Mongo ClientSideFieldLevel Encrytion


 We are using mongodb-crypt library for field level encryption on Azure.

We are able to encrypt & decrypt data properly.

However we faced issue with our Cloud provider due to which KeyVault was unavailable for certain period of time. During this time our encryution/decryption process errored as the internal C library “libmongocrypt” tries to fetch the masterkey every 1 minute.

Right now this is not configurable, please suggest options to avoid this situation by either increasing the time interval to query the KMS or reuse the existing masterKey if the KeyVault fails.

Found following documentation from “libmongocrypt”
libmongocrypt: Data key caching

Data keys are cached in libmongocrypt for one minute. This is not
configurable, and there is no maximum number of keys in the cache. The
data key material is stored securely. It will not be paged to disk and
the memory will be properly zero’ed out after freeing.


Hi @Chaitanya_Chettipalli

Thanks for sharing your experience. DRIVERS-2781 proposes to make the cache window configurable. Your request helps in taking an informed decision. We will consider this ticket for a future quarter.
Kindly watch the jira ticket for future updates.

1 Like

Hi @Rishabh_Bisht , thanks for the quick response.

Can u provide the timeline for this configuration change in the Driver.
From the Jira shared, it looks like its planned for FY25Q2, Q3.
We wanted to check if an earlier time frame is possible.

With the KeyVault issue we faced last time, it was a 100% outage for us and we do
not want to end up in that kind of situation again.

Please suggest if there are any other alternatives possible for this problem.

Thank you.

Yes, the ticket I shared is tentatively planned for Q2/Q3 this year. We also have another retryability work planned for current quarter which may address some of the issues experienced with transient errors with KMS - MONGOCRYPT-599.

1 Like