Data encryption key: should it be unique each time the server is restarted? And should we drop the database storing the key vault as shown in the example below?

reference link: docs-in-use-encryption-examples/make_data_key.js at main · mongodb-university/docs-in-use-encryption-examples · GitHub

I am trying to implement client-side field level encryption and have a doubt about the step, while creating the data encryption key, in which we are dropping the database.
GitHub lines 43 and 46, marked in this post as //here************

const { MongoClient } = require("mongodb");
const uri = "<your connection string>"; // placeholder: supply your own connection string

async function makeDataKey() {
  const keyVaultDatabase = "encryption";
  const keyVaultCollection = "__keyVault";
  const keyVaultNamespace = `${keyVaultDatabase}.${keyVaultCollection}`;
  const keyVaultClient = new MongoClient(uri);
  await keyVaultClient.connect();
  const keyVaultDB = keyVaultClient.db(keyVaultDatabase);
  // Drop the Key Vault Collection in case you created this collection
  // in a previous run of this application.
  await keyVaultDB.dropDatabase();  // here*************
  // Drop the database storing your encrypted fields as all
  // the DEKs encrypting those fields were deleted in the preceding line.
  await keyVaultClient.db("medicalRecords").dropDatabase();  // here*********
}

Is it necessary to generate a new key each time, and should we drop the encrypted database? Why are we deleting medical records here, and is it necessary to do these steps each time the server restarts?
Can't we use the same data encryption key again and again, storing it in some place?

Thank you

Hello Haswanth_reddy and welcome!

createKey is a one-time operation and you do not need to, nor should you, drop and recreate the keys. The encrypted data encryption keys will be stored in the key vault and used for the encrypt/decrypt operations. Once you do the initial setup, the keys are used from that point on.


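To make the answer concrete, here is an added example (not code from the post or from the mongodb-university repository) of the pattern a restart-safe setup uses: look the DEK up in the key vault by its keyAltName and create it only when it is absent, instead of dropping the vault. The in-memory key vault and ClientEncryption stand-ins are constructed for this example; with the driver you would pass the real `encryption.__keyVault` collection and a ClientEncryption instance, and the returned id would be a Binary UUID rather than a string.

```javascript
// Idempotent "get or create" for a data encryption key (DEK): a server restart
// reuses the DEK already stored in the key vault instead of dropping it.
// Dependencies are injected so the logic runs without a live MongoDB:
//   keyVault         - collection-like object exposing findOne(filter)
//   clientEncryption - object exposing createDataKey(provider, { keyAltNames })
//                      (the shape of the driver's ClientEncryption class)
async function getOrCreateDataKeyId(keyVault, clientEncryption, altName, provider = "local") {
  // Key vault documents carry a keyAltNames array; querying the array field with
  // a scalar matches any document whose array contains that alias.
  const existing = await keyVault.findOne({ keyAltNames: altName });
  if (existing) {
    return { id: existing._id, created: false };
  }
  // First run only: create exactly one DEK and tag it with the alias.
  const id = await clientEncryption.createDataKey(provider, { keyAltNames: [altName] });
  return { id, created: true };
}

// Constructed in-memory stand-ins, used only to exercise the function offline.
function makeFakeKeyVault() {
  const docs = [];
  return {
    docs,
    async findOne(filter) {
      return docs.find((d) => d.keyAltNames.includes(filter.keyAltNames)) || null;
    },
  };
}

function makeFakeClientEncryption(keyVault) {
  let counter = 0;
  return {
    async createDataKey(provider, opts) {
      // The real driver inserts the KMS-wrapped key material into the key vault
      // and returns its _id; here only a constructed id and the aliases are stored.
      const _id = `dek-${provider}-${++counter}`;
      keyVault.docs.push({ _id, keyAltNames: opts.keyAltNames });
      return _id;
    },
  };
}

// Simulate two "server starts" against the same key vault: same DEK id both times,
// and the vault still holds a single key document.
async function simulateTwoStarts(altName = "medicalRecordsKey") {
  const keyVault = makeFakeKeyVault();
  const ce = makeFakeClientEncryption(keyVault);
  const first = await getOrCreateDataKeyId(keyVault, ce, altName);
  const second = await getOrCreateDataKeyId(keyVault, ce, altName);
  return { first, second, vaultSize: keyVault.docs.length };
}
```

In production, also create the unique partial index on keyAltNames that the CSFLE docs recommend for the key vault collection, so two concurrent first runs cannot insert duplicate aliases.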
