PHPLIB-986: Split keyAltName example and link key management docs

alcaeus · alcaeus · commit 5d379daf03b4 · 2022-10-18T14:33:19.000+02:00
diff --git a/docs/tutorial/client-side-encryption.txt b/docs/tutorial/client-side-encryption.txt
@@ -202,6 +202,15 @@ specified when creating the key. The following example creates an encryption key
 with an alternative name, which could be done when deploying the application.
 The software then encrypts data by referencing the key by its alternative name.
 
+Creating the encryption key
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To create the encryption key, create a client instance with encryption options
+and create a new data key. You can pass multiple alternate names for this key
+and later reference the key by these alternate names instead of the key ID.
+Creating a new data encryption key would typically be done on initial deployment,
+but depending on your use-case you may want to use more than one encryption key.
+
 .. code-block:: php
 
    <?php
@@ -222,10 +231,35 @@ The software then encrypts data by referencing the key by its alternative name.
    $client = new Client();
    $clientEncryption = $client->createClientEncryption($clientEncryptionOpts);
 
-   // Create an encryption key with an alternative name. This could be done when
-   // deploying the application
+   // Create an encryption key with an alternate name.
    $keyId = $clientEncryption->createDataKey('local', ['keyAltNames' => ['altname']]);
 
+Using an encryption key by alternate name
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To use an alternate name when referencing an encryption key, use the
+``keyAltName`` option instead of ``keyId``.
+
+.. code-block:: php
+
+   <?php
+
+   use MongoDB\BSON\Binary;
+   use MongoDB\Client;
+   use MongoDB\Driver\ClientEncryption;
+
+   $localKey = new Binary('<binary key data (96 bytes)>', Binary::TYPE_GENERIC);
+
+   $clientEncryptionOpts = [
+       'keyVaultNamespace' => 'encryption.__keyVault',
+       'kmsProviders' => [
+           'local' => ['key' => $localKey],
+       ],
+   ];
+
+   $client = new Client();
+   $clientEncryption = $client->createClientEncryption($clientEncryptionOpts);
+
    $collection = $client->selectCollection('test', 'coll');
    $collection->drop(); // clear old data
 
@@ -329,3 +363,5 @@ query on the ``encryptedIndexed`` field.
    $unencryptedCollection = $client->selectCollection('test', 'coll');
 
    var_dump($unencryptedCollection->findOne(['_id' => 1]));
+
+.. seealso:: :manual:`Encryption Key Management </csfle/fundamentals/manage-keys/>` in the MongoDB manual
