Shard key and CSFLE (encryption)

Hi
The documentation mentions the following on creating a shard key on encrypted fields:
“Specifying a shard key on encrypted fields or encrypting fields of an existing shard key may result in unexpected or incorrect sharding behavior.”

What is the unexpected or incorrect behaviour? Is it documented anywhere? Is it referring to uneven distribution or the queries going to the wrong shard? Does it apply to both random and deterministic algorithms?

Thank you

Hi @Sason_Braha1 ,

Since encryption messes with the values that are stored on the database side, without the ability of the server to decrypt them, we cannot say how sharding would behave, as sharding strategies depend on values.

Therefore, it is technically possible to do but unadvisable, so consider doing so at your own risk.

Thanks,
Pavel

1 Like

Thank you @Pavel_Duchovny

Hi @Pavel_Duchovny , can you give an example of a scenario where because of encryption we can’t say how sharding would behave in client side field level encryption?

As we are discussing CSFLE, if both encryption and decryption happen on the client side, why does it change mongo behavior in regards to sharding? Aren’t encrypted and unencrypted values, for mongos, in both cases just values? Why does the database side need to decrypt them? It’s done on the client side.

Instead of inserting value x and querying by value x, we insert value f(x, key) (deterministic algorithm) and query by value f(x, key).

x might just be a string, and f(x, key) is binData, is that the difference maker?

Hi @tamir_guez2 ,

I don’t have a good answer for that simply because I don’t know all the internal processes that might be impacted.

But from my familiarity with MongoDB documentation, we usually write those disclaimers simply because we don’t test those scenarios. An untested scenario means it could yield all kinds of unexpected behavior or bugs. The last thing you want with sharding is unexpected behavior.

Therefore I would not go this route (personal opinion).

2 Likes

I see, fair enough, thank you.
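
Added illustration (not from any poster in this thread and not MongoDB code) of the f(x, key) question raised above: what a ranged shard key can and cannot rely on once it only sees ciphertext. The HMAC-based functions are stand-ins for the deterministic and random algorithms, and the key, chunk boundaries and byte-wise comparison are constructed assumptions, not how mongos is implemented.

```python
import hashlib
import hmac
import os
from bisect import bisect_right

KEY = b"constructed-demo-key"  # constructed; stands in for a CSFLE data key

def det(x: int) -> bytes:
    """Stand-in for deterministic encryption: same input, same bytes."""
    return hmac.new(KEY, str(x).encode(), hashlib.sha256).digest()

def rnd(x: int) -> bytes:
    """Stand-in for random encryption: a fresh IV changes the output each call."""
    iv = os.urandom(16)
    return iv + hmac.new(KEY, iv + str(x).encode(), hashlib.sha256).digest()

def shard_for(value, boundaries):
    """Ranged sharding model: chunk i owns [boundaries[i-1], boundaries[i])."""
    return bisect_right(boundaries, value)

PLAIN_BOUNDS = [250, 500, 750]                        # 4 chunks over plaintext 0..999
CIPHER_BOUNDS = [bytes([b]) for b in (64, 128, 192)]  # 4 chunks over ciphertext bytes

def shards_hit(values, transform, bounds):
    """Set of shards that hold at least one of the given plaintext values."""
    return {shard_for(transform(v), bounds) for v in values}

def demo():
    plaintext_range = range(100, 200)  # e.g. a query for 100 <= x < 200
    return {
        # Plaintext key: the whole range lives in one chunk.
        "plain_range": shards_hit(plaintext_range, lambda v: v, PLAIN_BOUNDS),
        # Deterministic ciphertext key: order is gone, the range is scattered.
        "det_range": shards_hit(plaintext_range, det, CIPHER_BOUNDS),
        # Equality survives deterministic encryption, so f(x, key) still matches.
        "det_equal": det(42) == det(42),
        # Random encryption breaks even equality: no value to route on.
        "rnd_equal": rnd(42) == rnd(42),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In this model, equality lookups on a deterministically encrypted key still land on one shard, while plaintext range locality is lost and a randomly encrypted key gives the router nothing stable to match.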
