Reputation: 11
My application is using a local master key to decrypt my data in a MongoDB server. I am planning to rotate my key file once a year by manually triggering a separate API to do it.
So, using the code below, I'm trying to create a new local master key file and re-encrypt the DEK in my keyVault collection. I tried in both Java 8 and Node.js (using Mongosh-2.3.1), but both fail with the same error. I am not sure if my implementation below is correct.
I referred to their sample from here.
Using mongodb-driver-sync-5.0.0 and mongodb-crypt-1.8.0
kmsProviders.put("local", newlyCreatedMasterKey);
ClientEncryptionSettings clientEncryptionSettings = ClientEncryptionSettings.builder()
        .applyConnectionString(new ConnectionString(connectionString))
MongoCollection<Document> keyVault = mongoClient.getDatabase(keyVaultDb).getCollection(keyVaultColl);
for (Document dataKeyDoc : keyVault.find()) {
    Binary id = dataKeyDoc.get("_id", Binary.class);
    BsonBinary dataKeyId = new BsonBinary(id.getType(), id.getData());
    Filters.eq("_id", dataKeyId),
    new RewrapManyDataKeyOptions()
            .masterKey(new BsonDocument("key", new BsonBinary(newlyCreatedMasterKey)))
Using Node.js (Mongosh-2.3.1)
// Create a new key
const key = require("crypto").randomBytes(96);
fs.writeFileSync('keyfile.txt', key);

// Connection options
var autoEncryptionOpts = {
  "keyVaultNamespace" : "encryption.__keyvault",
  "kmsProviders" : {
    "local" : {
      "key" : BinData(0, key.toString("base64"))
    }
  }
};

// Create the encrypted client
const client = new Mongo(uri, autoEncryptionOpts);
const keyVault = client.getKeyVault();
const result = keyVault.rewrapManyDataKey({}, {
  provider: 'local',
  masterKey: {
    keyMaterial: BinData(0, key.toString("base64"))
  }
});
Both ways return the same error, as below:
Error rewrapping data keys: Unexpected field: 'key'
Exception in thread "main" com.mongodb.MongoClientException: Exception in encryption library: Unexpected field: 'key'
at com.mongodb.client.internal.Crypt.wrapInMongoException(
at com.mongodb.client.internal.Crypt.rewrapManyDataKey(
at com.mongodb.client.internal.ClientEncryptionImpl.rewrapManyDataKey(
at RotateMasterKey.reEncryptDataKeys(
at RotateMasterKey.main(
Caused by: com.mongodb.crypt.capi.MongoCryptException: Unexpected field: 'key'
at com.mongodb.crypt.capi.MongoCryptContextImpl.throwExceptionFromStatus(
at com.mongodb.crypt.capi.MongoCryptImpl.configure(
at com.mongodb.crypt.capi.MongoCryptImpl.createRewrapManyDatakeyContext(
at com.mongodb.client.internal.Crypt.rewrapManyDataKey(
... 3 more
Upvotes: 1
Views: 109
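
A conceptual illustration of what re-encrypting the DEKs in a key vault under a new master key involves, added here and not part of the original question or of MongoDB's driver code: each DEK is unwrapped with the old master key and wrapped again with the new one, while the field ciphertext is left untouched. AES-256-GCM from Node's `crypto` module stands in for the driver's own wrapping scheme, and the in-memory vault array and the names `seal`, `unseal`, `rewrapVault` and `demo` are hypothetical.

```javascript
// Added illustration: envelope-encryption key rotation with Node's crypto module.
// Assumption: AES-256-GCM replaces the driver's real key-wrapping format.
const crypto = require("crypto");

// Encrypt `plaintext` under a 32-byte key; output layout is iv || tag || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

// Reverse of seal(); throws if the key is wrong or the blob was modified.
function unseal(key, blob) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Rewrap every vault entry: unwrap with the old master key, wrap with the new one.
// A new array is returned, so a failure on any entry leaves the input vault as it was.
function rewrapVault(vault, oldMasterKey, newMasterKey) {
  return vault.map((entry) => ({
    ...entry,
    keyMaterial: seal(newMasterKey, unseal(oldMasterKey, entry.keyMaterial)),
  }));
}

// Constructed sample: one DEK, one field value encrypted under it.
function demo() {
  const oldMaster = crypto.randomBytes(32);
  const newMaster = crypto.randomBytes(32);
  const dek = crypto.randomBytes(32);
  const fieldCiphertext = seal(dek, Buffer.from("constructed-sample-value"));
  const vault = [{ _id: 1, keyMaterial: seal(oldMaster, dek) }];

  const rotated = rewrapVault(vault, oldMaster, newMaster);
  const dekAfter = unseal(newMaster, rotated[0].keyMaterial);
  let oldKeyRejected = false;
  try { unseal(oldMaster, rotated[0].keyMaterial); } catch (e) { oldKeyRejected = true; }
  return {
    dekUnchanged: dekAfter.equals(dek),               // same DEK, new wrapping
    fieldReadable: unseal(dekAfter, fieldCiphertext).toString() === "constructed-sample-value",
    oldKeyRejected,                                   // old master key no longer opens the vault
  };
}
```

The rewrap step needs both master keys at once: the old one to unwrap and the new one to wrap.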