Skip to main content
Version: Next

Encrypt

Encrypt transform plugin

Description

The Encrypt transform plugin is used to encrypt or decrypt specified fields in records using a symmetric encryption algorithm.

Options

nametyperequireddefault valuedescription
fieldsArrayYes-List of fields to encrypt/decrypt
algorithmStringNoAES_GCMEncryption algorithm
keyStringYes-Base64-encoded encryption key
modeStringNoencryptencrypt or decrypt
max_field_lengthIntegerNo10485760Maximum string field length before processing

algorithm [string]

Encryption algorithm used by this transform.

Supported values:

  • AES_GCM: default, AES in GCM mode with authentication tag
  • AES_CBC: AES in CBC mode with PKCS5 padding

AES_GCM provides authenticated encryption and is recommended for better security.

If not specified, AES_GCM is used by default.

key [string]

The encryption key must be provided in Base64-encoded format. Make sure the key length matches the requirements of the selected algorithm. For both AES_GCM and AES_CBC, valid key lengths are 16, 24, or 32 bytes (corresponding to AES-128, AES-192, or AES-256).

Example

  • base64:AAAAAAAAAAAAAAAAAAAAAA==
  • AAAAAAAAAAAAAAAAAAAAAA==

mode [string]

The transform mode. Supported values are encrypt and decrypt. The comparison is case-insensitive, but new examples should use lowercase values to match the default.

max_field_length [int]

The maximum string length that can be encrypted or decrypted for each configured field. If a field value exceeds this limit, the transform fails fast instead of processing an unexpectedly large value.

common options [string]

Transform plugin common parameters, please refer to Transform Plugin for details

Example

transform {
FieldEncrypt {
fields = ["name"]
key = "base64:AAAAAAAAAAAAAAAAAAAAAA=="
algorithm = "AES_CBC"
mode = "encrypt"
}
}
transform {
FieldEncrypt {
fields = ["name"]
key = "base64:AAAAAAAAAAAAAAAAAAAAAA=="
algorithm = "AES_CBC"
mode = "decrypt"
}
}