211
MongoDB | ERROR | Security | HIGH confidence

A required encryption key was not found

Production Risk

HIGH

What this means

This error occurs in a Client-Side Field Level Encryption (CSFLE) setup when the driver cannot find the necessary Data Encryption Key (DEK) to encrypt or decrypt a field. The key may be missing from the key vault collection or the KMS provider may be inaccessible.

Why it happens
  1. The key vault collection does not contain a key with the UUID specified in the document's encryption metadata
  2. The KMS (Key Management System) provider (e.g., AWS KMS, Azure Key Vault) is unavailable or the client lacks permission to access it
  3. The local key file used for the KMS provider is missing, corrupted, or has incorrect permissions
  4. A mismatch between the `keyId` stored with the encrypted data and the keys available in the key vault

How to reproduce

An application using CSFLE tries to insert an encrypted field, but the DEK it needs to use has been deleted from the key vault.

trigger — this will error
// This is a conceptual example, as it requires a full CSFLE setup.
// 1. A Data Encryption Key (DEK) is created and stored in the key vault.
// 2. The DEK is then deleted from the key vault collection.
// 3. An application tries to insert a document with a field that needs to be encrypted with the deleted DEK.
await encryptedCollection.insertOne({ ssn: "123-456-7890" });

expected output

MongoServerError: KeyNotFound: Could not find key with id ...

Fix 1

Ensure Key Vault and KMS are Accessible

WHEN This error occurs during any encrypted operation.

Why this works

Verify that the application has network connectivity and the correct credentials to access both the MongoDB key vault collection and the configured KMS provider. Check KMS permissions (e.g., IAM roles in AWS).

Fix 2

Restore the Missing Key

WHEN A specific key has been accidentally deleted.

Why this works

If the key was deleted from the key vault but still exists in the KMS, it may be possible to recreate it. If the key is permanently lost from the KMS, the data encrypted with it is unrecoverable. Restore the key vault from a backup if available.
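
To find out which key is missing and how much data depends on it, the key UUID can be read from the header of each encrypted value and compared with the `_id` values in the key vault. The following is an added example, not code from the original page or from MongoDB. The sample buffers and the key vault ID list are constructed. In a live deployment they would be the Binary subtype 6 values read from the collection and the `_id` values of the key vault documents.

```javascript
// CSFLE ciphertext is stored as BSON Binary subtype 6. Payload layout:
//   byte 0      blob subtype (1 = deterministic, 2 = random)
//   bytes 1-16  UUID of the DEK (the key vault document's _id)
//   byte 17     BSON type of the original plaintext value
//   bytes 18+   ciphertext
function parseCiphertextHeader(payload) {
  if (!Buffer.isBuffer(payload) || payload.length < 19) {
    throw new RangeError("payload too short for a CSFLE ciphertext");
  }
  const blobSubtype = payload[0];
  if (blobSubtype !== 1 && blobSubtype !== 2) {
    throw new RangeError(`unexpected blob subtype ${blobSubtype}`);
  }
  const h = payload.subarray(1, 17).toString("hex");
  const keyId = [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16),
                 h.slice(16, 20), h.slice(20)].join("-");
  return {
    algorithm: blobSubtype === 1 ? "deterministic" : "random",
    keyId,
    originalBsonType: payload[17],
  };
}

// Map of key UUID -> number of encrypted values that reference it but
// have no matching document in the key vault.
function findMissingKeys(payloads, keyVaultIds) {
  const known = new Set(keyVaultIds.map((id) => id.toLowerCase()));
  const missing = new Map();
  for (const p of payloads) {
    const { keyId } = parseCiphertextHeader(p);
    if (!known.has(keyId)) missing.set(keyId, (missing.get(keyId) || 0) + 1);
  }
  return missing;
}

// Constructed sample data: header bytes plus filler, not real ciphertext.
function sampleCiphertext(blobSubtype, keyIdHex) {
  return Buffer.concat([Buffer.from([blobSubtype]), Buffer.from(keyIdHex, "hex"),
                        Buffer.from([0x02]), Buffer.alloc(48, 0xaa)]);
}
const KEY_A = "11111111222233334444555555555555";
const KEY_B = "aaaaaaaabbbbccccddddeeeeeeeeeeee";
const samplePayloads = [sampleCiphertext(1, KEY_A), sampleCiphertext(2, KEY_B),
                        sampleCiphertext(1, KEY_B)];
const sampleKeyVaultIds = ["11111111-2222-3333-4444-555555555555"]; // KEY_B absent

console.log(findMissingKeys(samplePayloads, sampleKeyVaultIds));
```

Running the same comparison before any key is removed shows whether stored values still reference it.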

What not to do

Delete keys from the key vault or KMS without a proper data archival or decryption strategy

Deleting a key will result in permanent, unrecoverable data loss for any data that was encrypted with it. Keys must be managed with extreme care.

Sources
Official documentation

mongodb/mongo src/mongo/base/error_codes.yml

Client-Side Field Level Encryption
