How to use mongocrypt_setopt_key_expiration settings using MongoDB.Driver for .NET

UB_K · 2025-03-05T19:59:25.163Z

Hi,

We are using Client-Side Field Level Encryption (CSFLE) with explicit encryption in a MongoDB Atlas environment, utilizing Azure Key Vault as the Key Management Service (KMS) provider. Our connection to MongoDB is authenticated via certificates.

We have observed delays during the decryption of the encrypted document in our applicaltion. We noticed that the libmongocrypt driver version 1.12.0 introduced a new flag, mongocrypt_setopt_key_expiration, which allows extending the DEK cache duration from the default 60 seconds.

image1560×874 53.5 KB

However, we are unable to implement this using the MongoDB.Driver for .NET (v2.30). The ExtraOptions property in the AutoEncryptionSettings class, which is used to configure client communication with MongoDB, only accepts the following flags:

cryptSharedLibPath
cryptSharedLibRequired
mongocryptdURI
mongocryptdBypassSpawn
mongocryptdSpawnPath
mongocryptdSpawnArgs

Could you please advise on how to use the mongocrypt_setopt_key_expiration flag within these settings, or suggest an alternative approach to extend the DEK cache duration?

Thank in advance!

Regards,

UB

Rishabh_Bisht · 2025-03-06T09:56:34.160Z

The libmongocrypt API needs to be exposed by the driver - in this case, the C# driver is currently implementing this API. You can watch CSHARP-5205 for updates.

papafe · 2025-03-06T11:11:45.196Z

As @Rishabh_Bisht said, this is currently being implemented and it is planned to be included in the next major release of the .NET driver, that should be 3.3.0.

UB_K · 2025-03-26T02:49:18.536Z

Rishabh_Bisht:

The libmongocrypt API needs to be exposed by the driver - in this case, the C# driver is currently implementing this API. You can watch CSHARP-5205 for updates.

Thanks for the update! It looks like the JIRA ticket CSHARP-5205 is now closed.

Does this mean that the MongoDB C# Driver has now been updated with this option?

I do see another referenced JIRA Ticket DRIVERS-2781 in Implementing status and couldn’t understand whether the issue is now resolved.

papafe · 2025-03-26T09:17:21.491Z

@UB_K

We close tickets when we’re done with the task related to the ticket, not when the code is available in a release. In this case the new option will be released in next version, 3.3.0.

Topic	Replies	Views	Activity
Understanding CSFLE strategies for “forgetting a user’s data” Drivers node-js field-encryption	3	758	May 2024
As of v2.23.0, Expressions accessing Dictionary.Keys are no longer supported via IndexKeysDefinitionBuilder Drivers dot-net	4	739	Jun 2024
Truncation error when trying to deserialize an array (automatically assuming the data points as Int64) Drivers dot-net	0	116	Sep 2024
BsonClassMapSerializer is now sealed in v3.0 Drivers dot-net	1	49	Oct 2024
How to deserialize a `BsonValue` to object with serializer? Drivers kotlin	0	28	Nov 2024

How to use mongocrypt_setopt_key_expiration settings using MongoDB.Driver for .NET

How to use mongocrypt_setopt_key_expiration settings using MongoDB.Driver for .NET

New & Unread Topics

Want to read more? Browse other topics in Drivers or view latest topics.