"`csfle` is a small utility for testing the state machine with real data.\n"
"\n"
"To build `csfle`, ensure libmongoc is installed (in addition to libbson) and set the option -DENABLE_ONLINE_TESTS=ON when configuring with `cmake`.\n"
"\n"
"Options can also be provided through a config flag.\n"
"\n"
"```\n"
"Global options\n"
"    --options_file <string>\n"
"        Alternative way to pass all options.\n"
"    --kms_providers_file <string>\n"
"        Defaults to ~/.csfle/kms_providers.json\n"
"    --mongocryptd_uri <string>\n"
"        Defaults to 'mongodb://localhost:27020'.\n"
"    --mongodb_uri <string>\n"
"        Defaults to 'mongodb://localhost:27017'.\n"
"    --mongodb_keyvault_uri <string>\n"
"        Defaults to 'mongodb://localhost:27017'.\n"
"    --keyvault_namespace <string>\n"
"        Defaults to 'keyvault.datakeys'.\n"
"    --schema_map_file <string> (optional)\n"
"        Defaults to using remote schemas.\n"
"    --trace <bool>\n"
"        Defaults to false.\n"
"    --tls_ca_file <string>\n"
"        Set a custom CA to verify server certificates in TLS connections. If not set, uses system defaults. Useful for KMIP.\n"
"    --tls_certificate_key_file <string>\n"
"        The client certificate and private key. If not set, a client certificate is not sent in TLS connections. Useful for KMIP.\n"
"\n"
"csfle create_datakey\n"
"    --kms_provider <string>\n"
"    --key_alt_names <comma separated strings>\n"
"\n"
"    AWS options.\n"
"    --aws_kek_region <string>\n"
"    --aws_kek_key <string>\n"
"    --aws_kek_endpoint <string>\n"
"\n"
"    Azure options.\n"
"    --azure_kek_keyvaultendpoint <string>\n"
"    --azure_kek_keyname <string>\n"
"    --azure_kek_keyversion <string> (optional)\n"
"\n"
"    GCP options.\n"
"    --gcp_kek_endpoint <string>\n"
"    --gcp_kek_projectid <string>\n"
"    --gcp_kek_location <string>\n"
"    --gcp_kek_keyring <string>\n"
"    --gcp_kek_keyname <string>\n"
"    --gcp_kek_keyversion <string> (optional)\n"
"\n"
"    KMIP options.\n"
"    --kmip_kek_endpoint <string>\n"
"    --kmip_kek_keyid <string>\n"
"\n"
"csfle auto_encrypt\n"
"    --command <JSON string> or --command_file <string>\n"
"    --db <string>\n"
"\n"
"csfle auto_decrypt\n"
"    --document <JSON string> or --document_file <string>\n"
"\n"
"csfle explicit_encrypt\n"
"    --value <JSON string> Document must have form { 'v': ... }\n"
"    --key_id <base64 string>\n"
"    --key_alt_name <string>\n"
"    --algorithm <string>\n"
"\n"
"csfle explicit_decrypt\n"
"    --value <JSON string> Document must have form { 'v': ... }\n"
"```\n"
"\n"
"\n"
"The KMS providers file must be extended canonical JSON of the following form.\n"
"\n"
"```\n"
"{\n"
"    'aws': {\n"
"        'accessKeyId': <string>,\n"
"        'secretAccessKey': <string>\n"
"    }\n"
"\n"
"    'local': {\n"
"        'key': <binary of 96 bytes>\n"
"    }\n"
"}\n"
"```\n"
"\n"
"No KMS providers are required.\n"
"\n"
"\n"
"## Examples\n"
"\n"
"```\n"
"csfle create_datakey --kms_provider aws --aws_kek_region us-east-1 --aws_kek_key 'arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0'\n"
"\n"
"csfle auto_encrypt --command '{'insert': 'coll', 'documents': [{'ssn': '123'}]}' --db 'db' --schema_map_file ./.csfle/schema_map.json\n"
"\n"
"csfle auto_decrypt --document '{ 'insert' : 'coll', 'documents' : [ { 'ssn' : { '$binary' : { 'base64': 'ARG+PK8ud0RZlDIzKwQmFoMCOuSIPyrfYleSqMZRXgaPCQOAurv0LTLNL6Tn/G7TuVOyf/Qv3j6VxSxCQEeu/yO7vv/UDE5niDE0itjOqjmf5Q==', 'subType' : '06' } } } ] }'\n"
"\n"
"csfle explicit_encrypt --key_id 'Eb48ry53RFmUMjMrBCYWgw==' --value '{'v': 'test'}' --algorithm 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'\n"
"``\n"