Mongo CSFLE Data encryption keys fetched once or in batches

Question

In MongoDB client side fields level encryption, When we encrypt records and have multiple data encryption keys(please don't confuse this with master key) in key vault, if we fetch multiple records in a single query, say X records which have 1 field encrypted using Y distinct data encryption keys, I would like to understand how the driver handles fetching of these data encryption keys. I could think of few ways listed below on how it could have been handled, but want to understand exact behaviour to finalise our approach.

It fetches X records and while decrypting each record, it makes a call to fetch the data encryption key used to encrypt that particular record. So, together, make X db calls to fetch keys.
Same as above but when it fetches a data encryption key, it stores it in memory to reuse if any other undrecrypted record used the same data encryption key. In this approach, it makes Y db calls to fetch keys.
It fetches X records and lists down all distinct key identifiers used. Makes a single DB call to fetch all these distinct data encryption keys. In this approach, it makes a single db call to fetch all keys.
Some other way.

If anyone has idea on how its implemented, please share.

TIA

Is this for automatic encryption? – D. SM May 07 '21 at 18:08 — D. SM, May 07 '21 at 18:08
Yes, in enterprise edition. – rand_guy May 08 '21 at 17:47 — rand_guy, May 08 '21 at 17:47

score 0 · Answer 1 · answered May 07 '21 at 19:07

0

The key management happens in the libmongocrypt library.

It appears to request each key individually, as it is needed, and cache it locally for later use.

This seems to align with you #2 scenario.

answered May 07 '21 at 19:07

Joe

25,000
3
22
44

Were you able to find some code where I can find this behaviour where its requesting each key individually? If so, can you please point to it? – rand_guy May 08 '21 at 17:56

score 0 · Accepted Answer · answered May 10 '21 at 14:39

I have tried it out myself by generating 3 data encryption keys(DEKs) and multiple records(R) encrypted using these and stored in DB. When I fetched all the records, it made a query to fetch all 3 DEKs using an $in query on the 3 DEK IDs. So, looks like its following scenario 3. This observation is for small set of data. May be if there are too many DEKs, it might try to make different batch calls for DEKs, not sure. But at least I was able to confirm that it will fetch DEKs in batches which helps in better performance.

Hope this information helps others.

Mongo CSFLE Data encryption keys fetched once or in batches

2 Answers2