We are introducing CSFLE in our applications. We are currently on version 4.0 and plan to move to version 4.2 (standalone/replica-set) for taking the advantage of CSFLE feature.
This question is on data migration. The data is currently not encrypted. How do we migrate the data - with CSFLE enabled - so that the data is migrated live and is encrypted based on the json encryption schemas provided?
Is there a tool available? How do we enable CSFLE on the destination mongodb instance and configure the json schemas?
Is there any live migration service available? Need urgent guidance on this.
@Carlos_Villanueva I have just looked into this and these steps seem to work for retroactively CSFLEing data that was not previously CSFLE’d, using explicit encryption:
Identify field(s) that are now CSFLE (you should have this from the schema)
Create a non-CSFLE MongoClient (so it doesn’t complain that you’re trying to query on CSFLE fields)
Run a query searching for your field(s) using a query like:
{myField: {$not: {$type: "binData"}}}
which should return the non-CSFLE fields that need CSFLEing
4. Update the field(s) using the clientEncryption approach in the linked page
5. The fields are now CSFLE’d
I think you’d have to use the Mongo Cloud console to shut down your secondary replica, delete the database data, and re-start it with encryption and replication settings set properly so that it syncs with the primary but with encryption.
I believe the link you supplied is for how to enable encryption at rest, but the original question was about client-side field level encryption (CSFLE)