Mar 25

Handling Multiple KMS Providers in a .NET Application with MongoDB

We have an application in .NET that accesses our MongoDB database and saves documents in common collections. Each user will have their own KMS Provider and respective credentials.

Problem Statement

Our initial approach was to maintain a dictionary of connections to our database, each configured with the respective KMS provider. However, an issue arises when a user wants to change their KMS provider.

Issues Encountered:

  1. Rewrapping DEKs
    We attempted to use rewrapManyDataKey(), but this requires the MongoDB client to have both KMS providers pre-configured.

  2. Manual Rewrapping of DEKs
    Even when manually rewrapping the Data Encryption Keys (DEKs) in our code, documents inserted using the previous KMS Provider become inaccessible because:

    • The collection’s encryption schema is still tied to the previous KMS provider.
    • The new connection has problems recognizing the KeyVault collection.

Question

Is this a misunderstanding on our part, or is it a real limitation of MongoDB?
Is there a way to seamlessly change the KMS provider for an existing Queryable Encryption collection?
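The first issue above (rewrapManyDataKey() needing both KMS providers on the same client) can be seen concretely in the .NET driver. The following is an added example and not code from the original post or from MongoDB's own documentation; the provider names ("aws" as the current provider, "azure" as the target), the credential placeholders, the key-vault namespace "encryption.__keyVault" and the keyAltName convention "user:<userId>" are all assumptions made for illustration.

```csharp
using System.Collections.Generic;
using MongoDB.Bson;
using MongoDB.Driver;
using MongoDB.Driver.Encryption;

// Added example (not from the original post). Shows that RewrapManyDataKey
// can only move DEKs between KMS providers that are BOTH configured on the
// same ClientEncryption instance: the old provider is needed to unwrap the
// current key material, the new one to wrap it again.
public static class DekRewrapExample
{
    public static RewrapManyDataKeyResult RewrapUserKeys(IMongoClient keyVaultClient, string userId)
    {
        // Both the current ("aws") and the target ("azure") provider must be present.
        // A ClientEncryption that knows only the new provider cannot decrypt the old DEKs.
        var kmsProviders = new Dictionary<string, IReadOnlyDictionary<string, object>>
        {
            ["aws"] = new Dictionary<string, object>
            {
                ["accessKeyId"] = "<old-provider-access-key>",     // assumed placeholder
                ["secretAccessKey"] = "<old-provider-secret-key>", // assumed placeholder
            },
            ["azure"] = new Dictionary<string, object>
            {
                ["tenantId"] = "<tenant-id>",         // assumed placeholder
                ["clientId"] = "<client-id>",         // assumed placeholder
                ["clientSecret"] = "<client-secret>", // assumed placeholder
            },
        };

        // Key-vault namespace is an assumption; it must match the one used when the DEKs were created.
        var keyVaultNamespace = CollectionNamespace.FromFullName("encryption.__keyVault");
        var options = new ClientEncryptionOptions(keyVaultClient, keyVaultNamespace, kmsProviders);

        using var clientEncryption = new ClientEncryption(options);

        // Rewrap only this user's DEKs. Assumes each DEK was created with a keyAltName
        // of the form "user:<userId>", so other tenants' keys are left untouched.
        var filter = Builders<BsonDocument>.Filter.AnyEq("keyAltNames", $"user:{userId}");

        // Customer master key in the target provider (Azure Key Vault fields; values assumed).
        var rewrapOptions = new RewrapManyDataKeyOptions(
            provider: "azure",
            masterKey: new BsonDocument
            {
                { "keyVaultEndpoint", "<vault-name>.vault.azure.net" },
                { "keyName", "<key-name>" },
            });

        // Returns a result whose BulkWriteResult reports how many key documents were updated
        // (BulkWriteResult is null when no DEK matched the filter).
        return clientEncryption.RewrapManyDataKey(filter, rewrapOptions);
    }
}
```

Rewrapping keeps each DEK's _id and only replaces its wrapped key material and masterKey metadata, so it is the key vault that changes, not the encrypted documents; this is why the operation requires the old provider's credentials to still be usable at the moment of the switch.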

Hi and welcome to the forums. I’m the Product Manager for Queryable Encryption at MongoDB. Changing KMS providers in the way you envision is not something we support today. There may be ways to hack this, but this is a case where you may want to use the per-document keys feature of CSFLE, depending on your query needs. Let me send you a PM on the side to learn more about your use case as it is something I’ve envisioned supporting.