Client-Side Field Level Encryption | Dedupe failing on encrypted field

Hi Everyone,

I implemented mongo field level encryption in spring boot in one of my projects. My data encryption keys were kind of rotating with each deployment. Now lately I noticed that for the same field value (say m), for which I was manually checking whether it is present in my db or not, I see multiple entries got created.

To my understanding, I feel that this is due to the rotating key strategy that I used here, and using a single data-encryption key might solve the issue.

But is there any better approach to this? I want to use rotating keys for security purposes.

Reference Material: https://www.mongodb.com/docs/manual/core/security-client-side-encryption/

Any help is much appreciated. Thanks

Hello Prateek and thank you for posting!

When you say that you were kind of rotating your data encryption keys, does that mean that you were specifying different keyIds to be used for the same field via explicit encryption at different time periods? And were you using deterministic or random encryption? From what I gather you were using deterministic encryption with different keys and were wanting the same cleartext value to always result in the same ciphertext. If that is what you were doing then you are correct that changing keys is the problem. A cleartext value will only result in the same ciphertext when the same key is used for encryption. If that is not what you are doing please provide some more detail and I’ll be happy to review.

Cynthia
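The failure mode Cynthia describes can be reproduced without a database. The following is an added example, not code from the original thread, from MongoDB, or from the poster's Spring Boot project, and it does not implement MongoDB's actual deterministic CSFLE algorithm. It uses a stdlib-only, SIV-style stand-in that shares the one property that matters here: the ciphertext is a function of the data encryption key and the plaintext, so the same value encrypted under two different keys produces two different ciphertexts, and an equality check on the encrypted field cannot see that they are the same value. The keys, the in-memory "collection" and the `simulate_deployments` / `insert_if_absent` helpers are all constructed for the example.

```python
import hashlib
import hmac


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from (key, iv) using HMAC-SHA256 in
    counter mode. Illustrative construction only, not MongoDB's algorithm."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_deterministic(key: bytes, plaintext: bytes) -> bytes:
    """SIV-style deterministic encryption: the IV is an HMAC of the plaintext
    under the key, so the output depends only on (key, plaintext).
    Returns iv || body."""
    iv = hmac.new(key, b"siv" + plaintext, hashlib.sha256).digest()[:16]
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, iv, len(plaintext))))
    return iv + body


def decrypt_deterministic(key: bytes, ciphertext: bytes) -> bytes:
    """Inverse of encrypt_deterministic; only the original key recovers the value."""
    iv, body = ciphertext[:16], ciphertext[16:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, iv, len(body))))


def insert_if_absent(store: list, key: bytes, value: bytes) -> bool:
    """Model of the manual dedupe check from the question: encrypt the value
    with the current key, look it up by equality, insert only if absent."""
    ct = encrypt_deterministic(key, value)
    if ct in store:
        return False
    store.append(ct)
    return True


def simulate_deployments(keys_per_deployment: list, value: bytes) -> int:
    """Run the dedupe check once per deployment, each deployment using the
    data encryption key it was handed. Returns how many documents end up
    stored for the single cleartext value."""
    store = []  # constructed in-memory stand-in for the collection
    for key in keys_per_deployment:
        insert_if_absent(store, key, value)
    return len(store)


def sample_keys() -> tuple:
    """Three constructed 32-byte keys standing in for three DEK versions.
    Real DEKs live in the key vault and are never derived from strings."""
    return tuple(hashlib.sha256(b"constructed-dek-%d" % i).digest() for i in (1, 2, 3))


if __name__ == "__main__":
    dek_v1, dek_v2, dek_v3 = sample_keys()
    m = b"m"
    print("same DEK on every deployment ->", simulate_deployments([dek_v1] * 3, m), "document(s)")
    print("new DEK on every deployment  ->", simulate_deployments([dek_v1, dek_v2, dek_v3], m), "document(s)")
```

With one DEK reused across deployments the check finds the earlier document and the store holds one entry; with a fresh DEK per deployment each check misses and three documents accumulate, which matches the duplicates seen in the question. Note that the property being relied on (equal plaintext gives equal ciphertext) is exactly what random encryption deliberately does not provide, so a dedupe or equality lookup on an encrypted field only works with deterministic encryption under a stable DEK. Rotating which key wraps a DEK is different from issuing a new DEK: as long as the DEK bytes used for the field stay the same, existing ciphertexts remain comparable.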