Mongoose not following CSFLE configs, docs being written unencrypted

[thompsonap09]

Prerequisites

• I have written a descriptive issue title

Mongoose version

9.1.5

Node.js version

24.x

MongoDB version

8.0.18

Operating system

None

Operating system version (i.e. 20.04, 11.3, 10)

No response

Issue

I have an AWS Lambda that's hitting a Mongo Atlas instance, and we're using AWS KMS to handle the encryption keys. I've got a DEK being created no problem. I've read the Mongoose docs over a ton of times and just have no idea where I'm going wrong actually writing a document to the DB with an encrypted field. The document writes to the DB in "plaintext", the field I have marked as encrypted in my schema is just a standard human readable string. Any assistance on this would be greatly appreciated, because I'm really at a loss.

import { Handler } from 'aws-lambda';
import { ClientEncryption, KMSProviders, MongoClient } from 'mongodb';
import mongoose, { Schema } from 'mongoose';
import path from 'path';

const keyVaultDatabase = 'encryption';
const keyVaultCollection = '__keyVault';
const keyVaultNamespace = `${keyVaultDatabase}.${keyVaultCollection}`;

export const handler: Handler = async () => {
  try {
    const dekUUID = await getOrCreateDEK();

    const encryptSchema = new Schema(
      {
        name: String,
        ssn: {
          type: String,
          encrypt: {
            keyId: dekUUID,
            queries: 'equality',
            algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'
          }
        },
        sequence: Number,
        requestingAgentCode: [String]
      },
      { encryptionType: 'csfle' }
    );

    const connection = mongoose.createConnection();

    const db = connection.useDb(process.env.MONGO_DB_NAME!);

    const encryptModel = db.model('work_requests', encryptSchema);

    await db.openUri(getMongoURI(), getEncryptedConnectionOptions());

    await encryptModel.create({
      name: 'Alan',
      ssn: '12345',
      sequence: 1234567,
      requestingAgentCode: ['23413412']
    });

    return {
      statusCode: 201,
      body: {}
    };
  } catch (error) {
    return {
      statusCode: 500,
      body: JSON.stringify({
        message: 'Internal Server Error',
        error: (error as Error)?.message
      })
    };
  }
};

function getMongoURI(): string {
  return `${process.env.MONGODB_CONNECTION_STRING!}/?authSource=%24external&authMechanism=MONGODB-AWS&retryWrites=true`;
}

function getKmsProviders(): KMSProviders {
  return {
    aws: {
      accessKeyId: process.env.AWS_ACCESS_KEY_ID!,
      secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY!,
      sessionToken: process.env.AWS_SESSION_TOKEN!
    }
  };
}

function getEncryptedConnectionOptions() {
  return {
    serverSelectionTimeoutMS: 5000,
    autoEncryption: {
      keyVaultNamespace: keyVaultNamespace,
      kmsProviders: getKmsProviders()
    }
  };
}

function getConnectionOptions() {
  return {
    serverSelectionTimeoutMS: 5000
  };
}

async function getOrCreateDEK(): Promise<string> {
  const keyAltName = 'csfle-dek';

  const keyVaultClient = new MongoClient(getMongoURI(), getConnectionOptions());
  await keyVaultClient.connect();

  const keyVaultDB = keyVaultClient.db(keyVaultDatabase);
  const keyVaultColl = keyVaultDB.collection(keyVaultCollection);

  // Check if the dek already exists before trying to create anything
  const existingKey = await keyVaultColl.findOne({ keyAltNames: { $in: [keyAltName] } });
  if (existingKey) {
    keyVaultClient.close();
    return existingKey._id.toString('base64');
  }

  await keyVaultColl.createIndex(
    { keyAltNames: 1 },
    {
      unique: true,
      partialFilterExpression: { keyAltNames: { $exists: true } }
    }
  );

  const kmsProviders = getKmsProviders();

  const encryption = new ClientEncryption(keyVaultClient, {
    keyVaultNamespace,
    kmsProviders
  });

  const keyUUID = await encryption.createDataKey('aws', {
    masterKey: {
      region: process.env.AWS_KEY_REGION!,
      key: process.env.AWS_KEY_ARN!
    },
    keyAltNames: [keyAltName]
  });

  keyVaultClient.close();

  return keyUUID.toString('base64');
}

[vkarpov15]

How are you reading the encrypted documents? if you're using your default Mongoose connection with encryption enabled, Mongoose will decrypt for you automatically. This tripped me up too. That's why in the following script I created a separate plainClient MongoClient instance to read the raw data without decryption:

const mongoose = require('mongoose');
const { MongoClient } = require('mongodb');
const { ClientEncryption, BSON } = require('mongodb');

const uri = 'mongodb://127.0.0.1:27017';
const dbName = 'csfle_test';
const keyVaultNamespace = 'encryption.__keyVault';

// 🔐 Hardcoded 96-byte local master key
const localMasterKey = Buffer.from(
  '/1GQBXVb7huloT8LDqNtGYfrWqCp3HSFJhO7Y6b898JOVDkXojJwOgr8e9neY+UMFDOcxojNz61Lk8z3ttLEpOb/A0lkqJHK8j9RBh++OTfK5qK2YKkCV5gx128qXrs0',
  'base64'
);

async function run() {
  // 1️⃣ Create a client to generate DEK
  /*const keyClient = new MongoClient(uri);
  await keyClient.connect();

  const clientEncryption = new ClientEncryption(keyClient, {
    keyVaultNamespace,
    cryptSharedLibPath: process.env.SHARED_LIB_PATH,
    kmsProviders: {
      local: {
        key: localMasterKey
      }
    }
  });

  // Ensure key vault index exists
  await keyClient
    .db('encryption')
    .collection('__keyVault')
    .createIndex(
      { keyAltNames: 1 },
      { unique: true, partialFilterExpression: { keyAltNames: { $exists: true } } }
    );

  await keyClient
    .db('encryption')
    .collection('__keyVault')
    .deleteMany({});

  // Create DEK
  const keyId = await clientEncryption.createDataKey('local', {
    keyAltNames: ['test-key']
  });

  await keyClient.close();
  console.log('KEY ID', keyId);*/

  const keyId = new BSON.UUID('0058a9b7-793f-4552-845a-600ae73a3901');

  // 2️⃣ Define encryption schemaMap
  const schemaMap = {
    [`${dbName}.people`]: {
      bsonType: 'object',
      properties: {
        ssn: {
          encrypt: {
            keyId: [keyId],
            bsonType: 'string',
            algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'
          }
        }
      }
    }
  };

  // 3️⃣ Connect Mongoose with autoEncryption
  const conn = mongoose.createConnection();

  const PersonSchema = new mongoose.Schema({
    name: String,
    ssn: String
  });

  const Person = conn.model('Person', PersonSchema, 'people');


  await conn.openUri(uri, {
    dbName,
    autoEncryption: {
      keyVaultNamespace,
      extraOptions: { cryptSharedLibPath: process.env.SHARED_LIB_PATH },
      kmsProviders: {
        local: {
          key: localMasterKey
        }
      },
      schemaMap
    }
  });
  await Person.deleteMany({});

  await Person.create({
    name: 'Alan',
    ssn: '123-45-6789'
  });

  console.log('Inserted document.\n');

  // 4️⃣ Check raw stored document
  const plainClient = new MongoClient(uri);
  await plainClient.connect();
  const raw = await plainClient.db(dbName).collection('people').findOne({});
  console.log('Raw stored document:');
  console.dir(raw, { depth: null }); // ssn is a Binary (encrypted)
  await conn.close();
}

run().catch(console.error);

[thompsonap09]

@vkarpov15 never even got the point where we were attempting to read encrypted docs since I never got the docs to even write encrypted. Ended up switching to the older method where I manually provided the encrypted fields map, never ended up getting Mongoose to handle it automatically like the docs say it should.

[RaschidJFR]

@vkarpov15 According to StackOverflow, it seems the step that's missing is adding schemaMap in getEncryptedConnectionOptions () but Mongoose's docs read:

Queryable encryption and CSFLE require all the same configuration as outlined in the MongoDB encryption in-use documentation, except for the schemaMap or encryptedFieldsMap options.

Should we update the docs?