Azure Key Rotation Broke my CSFLE

Hello everyone,

I am dealing with an issue where I rotated the Azure key that I was using to generate a KMS token in my server layer. My Client Side Field Level Encryption is now throwing an error when my encryption client tries to call a collection with encrypted data. The error is below. I am not sure whether I implemented it incorrectly in the past, which would be a reason for concern. I was under the impression that if I were to rotate my key, then my previously encrypted data would still be able to be decrypted using the old KMS key stored in the mongo KeyVault.

MongoDB.Driver.Encryption.MongoEncryptionException
HResult=0x80131500
Message=Encryption related exception: Error in KMS response: 'The parameter is incorrect.
'. HTTP status=400.
Source=MongoDB.Driver
StackTrace:
   at MongoDB.Driver.Encryption.AutoEncryptionLibMongoCryptController.DecryptFields(Byte[] encryptedDocumentBytes, CancellationToken cancellationToken)
   at MongoDB.Driver.Core.WireProtocol.CommandMessageFieldDecryptor.DecryptFields(CommandResponseMessage encryptedResponseMessage, CancellationToken cancellationToken)
   at MongoDB.Driver.Core.WireProtocol.CommandUsingCommandMessageWireProtocol`1.AutoDecryptFieldsIfNecessary(CommandResponseMessage encryptedResponseMessage, CancellationToken cancellationToken)
   at MongoDB.Driver.Core.WireProtocol.CommandUsingCommandMessageWireProtocol`1.Execute(IConnection connection, CancellationToken cancellationToken)
   at MongoDB.Driver.Core.WireProtocol.CommandWireProtocol`1.Execute(IConnection connection, CancellationToken cancellationToken)
   at MongoDB.Driver.Core.Servers.Server.ServerChannel.ExecuteProtocol[TResult](IWireProtocol`1 protocol, ICoreSession session, CancellationToken cancellationToken)
   at MongoDB.Driver.Core.Servers.Server.ServerChannel.Command[TResult](ICoreSession session, ReadPreference readPreference, DatabaseNamespace databaseNamespace, BsonDocument command, IEnumerable`1 commandPayloads, IElementNameValidator commandValidator, BsonDocument additionalOptions, Action`1 postWriteAction, CommandResponseHandling responseHandling, IBsonSerializer`1 resultSerializer, MessageEncoderSettings messageEncoderSettings, CancellationToken cancellationToken)
   at MongoDB.Driver.Core.Operations.CommandOperationBase`1.ExecuteProtocol(IChannelHandle channel, ICoreSessionHandle session, ReadPreference readPreference, CancellationToken cancellationToken)
   at MongoDB.Driver.Core.Operations.ReadCommandOperation`1.ExecuteAttempt(RetryableReadContext context, Int32 attempt, Nullable`1 transactionNumber, CancellationToken cancellationToken)
   at MongoDB.Driver.Core.Operations.RetryableReadOperationExecutor.Execute[TResult](IRetryableReadOperation`1 operation, RetryableReadContext context, CancellationToken cancellationToken)
   at MongoDB.Driver.Core.Operations.ReadCommandOperation`1.Execute(RetryableReadContext context, CancellationToken cancellationToken)
   at MongoDB.Driver.Core.Operations.FindOperation`1.Execute(RetryableReadContext context, CancellationToken cancellationToken)
   at MongoDB.Driver.Core.Operations.FindOperation`1.Execute(IReadBinding binding, CancellationToken cancellationToken)
   at MongoDB.Driver.OperationExecutor.ExecuteReadOperation[TResult](IReadBinding binding, IReadOperation`1 operation, CancellationToken cancellationToken)
   at MongoDB.Driver.MongoCollectionImpl`1.ExecuteReadOperation[TResult](IClientSessionHandle session, IReadOperation`1 operation, ReadPreference readPreference, CancellationToken cancellationToken)
   at MongoDB.Driver.MongoCollectionImpl`1.ExecuteReadOperation[TResult](IClientSessionHandle session, IReadOperation`1 operation, CancellationToken cancellationToken)
   at MongoDB.Driver.MongoCollectionImpl`1.FindSync[TProjection](IClientSessionHandle session, FilterDefinition`1 filter, FindOptions`2 options, CancellationToken cancellationToken)
   at MongoDB.Driver.MongoCollectionImpl`1.<>c__DisplayClass46_0`1.b__0(IClientSessionHandle session)
   at MongoDB.Driver.MongoCollectionImpl`1.UsingImplicitSession[TResult](Func`2 func, CancellationToken cancellationToken)
   at MongoDB.Driver.MongoCollectionImpl`1.FindSync[TProjection](FilterDefinition`1 filter, FindOptions`2 options, CancellationToken cancellationToken)
   at MongoDB.Driver.FindFluent`2.ToCursor(CancellationToken cancellationToken)
   at MongoDB.Driver.IAsyncCursorSourceExtensions.FirstOrDefault[TDocument](IAsyncCursorSource`1 source, CancellationToken cancellationToken)

Inner Exception 1:
CryptException: Error in KMS response: 'The parameter is incorrect.
'. HTTP status=400

A little more clarity on this. I had CSFLE working for all of my server environments before today. It was specifically the act of rotating the key in Azure Key Vault that resulted in this error. I am currently just using the same KMS base64 key (never generating a new KMS) when creating the auto-encryption client in the server. When I test by generating a new KMS, the server still throws the error. I don't know a lot about encryption, but I am wondering if my current keyvault record in MongoDb that is used to decrypt my database fields isn't getting validated against the Azure Key Vault because of something to do with the current key version.

Also, my KMS is being generated from a 2048-bit RSA key.

Sorry, it is a little confusing how to use this platform when submitting updates. I figured out the solution!

My MongoDB key vault KMS key stored in my database was missing the "keyVersion" parameter under the "masterKey" field. I added that parameter with the correct Azure Key Vault version and it fixed everything.
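An added example, not code from the original post: an offline audit over key vault documents (constructed inline) that flags Azure-wrapped data keys whose masterKey has no keyVersion, which is the gap the fix above closed, and builds the pinned masterKey. The field names (keyVaultEndpoint, keyName, keyVersion) follow the Azure masterKey shape; the version being pinned is assumed to be the one that actually wrapped that data key.

```python
# Constructed sample of documents as they might appear in a CSFLE key vault
# collection (only the fields relevant to the check are shown).
SAMPLE_KEY_VAULT = [
    {
        "_id": "dek-a",
        "keyAltNames": ["users"],
        "masterKey": {
            "provider": "azure",
            "keyVaultEndpoint": "example.vault.azure.net",
            "keyName": "csfle-master",
            # keyVersion missing: Azure resolves the current key version,
            # which no longer matches once the key has been rotated.
        },
    },
    {
        "_id": "dek-b",
        "keyAltNames": ["orders"],
        "masterKey": {
            "provider": "azure",
            "keyVaultEndpoint": "example.vault.azure.net",
            "keyName": "csfle-master",
            "keyVersion": "0123456789abcdef0123456789abcdef",  # constructed
        },
    },
    {"_id": "dek-c", "masterKey": {"provider": "local"}},  # not Azure-wrapped
]


def unpinned_azure_keys(docs: list) -> list:
    """Return the _id of every Azure-wrapped data key whose masterKey has
    no keyVersion, i.e. the keys that break on the next rotation."""
    return [
        d["_id"]
        for d in docs
        if d.get("masterKey", {}).get("provider") == "azure"
        and not d["masterKey"].get("keyVersion")
    ]


def pinned_master_key(master_key: dict, key_version: str) -> dict:
    """Return a copy of an Azure masterKey with keyVersion pinned.
    key_version is assumed to be the version that actually wrapped this
    data key; a different version would still fail to unwrap it."""
    if master_key.get("provider") != "azure":
        raise ValueError("keyVersion only applies to the azure provider")
    current = master_key.get("keyVersion")
    if current and current != key_version:
        raise ValueError(f"masterKey is already pinned to {current}")
    return {**master_key, "keyVersion": key_version}
```

Against a live deployment the same check runs over the documents returned by a find() on the key vault collection, and is worth running before every planned rotation rather than after the first 400 from the KMS.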
