Client-side Field-Level Encryption


I’m hoping someone could point me in the right direction here.

We are working with highly sensitive data and have subsequently starting working on implement CSFLE on sensitive data in sensitive collections. We have got CSFLE working using an Azure KMS and all is well.

However, it seems that when using an encryption enabled MongoClient, any unsupported operations are blocked on all collections regardless of whether they have encrypted fields or not. Is this the desired behaviour of the driver and if so, what is a suitable workaround?

We are using the v2.16 of the C# driver for reference.

The only way I can see us working around this is by registering 2 clients:

  1. For use with encrypted collections
  2. For use with unencrypted collections

Is this the recommended approach? My concern is the number of connections to the database will increase as from my understanding the connections are handled by the MongoClient and 2 clients would result in 2 collection pools.

In summary, my questions are:

  • Why are unsupported queries blocked on unencrypted collections? (we use Atlas Search for example)
  • How can we leverage Atlas search features while also using CSFLE features?


Hey, can you provide a command you run that fails with csfle?

Hi Demitry,

I ended up logging a support ticket. It seems that this is a known bug with the driver:

Please note to anyone is future that you cannot run your search pipelines with an encryption enabled Mongo Client.

Commands run via the Mongocryptd process which does not recognise $search stages in aggregations. You will also get errors with lookup aggregations as they are not supported.

The workaround is to register 2 mongo clients - one for dealing with encrypted collections and one for running aggregations. You will then need to specifically omit encrypted fields to avoid serialisation issues.

This is not ideal as you will use more DB connections because Mongo cannot pool across 2 different clients with different configurations.

1 Like