Can we decode encrypted values from QueryResult output

Hi! I have a document and it’s fields are encrypted. The following GO code just works fine. I guess GET uses the document key.

resp, err := 
cb.Scope(testScope).Collection(testCollection).Get(s.ID, &gocb.GetOptions{Context: ctx})
	if err != nil {
		return fmt.Errorf("%s collection Get failure: %v", testCollection, err)

	return resp.Content(s)

I have requirement to query the same document using one of it’s non encrypted field (let’s say by Name). I had set up a secondary index for this field and here is the code

	params := make(map[string]interface{}, 1)
	params["name"] = s.Name
	resp, err := cb.Scope(testScope).Query(testQuery, &gocb.QueryOptions{
		Context:         ctx,
		NamedParameters: params,
	if err != nil {
		return fmt.Errorf("query failure: %v", err)

I can’t seem to find any ways to decode the QueryResult output. resp.Row() just ignores all encrypted fields. Any workarounds? Thanks!

	for resp.Next() {
		if err := resp.Row(s).....

In both cases, is the cb.Scope(testScope) the same?
What is the value of testQuery ?

yes, `SELECT x.* FROM testcollection x WHERE$name

It seems like the transcoder doing the unmarshalling does not have the crypto manager. You’re cluster connection specifies your crypto manager, right? (I suppose it would need to if the results from Get are being decrypted).

transcoder := gocbfieldcrypt.NewTranscoder(nil, mgr)

It looks like Row() just uses json.Unmarshal(bytes, valuePtr) which doesn’t know about encryption.
I opened a ticket - Loading...

1 Like

Until I can think of a better work-around - you can retrieve the document id (meta().id) with the query, then use the document id in the Get() operations.

Edit 1: I think you can use

    transcoder.Decode(resp.Raw().nextBytes,  0, &s);

Edit 2 : I checked with the powers-that-be and FLE is only for KV. Query does not use the transcoder.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.