MongoCryptError: “not all keys requested were satisfied” exception. What this error mean?

Working with Data Drivers
1

Hi,
We’re trying to use Mongo’s client side field level encryption, But I am getting "MongoCryptError: not all keys requested were satisfied. Verify that key vault DB/collection name was correctly specified.” on hitting the Query .

I am Unable to understand.
What this error mean? What keys?

Please let me help to debug the issue and solution for same.

Thanks in Advance.

2

Did you figure out what causing this issue?

3

Hello Abhay,

Thank you for your question. This error usually refers to an issue while attempting to read a DEK (Data Encryption Key) that has been removed for the Key Vault. It could also be possible that the Key Vault cannot be reached by your client for some reason.

Key Vault is a collection that stores your created Data Keys. More information is available in our documentation here.

To troubleshoot this error, I would recommend the following steps:

  1. Make sure your KMS Provider is reachable from your client. For example, if using AWS, make sure your client machine and application have a valid AWS Secret Key and can reach the AWS KMS service.
  2. Make sure the privileges in your KMS Provider are enough for your client to access your CMK (Customer Managed Key).
  3. If your KMS Provider is working fine, the next step is to check the contents of your Key Vault. The default name we use in our examples is “encryption.__keyVault”, but this could be different in your environment.
  4. If you have access and can see all the data keys, you should be able to use Client Side File Level Encryption normally.

Some client connection examples can be found here. You can also use MongoDB Compass to test if everything is working by going to “Advanced Connection Options” and providing your KMS Provider details under “In-Use Encryption” tab.

I hope this helps.

Best regards,
Bruno Carvalho