Reading data encrypted with old Data Encryption Key

Hi,
I’m currently implementing CSFLE in C# using the MongoDB driver.
We want to rotate our keys and invalidate all documents that don’t pass a specific internal policy (older than X years for example).
We still want the old document to be in the collection however.
In the documentation it states that if it fails to read the data using the provided Data Encryption key, the binary value for the field will be returned.
This is not what happens though - we get an error “Encryption related exception: not all keys requested were satisfied”.

We are generating our JSON schema for the encrypted fields during runtime using the currently active DEK for the specified collection. If a document has “expired” in our terms (has not been re-encrypted with the new DEK), we still want it to be persisted in the database, just dead and returning the binary data instead of the decrypted values.

Is this possible and is the documentation wrong, or am I misinterpreting something?
Our dream would be this:
Try to decrypt the data in the specified fields from the JSON schema with the provided Data Encryption Key - if it fails, set a default value like an empty string, 0, false etc. for those values (or even better, a default value for each field or field type that we can set ourselves).
This should be a switch of course, to allow users to use it as it is today where it just throws an exception as soon as one field in the entire data set is encrypted with an old key.

Hello Emil and welcome!

The error that you are seeing is correct given your explanation. There are two different use cases for not being able to decrypt and they each return something different. If your application has access to the keys but the key is not present (i.e. it has been deleted) then the error you noted in your question is expected. If your application does not have access to the key then you would get the binary data back as the system would not even check to see if the key is present.

If you could point me to where in the docs it says that the encrypted value would be displayed that would be helpful so that I can look at it. It sounds like we may need to add some more details in the docs about the expected behavior in these 2 different cases.

I hope that helps,

Cynthia

Hello and thank you, and thank you for your response.
Okay, this is the documentation I read: https://www.mongodb.com/docs/manual/core/csfle/reference/decryption/#automatic-decryption-process
Maybe I misunderstood it but my interpretation of step #2 - “if the Key Vault collection does not contain the specified key, automatic decryption fails and the driver returns the encrypted BinData blob” - is that it tries to fetch the DEK and if it fails it falls back to just returning the encrypted data.

We just need to know what is supposed to happen so we can plan and implement it accordingly!
Also - should we be fine just rotating our Certificate for our CMK, or should we roll the CMK or DEKs at some interval as well? I had trouble finding any “best practice” information, a lot of it is up to interpretation and I am having a hard time deciding for myself if we should rotate our certificate or all of our DEKs as well.

Many thanks!
Emil

Hello Emil,

Thank you for pointing out that section, it is incorrect and I’ll get it fixed. In the case you describe, where a key has been deleted, the driver will return an error and not the encrypted blob.

As a best practice, when using envelope encryption, you should rotate the CMK. Once you have rotated the CMK you can use the rotate API (also referred to as rewrap) to apply the new CMK to your keyVault. This section in the docs gives an example of how to rotate to a new CMK (after you have created the new CMK in your KMS).

Sincerely,

Cynthia

Okay! Would it be possible to have a switch when setting up the MongoClient that would return the encrypted blob instead of throwing an error, or a default value like “Redacted” for strings, “0” for integers or something that we can set, or is this a deeper issue?

Great, thank you for your help!
Emil

Hi Emil,

That would be an enhancement request, which you can make on the FLE feedback site.

Thanks,

Cynthia
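Until such a switch exists in the driver, an application can approximate the "default value instead of an error" behaviour Emil asks for by reading the collection with a plain MongoClient (no auto-encryption options, so the encrypted fields come back as raw BinData subtype 6) and checking which DEK each blob was encrypted with before handing anything to explicit decryption. The example below is added here and is not the driver's or MongoDB's own code; it is in Python with only the standard library, assumes the FLE1 ciphertext layout from the client-side encryption specification (subtype byte, 16-byte key UUID, original BSON type byte, ciphertext), and uses constructed UUIDs and blobs rather than real keys.

```python
import uuid

# Layout of a CSFLE (FLE1) ciphertext blob stored as BSON BinData subtype 6,
# per the client-side encryption specification (assumption: FLE1 only, not
# the Queryable Encryption formats):
#   byte 0      fle_blob_subtype: 1 = deterministic, 2 = random
#   bytes 1-16  key_uuid of the Data Encryption Key that encrypted the field
#   byte 17     original BSON type of the plaintext
#   bytes 18..  ciphertext
FLE_HEADER_LEN = 18

def dek_id_of(blob: bytes) -> uuid.UUID:
    """Return the DEK UUID embedded in an FLE1 blob without decrypting it."""
    if len(blob) <= FLE_HEADER_LEN or blob[0] not in (1, 2):
        raise ValueError("not an FLE1 ciphertext blob")
    return uuid.UUID(bytes=blob[1:17])

def triage_document(doc, active_dek_ids, defaults):
    """Split a document read without auto-decryption into fields whose DEK is
    still active (safe to pass to explicit decryption) and stale fields that
    are replaced by the caller-supplied default. Other fields pass through."""
    decryptable, stale = {}, {}
    for field, value in doc.items():
        if isinstance(value, bytes) and field in defaults:
            if dek_id_of(value) in active_dek_ids:
                decryptable[field] = value
            else:
                stale[field] = defaults[field]
        else:
            decryptable[field] = value
    return decryptable, stale

def make_blob(dek_id, bson_type=0x02, ciphertext=b"\x00" * 32):
    """Constructed sample: a fake FLE1 blob carrying the given DEK id."""
    return bytes([2]) + dek_id.bytes + bytes([bson_type]) + ciphertext

# Constructed key ids and document, not real DEKs.
ACTIVE_DEK = uuid.UUID("11111111-1111-1111-1111-111111111111")
RETIRED_DEK = uuid.UUID("22222222-2222-2222-2222-222222222222")
SAMPLE_DOC = {
    "_id": 1,
    "ssn": make_blob(RETIRED_DEK),    # encrypted with a DEK rotated out
    "email": make_blob(ACTIVE_DEK),   # encrypted with the current DEK
}
DEFAULTS = {"ssn": "Redacted", "email": "Redacted"}

if __name__ == "__main__":
    ok, dead = triage_document(SAMPLE_DOC, {ACTIVE_DEK}, DEFAULTS)
    print(sorted(ok), dead)  # ['_id', 'email'] {'ssn': 'Redacted'}
```

The fields in the first result can then be decrypted explicitly with ClientEncryption, while the second result carries the placeholder values for documents that were never re-encrypted with the new DEK.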
