
I am trying to set up a Mongo connection in Node.js with the autoEncrypt option, and it of course tries to connect with the driver at port 27020. I don't have the libmongocrypt service running, so the connection generates the following error.

ECONNREFUSED 127.0.0.1:27020

I am trying to implement manual encryption with bypassAutoEncryption flag.

I am aware we have to use this library, but it appears to be a C library and I am still clueless how I can set up libmongocrypt on my local environment.

OS: Windows 10
MongoDB version: 5.0

Any help would be appreciated! Thank you

  • Some of those features are only available for enterprise mongodb and not the community version. – Margach Chris Nov 29 '21 at 19:11
  • Updated my question, sorry. I am trying to implement manual encryption, which should be available in non-enterprise servers as well. [Reference](https://docs.mongodb.com/manual/core/security-client-side-encryption/#supported-encryption-methods) – Danish Umair Dec 01 '21 at 17:27

2 Answers


I'm not familiar with Node itself, but these are common details about this workflow (writing it as an answer since it's quite big):

  1. libmongocrypt is a C library that is used by the driver; usually it's embedded in the driver (unless Node doesn't support it for some reason).
  2. ECONNREFUSED 127.0.0.1:27020: this error says that a process required for encryption, called mongocryptd, is not launched. It's not the same as the libmongocrypt library (they are completely different things). You can launch this process by:
    • Just launching it manually. The file is placed at SERVER_PATH\bin\mongocryptd.exe. Use this only as a quick check.
    • Filling autoEncryption.extraOptions.mongocryptdSpawnPath with the path to mongocryptd.exe; you can find some details here.

It's worth mentioning that auto encryption (along with mongocryptd) is available only in the enterprise server.

dododo
  • Thanks @dododo for the answer, I was totally deluded about `libmongocrypt`, but on a smaller note, Manual Encryption `Mongo` is available for non-enterprise servers (^4.2) as well. (Updated my question as well) [Reference](https://docs.mongodb.com/manual/core/security-client-side-encryption/#supported-encryption-methods) – Danish Umair Dec 01 '21 at 17:23
  • mongocryptd doesn't participate in explicit encryption (explicit means that you call methods like Encrypt/Decrypt), so port 27020 can just be a node of your replica set/sharded cluster that is unavailable for some reason – dododo Dec 01 '21 at 18:42
  • Setting `bypassAutoEncryption` means that you still try to configure auto encryption but skip the encryption part; you should show how you create the MongoClient – dododo Dec 01 '21 at 18:45
  • I apologize, as I was just trying to do that in the [node.js helper repo](https://github.com/mongodb-university/csfle-guides/tree/master/nodejs). I totally understand that the provided information is insufficient and have accepted your answer. Thank you so much. – Danish Umair Dec 01 '21 at 22:23
  • 1. `localhost:27020` is the URL for mongocryptd by default. If you don't want (for some reason) to change it, you should not configure anything anywhere. If you need to configure it, it should be set in extraOptions in the encryption settings. 2. If you're working with Atlas, you should not configure anything either. All this work will be done by Atlas itself behind the scenes. 3. Looking at the provided link, I don't see where `bypassAutoEncryption=true` is set there. – dododo Dec 01 '21 at 23:19
  • 4. Setting `bypassAutoEncryption=true` will mean that you can't do auto encryption, but if you already have encrypted data in the collection, you will be able to decrypt it automatically during reading (not sure that you will be able to query by encrypted data though) – dododo Dec 01 '21 at 23:19
  • Hmm, https://www.mongodb.com/community/forums/t/is-client-side-field-level-encryption-supported-with-atlas/5712 It looks like I was wrong in #2: Atlas doesn't manage mongocryptd itself, and if you need auto encryption you should run it on your machine (I provided 2 ways in the initial answer, but it's an enterprise feature, as was already mentioned) – dododo Dec 01 '21 at 23:36
  • Absolutely, so the bottom line is one needs a Mongo Enterprise server for the encryption to work (regardless of manual or automatic). In the docs it was confusing when they mentioned "You need Mongo Enterprise OR Atlas 4.2", implying these are two options. Thanks for the help! – Danish Umair Dec 02 '21 at 12:53
  • Explicit (manual) encryption (which provides the Encrypt/Decrypt/CreateDataKey methods) should not require an enterprise server (and the mongocryptd.exe process), nor the bypassAutoEncryption=true setting. As I pointed out above, the code provided in the `mongodb-university` link doesn't configure anything from the above. But if you modified it and it still requires mongocryptd on port 27020, then you might want to create a Jira ticket for the mongo node driver project, since it looks like a bug – dododo Dec 02 '21 at 15:07

I also had the same problem, but my app runs in a Cloud Function (like AWS Lambda) and installing something is not possible.

Although docs and forums said that Atlas supports auto encryption, I couldn't make this work. So I tried explicit encryption, which works fine.

So you just need to specify the bypassAutoEncryption attribute:

const { MongoClient } = require('mongodb');

// connectionString, keyVaultNamespace (a "db.collection" string) and kmsProviders
// are defined elsewhere in the application.
const secureClient = new MongoClient(connectionString, {
  useNewUrlParser: true,
  useUnifiedTopology: true,
  autoEncryption: {
    bypassAutoEncryption: true, // explicit encryption: the driver does not need mongocryptd
    keyVaultNamespace,
    kmsProviders,
    // schemaMap: userSchema,
    // extraOptions,
  },
});

And encrypt the data yourself (which I find better, since I have more control):

const { ClientEncryption } = require('mongodb-client-encryption');

// ClientEncryption performs the explicit encrypt/decrypt calls. It needs a client
// that can reach the key vault plus the same keyVaultNamespace and kmsProviders
// that were passed to secureClient above.
const encryption = new ClientEncryption(secureClient, { keyVaultNamespace, kmsProviders });

const randomEnc = {
  algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Random',
  // keyId: [new Binary(Buffer.from(dataKey, 'base64'), 4)], // I also couldn't make this work
  // (explicit encrypt() expects keyId as a single Binary of subtype 4, not an array)
  keyAltName: 'demo-data-key', // data key looked up by its alternate name instead
};

const writeResult = await secureClient
  .db(db)
  .collection(coll)
  .insertOne({
    name: 'Jon Doe',
    ssn: await encryption.encrypt(241014209, randomEnc),
    bloodType: await encryption.encrypt('AB+', randomEnc),
    'key-id': 'demo-data-key',
    medicalRecords: await encryption.encrypt([{ weight: 180, bloodPressure: '120/80' }], randomEnc),
    insurance: {
      policyNumber: await encryption.encrypt(123142, randomEnc),
      provider: 'MaestCare',
    },
  });

Decryption will be automatic; you don't need to do anything.

Gabriel Anderson
  • `Despite docs and forums said that Atlas support Auto Encrypt` - it does support it, but you should launch the mongocryptd local daemon or use `sharedLibrary` (the preferable and easier way), which can be configured via `cryptSharedLibPath` – dododo Jul 20 '23 at 07:58
  • Yes, but in some environments you can't do this. Like I said, my code is deployed to a function. At work, we also need this in Docker, and it was tough to make that work too. – Gabriel Anderson Jul 25 '23 at 13:32
  • I'm not too familiar with functions in this context, but at the very least the `sharedLibrary` approach should work, since it doesn't require spawning anything – dododo Jul 25 '23 at 13:34