Automatic csfle using shared crypt not working

Hi,

so I was able to write encrypted fields with gcp kms to my serverless instance. I did this without shared lib on macos (m1) but with starting mongocryptd from enterprise bins.

So now from what I’ve read, the same thing should be possible without mongocryptd using the shared lib? So in extraOptions.cryptSharedLibPath I’ve passed the downloaded mac shared lib (https://www.mongodb.com/docs/manual/core/queryable-encryption/reference/shared-library/#download-the-automatic-encryption-shared-library), I’ve also tried libmongocrypt (GitHub - mongodb/libmongocrypt: Required C library for Client Side and Queryable Encryption in MongoDB) using homebrew but I always get the error that the connection is refused on port 27020.
I’m using nodejs 16 with mongodb 4.9.0 client.

Thanks
Tom

Update: Updated client config, now shared library cannot be loaded.

So I had a wrong setting within extraOptions. Here is my current config:

const extraOptions = {
  mongocryptdBypassSpawn: true,
  cryptSharedLibPath: "full path to mongo_crypt_v1.dylib",
  cryptSharedLibRequired: true,
};

const secureClient = new MongoClient(connectionString, {
  useNewUrlParser: true,
  useUnifiedTopology: true,
  monitorCommands: true,
  autoEncryption: {
    keyVaultNamespace,
    kmsProviders,
    encryptedFieldsMap: patientSchema,
    extraOptions: extraOptions,
  },
});

Now I always get the following error:

MongoError: `cryptSharedLibRequired` set but no crypt_shared library loaded

Hello Tom and welcome,

You are correct that the Shared Library can be used in place of mongocryptd. Libmongocrypt is a driver component that does the cryptographic operations and isn’t related to mongocryptd or the Shared Library. There are language-specific examples here of how to specify the location of the shared library - https://www.mongodb.com/docs/manual/core/queryable-encryption/quick-start/#specify-the-location-of-the-automatic-encryption-shared-library. Please note that this documentation is for Queryable Encryption but the code snippet there should apply to CSFLE as well. Since you aren’t using mongocryptd you shouldn’t need the mongocryptdBypassSpawn.

Cynthia

Thanks for the reply. I removed mongocryptdBypassSpawn.

I followed that guide but on macos m1 with nodejs 16, I don’t get it to work. Could it be macos security not allowing to load the dylib? I had a similar issue with mongocryptd when I launched manually for the first time.

One error I found in the docs here https://www.mongodb.com/docs/manual/core/queryable-encryption/reference/shared-library/#std-label-qe-reference-shared-library is that cryptSharedRequired should be cryptSharedLibRequired as described in the specs: https://github.com/mongodb/specifications/blob/master/source/client-side-encryption/client-side-encryption.rst#extraoptions-cryptsharedlibrequired

Thank you for finding that error. I will get it fixed! Were you able to get it working?

Hi,

yes I got it fixed. I had my path variable name incorrect :melting_face:
Then I got it to work but since I need this within a nodejs debian 10 docker, I moved away from automatic to explicit encryption since the shared lib is not available there (yet?).

Best,
Tom
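
Added example (not from any post in this thread, and not MongoDB driver code): the error `cryptSharedLibRequired` set but no crypt_shared library loaded does not say why loading failed, so this preflight check inspects extraOptions before the client is built and reports the causes that came up above, such as an unset path variable or the misspelled cryptSharedRequired key. The function name, the CRYPT_SHARED_PATH_TYPO variable and the .so/.dll extensions are assumptions made for the example.

```javascript
// Added example: preflight check for autoEncryption.extraOptions. Not driver code.
const fs = require("node:fs");
const path = require("node:path");

// extraOptions keys accepted by the Node.js driver's autoEncryption settings.
const KNOWN_KEYS = new Set([
  "mongocryptdURI", "mongocryptdBypassSpawn", "mongocryptdSpawnPath",
  "mongocryptdSpawnArgs", "cryptSharedLibPath", "cryptSharedLibRequired",
]);
// Assumption: the library keeps the platform's usual shared-library extension,
// as in the mongo_crypt_v1.dylib name used in the thread.
const EXT_BY_PLATFORM = { darwin: ".dylib", linux: ".so", win32: ".dll" };

// Returns a list of human-readable findings; an empty list means no problem found.
function checkCryptSharedOptions(extraOptions, platform = process.platform) {
  const findings = [];
  for (const key of Object.keys(extraOptions)) {
    if (!KNOWN_KEYS.has(key)) findings.push(`unknown extraOptions key: ${key}`);
  }
  const libPath = extraOptions.cryptSharedLibPath;
  if (typeof libPath !== "string" || libPath === "") {
    // Typical cause: a misspelled variable or an unset environment variable.
    findings.push("cryptSharedLibPath is not a non-empty string");
    return findings;
  }
  if (!path.isAbsolute(libPath)) {
    findings.push("cryptSharedLibPath is relative; use the full path");
  }
  const wantExt = EXT_BY_PLATFORM[platform];
  if (wantExt && path.extname(libPath) !== wantExt) {
    findings.push(`expected a ${wantExt} file on ${platform}`);
  }
  try {
    if (!fs.statSync(libPath).isFile()) findings.push("path is not a regular file");
    else fs.accessSync(libPath, fs.constants.R_OK);
  } catch (err) {
    findings.push(`cannot read library: ${err.code}`);
  }
  return findings;
}

// Constructed input: the documentation typo from the thread plus an unset
// (hypothetical) environment variable standing in for a wrong variable name.
const sample = {
  cryptSharedRequired: true,
  cryptSharedLibPath: process.env.CRYPT_SHARED_PATH_TYPO,
};
console.log(checkCryptSharedOptions(sample, "darwin"));
```

An empty result only means the file is present and readable; it does not prove the operating system will allow the library to be loaded.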