Data Migration with CSFLE enabled

We are introducing CSFLE in our applications. We are currently on version 4.0 and plan to move to version 4.2 (standalone/replica-set) to take advantage of the CSFLE feature.
This question is on data migration. The data is currently not encrypted. How do we migrate the data - with CSFLE enabled - so that the data is migrated live and is encrypted based on the JSON encryption schemas provided?
Is there a tool available? How do we enable CSFLE on the destination MongoDB instance and configure the JSON schemas?
Is there any live migration service available? Need urgent guidance on this.

Thanks,
Anu

2 Likes

We are having the same issue. Could you find a solution, @Anu_Madan?

@Carlos_Villanueva I have just looked into this and these steps seem to work for retroactively CSFLEing data that was not previously CSFLE’d, using explicit encryption:

  1. Identify field(s) that are now CSFLE (you should have this from the schema)
  2. Create a non-CSFLE MongoClient (so it doesn’t complain that you’re trying to query on CSFLE fields)
  3. Run a query searching for your field(s) using a query like:

         {myField: {$not: {$type: "binData"}}}

     which should return the non-CSFLE fields that need CSFLEing
  4. Update the field(s) using the clientEncryption approach in the linked page
  5. The fields are now CSFLE’d

2 Likes
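The five steps in the reply above, as an added Python sketch that is not part of the original thread or of MongoDB's own tooling. It assumes PyMongo with `pymongocrypt` installed, an existing data key (`key_id`), and a top-level scalar field that never legitimately holds binary data; the function names and the choice of the deterministic algorithm are illustrative assumptions.

```python
"""Backfill explicit CSFLE encryption onto documents whose field is still plaintext."""

DETERMINISTIC = "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"


def plaintext_filter(field):
    # The thread's query, plus $ne: None so documents where the field is
    # missing or null (which $not/$type alone would also match) are skipped.
    return {field: {"$ne": None, "$not": {"$type": "binData"}}}


def backfill(coll, field, encrypt):
    """Encrypt `field` in place; returns (encrypted, skipped) counts.

    coll    -- collection from a MongoClient WITHOUT auto-encryption (step 2)
    encrypt -- callable(value) -> ciphertext, e.g. wrapping ClientEncryption.encrypt
    Assumes `field` is a top-level scalar (no dotted paths).
    """
    encrypted = skipped = 0
    for doc in coll.find(plaintext_filter(field), {field: 1}):
        old = doc[field]
        # Match on the value we read, so a concurrent write during a live
        # migration is not overwritten with ciphertext of stale data.
        res = coll.update_one({"_id": doc["_id"], field: old},
                              {"$set": {field: encrypt(old)}})
        if res.modified_count == 1:
            encrypted += 1
        else:
            skipped += 1  # changed underneath us; a later pass picks it up
    return encrypted, skipped


def run(uri, db, coll_name, field, kms_providers, key_vault_ns, key_id):
    # Imported lazily so the helpers above work without the driver installed.
    from bson.codec_options import CodecOptions
    from pymongo import MongoClient
    from pymongo.encryption import ClientEncryption

    client = MongoClient(uri)  # plain client, no auto_encryption_opts
    ce = ClientEncryption(kms_providers, key_vault_ns, client, CodecOptions())
    try:
        coll = client[db][coll_name]
        return backfill(coll, field,
                        lambda v: ce.encrypt(v, DETERMINISTIC, key_id=key_id))
    finally:
        ce.close()
        client.close()
```

Re-run `backfill` until it returns `(0, 0)`; writers that still store plaintext during the migration will keep producing documents that match the filter.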

I know this is a long time ago, but this resource is helpful: https://www.mongodb.com/docs/manual/tutorial/configure-encryption/#std-label-encrypt-existing-data

I think you’d have to use the Mongo Cloud console to shut down your secondary replica, delete the database data, and re-start it with encryption and replication settings set properly so that it syncs with the primary but with encryption.

I believe the link you supplied is for how to enable encryption at rest, but the original question was about client-side field level encryption (CSFLE).

2 Likes