Automatic CSFLE Node mongocryptd issue

Hi,
I’m trying to perform automatic client-side field level encryption using mongoDB Enterprise Server 4.2 (ultimately Mongo Atlas 4.2 Cluster) and Node mongo driver version 3.6.1.

I’ve already tested connections and installations by performing the same routine using both servers associated with a compatible mongo shell script.
When using the node driver, I see that the mongocryptd starts but the encryption doesn’t actually occur.

I have two different behaviours depending on how I use the schema. When I JSON.stringify it before inserting a document, the insertion results in success but no encryption is performed and the data is saved as plain text.

If I initialise the client with the JS object for the schema, I get the following error:
MongoError: Array elements must have type BinData, found object

I’ve even tried starting the mongocryptd process manually on port 27020 and only then run the script. I see that connections are made to mongocryptd but still no data is encrypted.

Any help would be appreciated.

Hi @Helton_Costa, welcome to the forums

Just based on the information that you’ve provided, it seems like there was a slight error in how the script encrypts. You may find the examples listed on Client Side Field Level Encryption Guide useful as a reference (You can toggle the code snippets to Node.JS).

If you are still encountering the issue, please provide an example code that could reproduce the error.

Regards,
Wan.

Hi @wan,

Not sure I understood what you meant, but I’ve already used that resource to get to where I am now.
Even if I try copying all the code there, just changing the kms and the server, I still get the same behaviour.

Assuming I have correct master key on KMS and data encryption key (since it worked for mongo shell), this is the code I’m using:

const kmsProviders = {
    aws: {
        accessKeyId: "<AWS_KEY_ID>",
        secretAccessKey: "<AWS_SECRET_ACCESS>"
    }
}

const mySchema = {
    'healthcheck.Users': {
        "bsonType": "object",
        "properties": {
            "name": {
                "encrypt": {
                    "bsonType": "string",
                    "keyId": [
                        {
                            "$binary": {
                                "base64": "<BASE64_KEY_ID>",
                                "subType": "04"
                            }
                        }
                    ],
                    "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
                }
            },
        }
    }
}

let client = new MongoClient(Url, {
    useUnifiedTopology: true,
    autoEncryption: {
        keyVaultNamespace,
        kmsProviders,
        schemaMap: mySchema,
        extraOptions: {
            mongocryptdSpawnArgs: ["--port", "30000"],
            logger: 4,
            mongocryptdURI: 'mongodb://localhost:30000',
            mongocryptdSpawnPath: '/usr/local/bin/mongocryptd',
        }
    }
})

const writeDocument = async () => {
    try {
        await client.connect()
        let coll = client.db('mydb').collection('mycollection')
        let res = await coll.insertOne({name: 'John Doe'})
    } catch (e) {
        console.log(e)
    } finally {
        await client.close()
    }
}

I also tried creating the schema with keyId: ["<base64_jey_id>"] and the same thing happens.
Let me know if there’s any information missing.

were you able to reproduce the issue @wan ?

Hi @Helton_Costa,

Could you try replacing the keyId part of the schema:

    "keyId": [
        {
            "$binary": {
                "base64": "<BASE64_KEY_ID>",
                "subType": "04"
             }
        }
    ],

With the following:

var Binary = require('mongodb').Binary;

let base64DataKeyId = "<BASE64_KEY_ID>";
let buff = Buffer.from(base64DataKeyId, 'base64');
let keyid = new Binary(buff, Binary.SUBTYPE_UUID); 

const mySchema = {
...
    "keyId": [keyid],
...
}

Regards,
Wan.

1 Like

Hi @wan, that solved it for me.
Thanks for the help.

1 Like

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.