I am using MongoDB’s automatic client side field level encryption, But I observed that the fields are not getting encrypted in the collection.
- The MongoDB-crypt library that I am using is 1.6.1
- mongo driver core and sync version are 4.9.1
- The MongoCryptD version is 5.0.3
- The OS is linux (RHEL 7.9)
- MongoDB version 4.2.11 Enterprise edition.
- Java JDK- 17
The Class that represents my document that I want to perform field encryption on is annotated with @Encrypted annotation with the data key ID and the Encryption algorithm
and also the fields in that class I want to encrypt is simply annotated with @Encypted annotation.
So it looks something like this ->
@Data // lombok
@Document
@Encrypted (keyID="<the key id>", algorithm= "<The algorithm>")
public class MyDocument{
@Id
private UUID dataID;
@Encrypted
private String fieldToBeEncrypted;
private String otherField;
}
I am using MongoJsonSchemaCreator’s createSchemaFor() method with a filter method MongoJsonSchemaCreator.encryptedOnly() in order to generate a Json Schema after which I then create a SchemaMap from.
this schemaMap I am then populating while creating AutoEncryptionSettings.->
MongoClientSettings clientSettings = MongoClientSettings.builder()
.autoEncryptionSettings(AutoEncryptionSettings.builder()
.keyVaultNamespace(keyVaultNamespace)
.kmsProviders(kmsProviders)
.schemaMap(schemaMap)
.extraOptions(extraOptions)
.build())
...(other settings)
.build();
The master key that I am putting in the kmsProviders is a 96 bytes random character that I generate with OpenSSL random command.
Now the problem is that I am not seeing any data being encrypted and also I do not see any failure message in the console logs.
Now my question is ->
- Where does the actual encryption happens ? it is definitly not in the mongocryptd as the docs states so.
So what is actually handling the encryption ? - Is there any settings we have to enable in the mongo cluster in order to enable auto field encryption.
- The versions that I have stated at the top of my question are those inter compatible with each other and the linux OS as well ?
- Is there any checklist in general that I can use in order to troubleshoot this issue of encryption not happening ?
It seems that the mongocryptd process is not marking the fields to be encrypted for writes and thus no encryption is taking place but not sure
Edit 1:
Sharing the rough SchemaMap that I tried in my AutoEncryptionSettings but this to has failed ->
schemaMap.put(getDatabaseName() + ".MyDocument", BsonDocument.parse("{"
+ " bsonType: "object","
+ " encryptMetadata: {"
+ " keyId: [UUID("" + keyUuid + "")]"
+ " },"
+ " properties: {"
+ " fieldToBeEncrypted: {"
+ " encrypt: {"
+ " bsonType: "string","
+ " algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic""
+ " }"
+ " }"
+ " }"
+ "}"));
Here the "keyUuid" is the UUID of the datakey that was generated with ClientEncryption class’s createDataKey() method. I had commented the @Encrypted annotation on MyDocument class temporarily in order to pass this hard coded SchemaMap.
2
Answers
I am putting the code that generates the schemaMap below ->
this SchemaMap then I put inside my AutoEncryptionSettings ->
Writing it as answer since it’s quite big:
Where does the actual encryption happens ?
– inside java driver (in particular inside a libmongocrypt library), but mongocryptd is also required daemon for this workflow.Is there any settings we have to enable in the mongo cluster in order to enable auto field encryption.
– there are options to disable encrypting, but by default it should work as long as you specified correct schemaMap.are those inter compatible with each other
– it should, but even if no, such simple functionality were in csfle logic from the beginning.@Encrypted
attribute came from, I’m not java developer, but I didn’t find it in documentation. See articles how it should be configured here. Also, in order to troubleshot further, provide schemaMap value you add to the clientSettings.