Restoration for encrypted data is not happening

Hi Team,

I am encountering errors while trying to restore encrypted data. Is there a specific reason for this issue, and could you provide guidance on how to successfully restore it? Please help.

2023-08-29T22:38:40.805+0530 Failed: medicalRecord.patients: error restoring from dump/medicalRecord/patients.bson.gz: bulk write exception: write errors: [Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot 
insert a document with field name safeContent, +965 more errors…]

Mongo version: 7.0

We got this while testing Queryable Encryption.

Hello Ram, Can you give me more detail on what you are trying to do? For example, it looks like you had a collection with encrypted fields but then somehow lost the collection and now you are trying to rebuild that collection from a copy that you have stored somewhere. What method are you using? That error you are seeing is a server-side error that is preventing encrypted data from being written via a method that is not Queryable Encryption compatible. The list of Queryable Encryption compatible drivers is here.

Cynthia

Hi Cynthia_Braund,

I have enabled Queryable Encryption on the cluster following the doc https://www.mongodb.com/docs/manual/core/queryable-encryption/reference/shared-library/#std-label-qe-reference-shared-library. I have created Queryable Encryption for the medicalRecord.patients collection for two fields. I took a full dump and tried to restore it in another cluster; while doing the restore I am getting this error.

Sample doc:

Enterprise red [direct: secondary] medicalRecord> db.patients.findOne()
{
  _id: ObjectId("64ecb389756b6a79f89983c1"),
  patientName: Binary(Buffer.from("10bcd609889f8845e686820b9013d7962f021c64a50635131f55fc7f49d7de11a05fd0fb3743150dd8c7552c98832fd5c7c4320b4f22b70024f4fe10616f782c00d7a22d08812698551954bd9c71ebe5125f", "hex"), 6),
  patientId: Binary(Buffer.from("0e534ec25ecd744507aa0e9e7e204c5f1002a1cd16ef5f8b873caa2ab4acc7e67077442bb2a5b171c5d71790793350a71f3a8ff5dbc48538d18785465798e2340baa1e3c5c479a319835f101a97a1137e599c8d0b712f61c2f07a522d1a9755a632d76a7961dfe0d60681bf579f66fa0ccc46373bfbafb8a776c3da207af6119af2268a1ba43e01fa30bd49e544ce42e4bc5d0327f7383afb3d00c55e98dcb36a50e71a951f16e2f2b11df06d1ec788fbc38d8470b63f2d46615f82e777b51459b068232abe3dff51ad4248684765a1bb08a", "hex"), 6),
  patientRecord: 'yes',
  safeContent: [
    Binary(Buffer.from("d0327f7383afb3d00c55e98dcb36a50e71a951f16e2f2b11df06d1ec788fbc38", "hex"), 0)
  ]
}

Mongo dump command:
mongodump --host 127.0.0.1 --port 27040 --gzip --out ./dump

Restore command:
mongorestore --port 27043 --gzip --dir=dump --gzip

Restoration error:

2023-08-30T04:38:07.591+0530 using --dir flag instead of arguments

2023-08-30T04:38:07.591+0530 using write concern: &{majority false 0}

2023-08-30T04:38:07.607+0530 checking options

2023-08-30T04:38:07.607+0530 dumping with object check disabled

2023-08-30T04:38:07.607+0530 will listen for SIGTERM, SIGINT, and SIGKILL

2023-08-30T04:38:07.608+0530 connected to node type: replset

2023-08-30T04:38:07.608+0530 mongorestore target is a directory, not a file

2023-08-30T04:38:07.608+0530 preparing collections to restore from

2023-08-30T04:38:07.608+0530 using dump as dump root directory

2023-08-30T04:38:07.608+0530 reading collections for database admin in admin

2023-08-30T04:38:07.608+0530 found collection admin.system.version bson to restore to admin.system.version

2023-08-30T04:38:07.608+0530 found collection metadata from admin.system.version to restore to admin.system.version

2023-08-30T04:38:07.608+0530 adding intent for admin.system.version

2023-08-30T04:38:07.608+0530 reading collections for database encryption in encryption

2023-08-30T04:38:07.608+0530 found collection encryption.__keyVault bson to restore to encryption.__keyVault

2023-08-30T04:38:07.608+0530 found collection metadata from encryption.__keyVault to restore to encryption.__keyVault

2023-08-30T04:38:07.608+0530 adding intent for encryption.__keyVault

2023-08-30T04:38:07.608+0530 reading collections for database medicalRecord in medicalRecord

2023-08-30T04:38:07.608+0530 found collection medicalRecord.enxcol_.patients.ecoc bson to restore to medicalRecord.enxcol_.patients.ecoc

2023-08-30T04:38:07.608+0530 found collection metadata from medicalRecord.enxcol_.patients.ecoc to restore to medicalRecord.enxcol_.patients.ecoc

2023-08-30T04:38:07.608+0530 adding intent for medicalRecord.enxcol_.patients.ecoc

2023-08-30T04:38:07.608+0530 found collection medicalRecord.enxcol_.patients.esc bson to restore to medicalRecord.enxcol_.patients.esc

2023-08-30T04:38:07.608+0530 found collection metadata from medicalRecord.enxcol_.patients.esc to restore to medicalRecord.enxcol_.patients.esc

2023-08-30T04:38:07.608+0530 adding intent for medicalRecord.enxcol_.patients.esc

2023-08-30T04:38:07.608+0530 found collection medicalRecord.patients bson to restore to medicalRecord.patients

2023-08-30T04:38:07.608+0530 found collection metadata from medicalRecord.patients to restore to medicalRecord.patients

2023-08-30T04:38:07.608+0530 adding intent for medicalRecord.patients

2023-08-30T04:38:07.608+0530 reading collections for database test in test

2023-08-30T04:38:07.609+0530 found collection test.sample bson to restore to test.sample

2023-08-30T04:38:07.609+0530 found collection metadata from test.sample to restore to test.sample

2023-08-30T04:38:07.609+0530 adding intent for test.sample

2023-08-30T04:38:07.609+0530 reading metadata for encryption.__keyVault from dump/encryption/__keyVault.metadata.json.gz

2023-08-30T04:38:07.610+0530 reading metadata for medicalRecord.enxcol_.patients.ecoc from dump/medicalRecord/enxcol_.patients.ecoc.metadata.json.gz

2023-08-30T04:38:07.610+0530 reading metadata for medicalRecord.enxcol_.patients.esc from dump/medicalRecord/enxcol_.patients.esc.metadata.json.gz

2023-08-30T04:38:07.610+0530 reading metadata for medicalRecord.patients from dump/medicalRecord/patients.metadata.json.gz

2023-08-30T04:38:07.610+0530 reading metadata for test.sample from dump/test/sample.metadata.json.gz

2023-08-30T04:38:07.610+0530 finalizing intent manager with longest task first prioritizer

2023-08-30T04:38:07.610+0530 restoring up to 4 collections in parallel

2023-08-30T04:38:07.611+0530 starting restore routine with id=3

2023-08-30T04:38:07.611+0530 starting restore routine with id=1

2023-08-30T04:38:07.611+0530 starting restore routine with id=0

2023-08-30T04:38:07.611+0530 starting restore routine with id=2

2023-08-30T04:38:07.616+0530 restoring to existing collection medicalRecord.patients without dropping

2023-08-30T04:38:07.616+0530 collection medicalRecord.patients already exists - skipping collection create

2023-08-30T04:38:07.616+0530 restoring to existing collection medicalRecord.enxcol_.patients.ecoc without dropping

2023-08-30T04:38:07.616+0530 collection medicalRecord.enxcol_.patients.ecoc already exists - skipping collection create

2023-08-30T04:38:07.616+0530 restoring to existing collection medicalRecord.enxcol_.patients.esc without dropping

2023-08-30T04:38:07.616+0530 collection medicalRecord.enxcol_.patients.esc already exists - skipping collection create

2023-08-30T04:38:07.616+0530 restoring medicalRecord.patients from dump/medicalRecord/patients.bson.gz

2023-08-30T04:38:07.617+0530 restoring to existing collection test.sample without dropping

2023-08-30T04:38:07.617+0530 collection test.sample already exists - skipping collection create

2023-08-30T04:38:07.617+0530 restoring medicalRecord.enxcol_.patients.esc from dump/medicalRecord/enxcol_.patients.esc.bson.gz

2023-08-30T04:38:07.617+0530 restoring medicalRecord.enxcol_.patients.ecoc from dump/medicalRecord/enxcol_.patients.ecoc.bson.gz

2023-08-30T04:38:07.617+0530 using 1 insertion workers

2023-08-30T04:38:07.617+0530 restoring test.sample from dump/test/sample.bson.gz

2023-08-30T04:38:07.617+0530 using 1 insertion workers

2023-08-30T04:38:07.618+0530 using 1 insertion workers

2023-08-30T04:38:07.618+0530 using 1 insertion workers

2023-08-30T04:38:07.682+0530 finished restoring medicalRecord.patients (0 documents, 1000 failures)

2023-08-30T04:38:07.682+0530 Failed: medicalRecord.patients: error restoring from dump/medicalRecord/patients.bson.gz: bulk write exception: write errors: [Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot insert a document with field name safeContent, Cannot 
insert a document with field name safeContent, +965 more errors…]

2023-08-30T04:38:07.682+0530 0 document(s) restored successfully. 1000 document(s) failed to restore.

Hi Cynthia_Braund,

Please help.

Hi Ram,

mongoDump/Restore and mongoImport/Export are not currently Queryable Encryption compatible. If you need to move data from one cluster to another you can use Compass or mongosh (shell) in encrypting mode to export and then import the data. We are investigating Queryable Encryption support for mongoDump/Restore and mongoImport/Export.

Thanks,

Cynthia

Here are instructions on setting up Compass so that it is in encrypting mode - https://www.mongodb.com/docs/compass/current/connect/advanced-connection-options/in-use-encryption/
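A pre-flight check for the situation in this thread, added here as an example and not part of the original posts or of MongoDB's tooling: it scans a mongodump directory for the `enxcol_.<collection>.esc` / `.ecoc` files seen in the restore log and builds `--nsExclude` arguments so that mongorestore skips those collections, which then have to be moved with a client in encrypting mode. The function names and the empty sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Companion (state) collections that Queryable Encryption creates beside an
# encrypted collection; these names appear in the restore log in this thread.
QE_STATE = re.compile(r"^enxcol_\.(?P<coll>.+)\.(?P<kind>esc|ecoc)\.bson(\.gz)?$")
DATA = re.compile(r"^(?P<coll>.+)\.bson(\.gz)?$")


def find_qe_collections(dump_root):
    """Map 'db.coll' -> sorted state-collection kinds found for it in a mongodump tree."""
    found = {}
    for db_dir in sorted(p for p in Path(dump_root).iterdir() if p.is_dir()):
        names = [f.name for f in db_dir.iterdir() if f.is_file()]
        data = {m["coll"] for n in names if (m := DATA.match(n))}
        for n in names:
            m = QE_STATE.match(n)
            # Only report a collection whose own data file is also in the dump.
            if m and m["coll"] in data:
                found.setdefault(f"{db_dir.name}.{m['coll']}", set()).add(m["kind"])
    return {ns: sorted(kinds) for ns, kinds in sorted(found.items())}


def ns_exclude_args(dump_root):
    """mongorestore --nsExclude arguments skipping each QE collection and its state collections."""
    args = []
    for ns in find_qe_collections(dump_root):
        db, coll = ns.split(".", 1)
        args += [f"--nsExclude={ns}", f"--nsExclude={db}.enxcol_.{coll}.*"]
    return args


def build_sample_dump(root):
    """Constructed sample: empty files named like the ones in the thread's restore log."""
    files = {
        "encryption": ["__keyVault.bson.gz", "__keyVault.metadata.json.gz"],
        "medicalRecord": ["patients.bson.gz", "patients.metadata.json.gz",
                          "enxcol_.patients.esc.bson.gz", "enxcol_.patients.ecoc.bson.gz"],
        "test": ["sample.bson.gz", "sample.metadata.json.gz"],
    }
    for db, names in files.items():
        (Path(root) / db).mkdir(parents=True)
        for name in names:
            (Path(root) / db / name).touch()
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        dump = build_sample_dump(Path(tmp) / "dump")
        print(find_qe_collections(dump))
        print(" ".join(ns_exclude_args(dump)))
```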

Hi Cynthia_Braund,

Thanks for the info.