field Level Encryption on Database Connection

The mongo client-side field level encryption methods require a database connection with client-side field level encryption enabled. If the current database connection was not initiated with client-side field level encryption enabled, either:

  • Use the Mongo() constructor from the mongo shell to establish a connection with the required client-side field level encryption options. The Mongo() method supports both Amazon Web Services and Local Key Management Service (KMS) providers for Customer Master Key (CMK) management.

    or

  • Use the mongo shell command line options to establish a connection with the required options. The command line options only support the AWS KMS provider for CMK management.

Example

The following example is intended for rapid evaluation of client-side field level encryption. For more complete examples appropriate for development and production environments, see Remove a data encryption key.

Configuring client-side field level encryption for a locally managed key requires specifying a base64-encoded 96-byte string with no line breaks. The following operation generates a key that meets the stated requirements and loads it into the mongo shell:

TEST_LOCAL_KEY=$(echo "$(head -c 96 /dev/urandom | base64 | tr -d '\n')")

mongo --nodb --shell --eval "var TEST_LOCAL_KEY='$TEST_LOCAL_KEY'"

Create the client-side field level encryption object using the generated local key string:

var ClientSideFieldLevelEncryptionOptions = {
  "keyVaultNamespace" : "encryption.__dataKeys",
  "kmsProviders" : {
    "local" : {
      "key" : BinData(0, TEST_LOCAL_KEY)
    }
  }
}

Use the Mongo() constructor to create a database connection with the client-side field level encryption options. Replace the mongodb://myMongo.example.net URI with the connection string URI of the target cluster.

encryptedClient = Mongo(
  "mongodb://myMongo.example.net:27017/?replSetName=myMongo",
  ClientSideFieldLevelEncryptionOptions
)

Retrieve the KeyVault object and use the KeyVault.deleteKey() method to delete the data encryption key with matching UUID:

keyVault = encryptedClient.getKeyVault()
keyVault.deleteKey(UUID("b4b41b33-5c97-412e-a02b-743498346079"))

If successful, deleteKey() returns output similar to the following:

{ "acknowledged" : true, "deletedCount" : 1 }