How to user Sync Gateway with Field Encryption Format



We have implemented Couchbase 6 server and Sync Gateway 2.1 for replication with CouchBase Lite.

sync-gateway-config.json :
“log”: [""],
“CORS”: {
“MaxAge”: 1728000
“databases”: {
“db”: {
“server”: “http://localhost:8091”,
“bucket”: “pulse”,
“username”: “user”,
“password”: “paSSWord”,
“enable_shared_bucket_access”: true,
“import_docs”: true,
“num_index_replicas”: 0,
“allow_conflicts”: false,
“enable_star_channel” : false,
“users”: {
“GUEST”: { “disabled”: false, “admin_channels”: ["
"] },
“sync_user”: {“password”: “sync_user”}
“sync”: function (doc, oldDoc) { if (doc.InfoSyst.sysSyncChannel) { channel(doc.InfoSyst.sysSyncChannel); } }

We encrypt personal data (passwords, PII) with the encryption function provided by the Couchbase SDK (Field Encryption Format).

Documents containing encrypted data do not synchronize :
Import: Error importing doc “OAuthUser::58932000f7ad11e8a83fc9273b936746”: 400 user defined top level properties beginning with ‘_’ are not allowed in document body

How to synchronize encrypted data through Sync Gateway?

Thank you


I’m not familiar with the Field Encryption Format … what does the JSON it produces look like? It sounds like it creates properties starting with “_”, which Sync Gateway doesn’t allow.


Sync Gateway will not process documents that have a top level attribute that begins with an underscore ("_").

The reason for this is that Sync Gateway is backwards compatible with V1.0 of replication protocol which is based on CouchDB. The v1.0 of replication protocol prohibits the use of top level attributes that begin with an underscore.

So applications that create documents that are expected to be processed through the Sync Gateway must be aware of this when modeling their data. This is true whether the document is created through the CBS SDK or SGW API or CBL. Failure to do so will result in a Sync Error of the form “” error":“Bad Request”,“reason”:"user defined top level properties beginning with ’ ’ are not allowed in document body"}_"

Recommendation : Include the _ properties in a top level object. In your case, using a root level attribute with sub doc including all secured fields should be an option.


Indeed, the NodeJS encryption SDK uses the _crypto syntax which creates an error when synchronizing with SyncGateway.

Two solutions:

We chose the second solution to save some time on the development of our POC.

Thank you very much for your answer.