Mongocryptd for client side encryption

Ops and Admin Enterprise Tools
#1

Hi,

We are using mongo db client side field level automatic encryption in enterprise mongodb 4.2 in Java environment. In developer environment this are working as expected. Developer started the mongocryptd process locally in his machine and end to end is working ok.

However, in integration environment administrator wants to run the mongocryptd process remotely (not in the application server machine) and wants application to use it from remote by specifying the remote url in mongocryptdURL extra options while creating the mongo encrypted client. administrator is suggesting to use “mongodb://remote-machine-address:27020” in :mongocryptdURL. And he wants to run the mongocryptd process remotely in remote-machine-address.

So, our question are.
(a) Is it possible to use such setup ? Can mongocryptd process run in a remote machine and the mongocryptd driver jar can access it remotely. Or it must run locally in same machine where the jvm is.

(b) If it can run remotely, then what steps we have to do ?

CSFLE: run mongocryptd process on application container
#2

Welcome to the MongoDB community @Srijeeb_Roy!

No. Only local interfaces (localhost or a local unix domain socket) are supported for mongocryptd as at MongoDB 4.4. There is no configuration for remote access.

One mongocryptd process can be shared by multiple applications, but they have to run in the same local server environment.

Note that mongocryptd is specific to the Automatic Client-Side Field Level Encryption feature using MongoDB Enterprise. The alternative approach of Explicit (Manual) Client-Side Field Level Encryption does not require any additional processes.

Regards,
Stennie

#3

Thanks for your reply! Yes, I understand that manual encryption will work and not dependent on mongocryptd process. But that will bring lot of manual code changes in the application as in each read, write, search we have to manually either call encrypt or decrypt. We need to tell the administrator this constraint and ask him to set up the mongocryptd in same machine.

#4

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.