- Type: Spec Change
- Resolution: Unresolved
- Priority: Minor - P4
- None
- Component/s: Client Side Encryption
- None
- Needed
Summary
During automatic encryption and decryption, CSFLE may execute two internal commands:
- find to retrieve key documents from the Key Vault Collection
- listCollections to retrieve JSON schemas on collections not present in the client configured schemaMap.
It is not possible to use an explicit session on these operations with the current API.
Motivation
I see one plausible use case:
To guarantee a new data key created with ClientEncryption.createDataKey is visible in later automatic encryption operations, a causally consistent session could be used for read-your-own-writes semantics. Automatic encryption already uses read concern majority on the find operation.
Who is the affected end user?
Any user of CSFLE.
How does this affect the end user?
This was not requested by a user. Users cannot use explicit sessions in automatic encryption or automatic decryption.
How likely is it that this problem or use case will occur?
I am not sure. createDataKey already uses majority write concern, and find in automatic encryption uses majority read concern. I think a problem like the use-case described above is rare, if at all possible.
If the problem does occur, what are the consequences and how severe are they?
If the result of createDataKey is not immediately visible, it results in transient errors in automatic encryption / decryption operations unable to retrieve the key.
Is this issue urgent?
No.
Is this ticket required by a downstream team?
No.
Is this ticket only for tests?
No.
- is related to
  - GODRIVER-2147 Automatic FLE decryption does not work with session (Closed)
  - DRIVERS-2389 Add session support to the key management API (Backlog)