CSFLE and Multi-tenancy, encryption key per tenant

I am starting to explore CSFLE and currently using community version 4.4
We are open to moving to enterprise version or Atlas.

Our application is an enterprise application. We have implemented multi-tenancy with one DB per tenant model. From our application (Python) we maintain a pool of DB connections (rather driver does) and we just switch the MongoDB db to use based on the tenant-ID. That means, we can just keep one connection pool and use it for any tenant.

With CSFLE, I am wondering the following:
How can we keep tenant specific encryption keys under tenant DB and still maintain connection pool and easily switch DBs?

The automatic encryption/decryption parameter (which hold info about key namespace, db+collection) needs to be passed to MongoClient consturctor, that is when MongoDB connection is created.

If we do keep tenant specific keys under tenant db, it seems, we have to create individual MongoDB connection per tenant. Which seems wrong to me.

Any suggestion? Am I missing anything?
Help will be greatly appreciated.

2 Likes

Yes, your understanding that you would need one connection for each tenant is correct. As the FLE keys are stored under the tenant database, you would have to initialize the connection with the data key id specific for each tenant. MongoDB should have had better support for such use cases.

In my case, I already have one connection for each tenant. But the connections are created by request for the tenant in the token.
My problem is that I’ll need do get each tenant key for each time I want to connect to the database.
But I realize that when you use a cloud KMS, you don’t have to put key data in the connection, the database itself will do this. (It’s right?)