Hi,

I have been trying to implement CSFLE for our application and have been getting various issues during the implementation. Most of the issues are solved, thanks to this community forum and other knowledge articles on Stack Overflow; however, I got stuck on this issue without any luck from any existing articles.

At first, I tried with a POC project, which uses the deb bullseye-slim distribution. There, the following code works fine to download and install the mongodb-enterprise-cryptd package, which works for both explicit encryption and automatic encryption:

```dockerfile
RUN apt-get update && apt-get install -y sudo \
    nano \
    gnupg \
    wget \
    libc6-dev \
    curl
RUN curl -fsSL https://pgp.mongodb.com/server-6.0.asc | \
    sudo gpg -o /usr/share/keyrings/mongodb-server-6.0.gpg \
    --dearmor
RUN echo "deb [ signed-by=/usr/share/keyrings/mongodb-server-6.0.gpg ] https://repo.mongodb.com/apt/debian bullseye/mongodb-enterprise/6.0 main" | sudo tee /etc/apt/sources.list.d/mongodb-enterprise.list
RUN sudo apt-get update
RUN sudo apt-get install -y mongodb-enterprise-cryptd
```

However, my organization uses the Alpine distribution, hence the above process didn’t work in Alpine. (Question: is it possible to use a similar process in Alpine now?)

Thus, I used libmongocrypt library by building it from source, as mentioned here: GitHub - mongodb/libmongocrypt: Required C library for Client Side and Queryable Encryption in MongoDB

This has worked fine for explicit encryption; however, as soon as I started using automatic encryption with an encryption schema, I started seeing the following exception:

MongoDB.Driver.MongoClientException: Exception starting mongocryptd process. Is mongocryptd on the system path?

I understand that the way forward is to use mongocryptd or as per latest recommendation, the crypt_shared library for automatic encryption.

I couldn’t download and install either in my Alpine docker image.

I came across this feature request, to add mongocryptd for Alpine: https://jira.mongodb.org/browse/SERVER-49140, where the resolution indicates Won't Fix, so I am not sure if there is an alternate way to install that in Alpine, if yes, please point me toward that documentation.

Next, I tried downloading the crypt_shared library and adding it to my Docker image, and used the extraOptions param to pass the path of the library, but I am still getting the same error:

MongoDB.Driver.MongoClientException: Exception starting mongocryptd process. Is mongocryptd on the system path?

I am adding the shared lib in my docker like this:

```dockerfile
# Create folder for MongoShared Library
RUN mkdir -p /MyAppName/MongoShared
# Copy files
# Here the /src/resources folder contains the mongo_crypt_v1.so file
ADD /src/resources ./MyAppName/MongoShared
```

Then used the extraOptions like below:

```csharp
Dictionary<string, object> extraOptions = new Dictionary<string, object>
{
    { "cryptSharedLibPath", "/MyAppName/MongoShared" }
};

autoEncryptionOptions = new AutoEncryptionOptions(
    keyVaultNamespace: mongoDbEncryptionOptions.KeyVaultNamespace,
    kmsProviders: mongoDbEncryptionOptions.KmsProviders(provider),
    schemaMap: schemaMap,
    extraOptions: extraOptions
);
```

Any help in this matter would be greatly appreciated.

Thanks in advance!

Regards,

UB

11 days later

Seems like a lot of us are struggling with this, been following the JIRA for a few weeks but it looks grim.
Also, check the warning section here which prompts us not to build libmongocrypt from source, making it even more of a hassle - https://www.mongodb.com/docs/manual/core/queryable-encryption/reference/libmongocrypt/.

@Mongo, are there any plans of making encryption possible on .NET Alpine?
Or an Alpine compatible libmongocrypt for us to use, as we’re not supposed to build from source?

Can you try specifying the full path and library filename for crypt_shared in cryptSharedLibPath and let me know if that loads it? In other words, include mongo_crypt_v1.so in that string instead of just the folder where it lives.
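The suggestion above, written out as an added example (not code from the thread or from the MongoDB driver project): the helper rejects a directory, passes the full file path, and sets the driver's `cryptSharedLibRequired` extra option so a library that cannot be loaded fails client construction instead of falling back to spawning mongocryptd. `CryptSharedOptions` and `Build` are hypothetical names; the path is the one from the original post.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

public static class CryptSharedOptions
{
    // Hypothetical helper: builds the extraOptions dictionary for AutoEncryptionOptions.
    public static Dictionary<string, object> Build(string libPath)
    {
        // The setting in the original post named the folder, not the .so file.
        if (Directory.Exists(libPath))
        {
            throw new ArgumentException(
                $"cryptSharedLibPath must name the library file, not a directory: {libPath}");
        }

        if (!File.Exists(libPath))
        {
            throw new FileNotFoundException("crypt_shared library not found", libPath);
        }

        return new Dictionary<string, object>
        {
            { "cryptSharedLibPath", Path.GetFullPath(libPath) },
            // Surface a load failure directly rather than the mongocryptd spawn error.
            { "cryptSharedLibRequired", true }
        };
    }
}

// Usage:
// var extraOptions = CryptSharedOptions.Build("/MyAppName/MongoShared/mongo_crypt_v1.so");
```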

10 days later

> Thus, I used libmongocrypt library by building it from source

I expect libmongocrypt is bundled in the C# driver (NuGet Gallery | MongoDB.Driver.Encryption 3.0.0). I do not expect you need to download it separately.

> I understand that the way forward is to use mongocryptd or as per latest recommendation, the crypt_shared library for automatic encryption.
> I couldn’t download and install either in my Alpine docker image.

Unfortunately, crypt_shared/mongocryptd are not published for Alpine. Those components are built from the server, which does not have plans to support Alpine (SERVER-49140 + SERVER-36790).

crypt_shared/mongocryptd are needed for Automatic Encryption. Without crypt_shared/mongocryptd, Explicit Encryption is still possible.

5 months later

Hi,

Apologies for replying late. We are already using explicit encryption, but the goal was to use automatic encryption, which we understood is not possible due to the MongoDB limitations with Alpine Linux.

However, I am a bit confused with the following comment and by reading the official MongoDB documentation.

> I expect libmongocrypt is bundled in the C# driver (NuGet Gallery | MongoDB.Driver.Encryption 3.0.0). I do not expect you need to download it separately.

This documentation says that if we are using Linux then we have to install libmongocrypt separately.

If I have a .NET API that runs on Alpine Linux, does referencing MongoDB.Driver.Encryption remove the need to build libmongocrypt from source and bundle it in the Docker image?

We are still using the MongoDB 2.20 .NET driver, with plans to upgrade to version 3.x soon; however, it does not look like upgrading to version 3.x would help us avoid building libmongocrypt each time.

Thanks,

UB