How do I set up mongoDB's new CSFLE feature, with explicit encryption implicit decryption using nodejs?


I'm trying to use MongoDB's Client-Side Field Level Encryption feature with the community edition. I'm not interested in the auto-encryption feature. However, we need the auto-decryption feature, which as per the docs is possible in the community edition as well.

We generally use mongoose in our application but I tried with native nodejs driver as well. Here's the code I'm using to create the connection. This works fine if I comment out the autoEncryption object. Doing so allows me to encrypt manually, but this way we will also have to decrypt manually, which kind of beats the purpose.

Some docs suggest adding bypassAutoEncryption: true with extraOptions object to the autoEncryption object. I've tried that as well, as seen below.

const { MongoClient } = require('mongodb');

// keyVaultNamespace and kmsProviders are defined elsewhere (not shown).
const secureClient = new MongoClient('mongodb://someUri', {
    useNewUrlParser: true,
    useUnifiedTopology: true,
    autoEncryption: {
        keyVaultNamespace,
        kmsProviders,
        // Intended to turn off automatic encryption while keeping automatic decryption.
        bypassAutoEncryption: true,
        extraOptions: {
            // mongocryptdBypassSpawn: true,
            mongocryptdSpawnArgs: [ "--pidfilepath=bypass-spawning-mongocryptd.pid", "--port", "27021"],
            mongocryptdURI: "mongodb://localhost:27021/db?serverSelectionTimeoutMS=1000"
        },
    }
});

My code is working till generating the master key, data-key and explicitly encrypting the data. Unfortunately, I haven't been able to set up the auto-decryption. To configure the client with CSFLE options the autoEncryption has to be passed in the options. But whenever I pass this option, I get the following exception:

(node:53721) UnhandledPromiseRejectionWarning: MongoServerSelectionError: connect ECONNREFUSED 127.0.0.1:27021
    at Timeout._onTimeout (/Users/NiccsJ/ORI/code/testmongoEncryption/node_modules/mongodb/lib/sdam/topology.js:325:38)
    at listOnTimeout (internal/timers.js:554:17)
    at processTimers (internal/timers.js:497:7)
(Use `node --trace-warnings ...` to show where the warning was created)

I've followed almost all suggestions from the below refs. Surprisingly, the mongodb-nodejs documentation doesn't even mention bypassAutoEncryption. I just happened to stumble across the mongodb-c driver documentation (points 3 & 4 below), where I first found any reference to such an option:

  1. https://github.com/mongodb/node-mongodb-native/blob/4ecaa37f72040ed8ace6eebc861b43ee9cb32a99/test/spec/client-side-encryption/tests/README.rst
  2. https://github.com/Automattic/mongoose/issues/8167
  3. http://mongocxx.org/mongocxx-v3/client-side-encryption/
  4. https://mongodb.github.io/mongo-csharp-driver/2.11/reference/driver/crud/client_side_encryption/#explicit-encryption-and-auto-decryption

I was able to configure mongoShell with auto-decryption, meaning that my initial setup is not at fault. Also, it leads me to believe that there has to be a way to do it via code as well.

My stack:

  • nodeJS: > 14.7
  • mongoDB: 4.4
  • OS: macOS for dev, prod will be on AmazonLinux2
  • Drivers: mongoose, native-nodejs, mongodb-client-encryption

It's not clearly mentioned in the docs. But from what I've read, automatic decryption doesn't require the enterprise-only mongocryptd process.

As mentioned in the official mongoDB-c-driver:

Although automatic encryption requires MongoDB 4.2 enterprise or a MongoDB 4.2 Atlas cluster, automatic decryption is supported for all users. To configure automatic decryption without automatic encryption, set bypass_auto_encryption=True in the options::auto_encryption class.

I believe the bypassAutoEncryption option was made for this very purpose.

There are 1 best solutions below

Not exactly an answer, but this is the best resolution at the moment. I reported this as a bug on the official JIRA.

Turns out, this apparently is a bug with the node-mongo-native library. As per their comment, this should be fixed in the next release.
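
The flow the question is after (explicit encryption on write, automatic decryption on read), as an added example that is not part of the original post or the driver's own code. It assumes a driver release in which the reported bug is fixed, the `ClientEncryption` export of `mongodb-client-encryption`, and a `local` KMS provider; the key vault namespace, database and collection names, sample value and the `CSFLE_DEMO_URI` variable are hypothetical.

```javascript
// Build decrypt-only autoEncryption options. The 'local' KMS provider requires
// a 96-byte master key, so malformed input is rejected before any connection.
function buildDecryptOnlyOptions(keyVaultNamespace, localMasterKey) {
  if (!/^[^.]+\..+$/.test(keyVaultNamespace)) {
    throw new Error('keyVaultNamespace must be "<db>.<collection>"');
  }
  if (!Buffer.isBuffer(localMasterKey) || localMasterKey.length !== 96) {
    throw new Error('local master key must be a 96-byte Buffer');
  }
  return {
    keyVaultNamespace,
    kmsProviders: { local: { key: localMasterKey } },
    bypassAutoEncryption: true,                     // no automatic encryption
    extraOptions: { mongocryptdBypassSpawn: true }, // do not spawn mongocryptd
  };
}

// Encrypt one field explicitly, insert it, then read it back through the same
// client; the returned field is plaintext because decryption is automatic.
async function roundTrip(uri, localMasterKey) {
  const { MongoClient } = require('mongodb');
  const { ClientEncryption } = require('mongodb-client-encryption');
  const autoEncryption = buildDecryptOnlyOptions('encryption.__keyVault', localMasterKey);
  const client = new MongoClient(uri, { autoEncryption });
  await client.connect();
  try {
    const encryption = new ClientEncryption(client, {
      keyVaultNamespace: autoEncryption.keyVaultNamespace,
      kmsProviders: autoEncryption.kmsProviders,
    });
    const keyId = await encryption.createDataKey('local');
    const ssn = await encryption.encrypt('123-45-6789', { // constructed sample value
      keyId,
      algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic',
    });
    const people = client.db('csfleDemo').collection('people'); // hypothetical names
    const { insertedId } = await people.insertOne({ name: 'constructed-sample', ssn });
    const doc = await people.findOne({ _id: insertedId });
    return doc.ssn;
  } finally {
    await client.close();
  }
}

// Runs only when CSFLE_DEMO_URI (hypothetical variable) points at a test deployment.
if (process.env.CSFLE_DEMO_URI) {
  roundTrip(process.env.CSFLE_DEMO_URI, require('crypto').randomBytes(96)).then(console.log);
}
```

A random master key generated per run, as in the last lines, is only suitable for a throwaway test; data keys wrapped by it are unrecoverable once the process exits.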