MongoDB Client-Side Field Level Encryption with ASP.NET Core C# in Docker

Hi All,

I have been trying to set up a demo project, with the hope of using the CSFLE feature in a production application running in MongoDB Atlas version 6.0, using .NET 6 and the C# language.

I have seen the installation documentation and various other topics which are available through Google search and the MongoDB community forums; however, I am currently stuck with an error which suggests that mongocryptd is not found in the path.
I am using the aspnet:6.0 base image and the demo code found at the Microsoft site: Create a web API with ASP.NET Core and MongoDB | Microsoft Learn
For testing, I have created a Docker container from the mongodb/mongodb-enterprise-server:latest image.
Reading and writing data from my POC is working well, without the CSFLE feature.

When I tried to add the feature using the code present here: Client-Side Encryption, I found the first problem with the libdl library, which I solved by adding the following commands to my Dockerfile:

RUN apt-get update
RUN apt-get install libc6-dev -y

Now, that error is gone, but I have the error saying

MongoDB.Driver.Encryption.MongoEncryptionException: Encryption related exception: Exception starting mongocryptd process. Is mongocryptd on the system path?.
       ---> MongoDB.Driver.MongoClientException: Exception starting mongocryptd process. Is mongocryptd on the system path?
       ---> System.ComponentModel.Win32Exception (2): An error occurred trying to start process 'mongocryptd' with working directory '/app'. No such file or directory

I understand the issue is that mongodb-enterprise-cryptd is not installed within my web API container and I need to install it somehow. I checked the example from this page: field-level-encryption-docker/Dockerfile at main · sindbach/field-level-encryption-docker · GitHub, which gave a sample for Node.js, but I am not able to do the same thing in this Microsoft base image. As you can understand, I am new to CSFLE, so any help will be greatly appreciated. Following is the Dockerfile that came with the demo:

FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base
RUN apt-get update
RUN apt-get install libc6-dev -y

WORKDIR /app
EXPOSE 80
EXPOSE 443

FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
WORKDIR /src
COPY ["UbkDockerMongoAzSQL.csproj", "."]
RUN dotnet restore "./UbkDockerMongoAzSQL.csproj"
COPY . .
WORKDIR "/src/."
RUN dotnet build "UbkDockerMongoAzSQL.csproj" -c Release -o /app/build

FROM build AS publish
RUN dotnet publish "UbkDockerMongoAzSQL.csproj" -c Release -o /app/publish /p:UseAppHost=false

FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "UbkDockerMongoAzSQL.dll"]

Hi, @UB_K,

Welcome to the MongoDB Community Forums. I understand that you’re having trouble getting FLE configured with mongocryptd in a Docker container. I would suggest that you try using the libmongocrypt shared library instead. The shared library has all the same features as mongocryptd, but is much more Docker-friendly. You can find out more in Automatic Encryption Shared Library for Queryable Encryption and Install libmongocrypt.

Sincerely,
James

Thank you @James_Kovacs for your quick response. I have seen the new shared library, but as per the installation document, it’s still in public preview, whereas we need to deploy the CSFLE solution in production as soon as the POC succeeds.

I feel the issue is with Docker not trusting the MongoDB repo certificate.

1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: #6 [base 3/7] RUN curl -k -fsSL https://pgp.mongodb.com/server-6.0.asc |    sudo gpg -o /usr/share/keyrings/mongodb-server-6.0.gpg    --dearmor
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: #6 sha256:66bf736adf962edc07bee3ef1e7bdf08f31ebe43385b6e603fd9c6e9a8066df6
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: #6 DONE 1.4s
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: 
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: #7 [base 4/7] RUN echo "deb [ signed-by=/usr/share/keyrings/mongodb-server-6.0.gpg ] https://repo.mongodb.com/apt/debian bullseye/mongodb-enterprise/6.0 main" | sudo tee /etc/apt/sources.list.d/mongodb-enterprise.list
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: #7 sha256:3df55a3077719f2335a31cd2405ef634a198012e1bea65ca4d09d59f80f774de
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: #7 0.488 deb [ signed-by=/usr/share/keyrings/mongodb-server-6.0.gpg ] https://repo.mongodb.com/apt/debian bullseye/mongodb-enterprise/6.0 main
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: #7 DONE 0.5s
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: 
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: #8 [base 5/7] RUN sudo apt-get update
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: #8 sha256:af7698bc3db5636411ee7ab24086559536b79bb69ac00d4474fcbf679a030931
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: #8 0.609 Hit:1 http://deb.debian.org/debian bullseye InRelease
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: #8 0.625 Hit:2 http://deb.debian.org/debian-security bullseye-security InRelease
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: #8 0.650 Hit:3 http://deb.debian.org/debian bullseye-updates InRelease
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: #8 1.077 Err:4 https://repo.mongodb.com/apt/debian bullseye/mongodb-enterprise/6.0 InRelease
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: #8 1.077   Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 54.X.X.X 443]
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: #8 1.079 Reading package lists...
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: #8 1.451 W: Failed to fetch https://repo.mongodb.com/apt/debian/dists/bullseye/mongodb-enterprise/6.0/InRelease  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 54.X.X.X 443]
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: #8 1.451 W: Some index files failed to download. They have been ignored, or old ones used instead.
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: #8 DONE 1.5s
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: 
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: #9 [base 6/7] RUN sudo apt-get install -y mongodb-enterprise-cryptd
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: #9 sha256:6adb10ab657da49ae3f4e6d54ccd1ef20583bf4a41733ffd27f7d5d8f27b27e0
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: #9 0.493 Reading package lists...
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: #9 0.862 Building dependency tree...
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: #9 0.980 Reading state information...
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: #9 1.069 E: Unable to locate package mongodb-enterprise-cryptd
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: #9 ERROR: executor failed running [/bin/sh -c sudo apt-get install -y mongodb-enterprise-cryptd]: exit code: 100
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: ------
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014:  > [base 6/7] RUN sudo apt-get install -y mongodb-enterprise-cryptd:
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: ------
1>C:\source\repos\UbkDockerMongoAzSQL\Dockerfile : error CTC1014: executor failed running [/bin/sh -c sudo apt-get install -y mongodb-enterprise-cryptd]: exit code: 100
1>Done building project "UbkDockerMongoAzSQL.csproj" -- FAILED.

The same issue occurs when I try to get the libmongocrypt library using the knowledge pages you referred to.

# sudo sh -c 'curl -s --location https://www.mongodb.org/static/pgp/libmongocrypt.asc | gpg --dearmor >/etc/apt/trusted.gpg.d/libmongocrypt.gpg'
gpg: no valid OpenPGP data found.
# echo "deb https://libmongocrypt.s3.amazonaws.com/apt/debian buster/libmongocrypt/1.7 main" | sudo tee /etc/apt/sources.list.d/libmongocrypt.list
deb https://libmongocrypt.s3.amazonaws.com/apt/debian buster/libmongocrypt/1.7 main
# sudo apt-get update
Hit:1 http://deb.debian.org/debian bullseye InRelease
Err:2 https://repo.mongodb.com/apt/debian bullseye/mongodb-enterprise/6.0 InRelease
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 54.X.X.X 443]
Hit:3 http://deb.debian.org/debian-security bullseye-security InRelease
Err:4 https://libmongocrypt.s3.amazonaws.com/apt/debian buster/libmongocrypt/1.7 InRelease
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 3.X.X.X 443]
Hit:5 http://deb.debian.org/debian bullseye-updates InRelease
Reading package lists... Done
W: Failed to fetch https://libmongocrypt.s3.amazonaws.com/apt/debian/dists/buster/libmongocrypt/1.7/InRelease  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 3.X.X.X 443]
W: Failed to fetch https://repo.mongodb.com/apt/debian/dists/bullseye/mongodb-enterprise/6.0/InRelease  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 54.X.X.X 443]
W: Some index files failed to download. They have been ignored, or old ones used instead.
# sudo apt-get install -y libmongocrypt
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package libmongocrypt
#

You are correct. Your Dockerfile must add MongoDB’s public key to its list of trusted sources. Here is a Java example by @wan:

The critical lines are:

RUN wget -qO - https://www.mongodb.org/static/pgp/server-6.0.asc | sudo apt-key add - 
RUN echo "deb [ arch=amd64,arm64 ] http://repo.mongodb.com/apt/ubuntu focal/mongodb-enterprise/6.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-enterprise.list
RUN apt-get update && apt-get install -y mongodb-enterprise mongodb-enterprise-cryptd

Hopefully this helps get you up and running.

Sincerely,
James
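
An added example, not part of the original thread or of MongoDB's documentation: the runtime stage of the question's Dockerfile, installing mongocryptd on the Debian bullseye base image with the key URL, repository line and package name that appear in the build log above, and with TLS verification left on (no `curl -k`). Assumptions: the "certificate issuer is unknown" error comes from a TLS-inspecting proxy whose root CA is available as a hypothetical `corp-root-ca.crt` in the build context, and `MONGODB_KEY_FPR` is a placeholder for the key fingerprint MongoDB publishes.

```dockerfile
# Added example (not from the thread). Only the runtime stage is shown;
# the build, publish and final stages stay as in the question.
FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base

# Placeholder: set to the fingerprint MongoDB publishes for the 6.0 server key.
# Left unset, the fingerprint check below fails and the build stops.
ARG MONGODB_KEY_FPR=REPLACE_WITH_PUBLISHED_FINGERPRINT

# Assumption: a TLS-inspecting proxy re-signs HTTPS traffic. Trust its root CA
# explicitly instead of disabling verification. corp-root-ca.crt is a
# hypothetical PEM file; remove this line if no such proxy is in the path.
COPY corp-root-ca.crt /usr/local/share/ca-certificates/corp-root-ca.crt

RUN set -eux; \
    apt-get update; \
    apt-get install -y --no-install-recommends \
        ca-certificates curl gnupg libc6-dev; \
    update-ca-certificates; \
    # Fetch the signing key over verified TLS (no -k).
    curl -fsSL https://pgp.mongodb.com/server-6.0.asc -o /tmp/server-6.0.asc; \
    # Refuse to continue unless the downloaded key has the expected fingerprint.
    gpg --show-keys --with-colons /tmp/server-6.0.asc \
        | awk -F: '$1 == "fpr" { print $10 }' \
        | grep -qx "$MONGODB_KEY_FPR"; \
    # Store the key in a dedicated keyring used only for this repository.
    gpg --dearmor -o /usr/share/keyrings/mongodb-server-6.0.gpg /tmp/server-6.0.asc; \
    echo "deb [ signed-by=/usr/share/keyrings/mongodb-server-6.0.gpg ] https://repo.mongodb.com/apt/debian bullseye/mongodb-enterprise/6.0 main" \
        > /etc/apt/sources.list.d/mongodb-enterprise.list; \
    # apt-get update only warned when the repository index could not be
    # fetched in the log above, so the install and the PATH check are what
    # actually fail the build if the repository is still unreachable.
    apt-get update; \
    apt-get install -y --no-install-recommends mongodb-enterprise-cryptd; \
    command -v mongocryptd; \
    rm -rf /var/lib/apt/lists/* /tmp/server-6.0.asc

WORKDIR /app
EXPOSE 80
EXPOSE 443
```

`sudo` is omitted because `RUN` steps in this image already execute as root.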