cse build tag stands for “client-side encryption”. We require this build tag because this feature requires linking against an external C library. The build tag allows users who don’t need this feature to compile and use the driver without worrying about installing libmongocrypt. If you’re curious, this is done by keep two separate copies of the source code, each conditionally compiled based on the build tag. One copy has actual logic to interact with libmongocrypt and implement the feature and the other contains function stubs that panic if called. You can see this by running the script without specifying the build tag.
As for the collections created, I believe both examples create two collections:
encryption.testKeyVault: This is the key vault collection and is used to store the data key created by
ClientEncryption.CreateDataKey. These data keys are used to encrypt/decrypt fields. Note that the key material for these keys is also encrypted using the master key. In the examples I linked above, this is
localMasterKey. The key vault is necessary collection for client-side encryption.
test.coll: This is the collection where the application stores its data. In the example, this data looks like
For your question about GridFS, can you provide more details? Do you want to delete the entire GridFS file (i.e. delete all of the chunks for the file and any other information related to it) after a TTL?
If you have any follow-up questions about client-side encryption, it may be helpful to create a new topic with the #go-driver tag for the GridFS question.