Encrypt
Encrypt transform plugin
Description
The Encrypt transform plugin is used to encrypt or decrypt specified fields in records using a symmetric encryption algorithm.
Options
| name | type | required | default value | description |
|---|---|---|---|---|
fields | Array | Yes | - | List of fields to encrypt/decrypt |
algorithm | String | No | AES_GCM | Encryption algorithm |
key | String | Yes | - | Base64-encoded encryption key |
mode | String | No | encrypt | encrypt or decrypt |
max_field_length | Integer | No | 10485760 | Maximum string field length before processing |
algorithm [string]
Encryption algorithm used by this transform.
Supported values:
AES_GCM: default, AES in GCM mode with authentication tagAES_CBC: AES in CBC mode with PKCS5 padding
AES_GCM provides authenticated encryption and is recommended for better security.
If not specified, AES_GCM is used by default.
key [string]
The encryption key must be provided in Base64-encoded format.
Make sure the key length matches the requirements of the selected algorithm.
For both AES_GCM and AES_CBC, valid key lengths are 16, 24, or 32 bytes (corresponding to AES-128, AES-192, or AES-256).
Example
base64:AAAAAAAAAAAAAAAAAAAAAA==AAAAAAAAAAAAAAAAAAAAAA==
mode [string]
The transform mode. Supported values are encrypt and decrypt. The comparison is case-insensitive, but new examples should use lowercase values to match the default.
max_field_length [int]
The maximum string length that can be encrypted or decrypted for each configured field. If a field value exceeds this limit, the transform fails fast instead of processing an unexpectedly large value.
common options [string]
Transform plugin common parameters, please refer to Transform Plugin for details
Example
transform {
FieldEncrypt {
fields = ["name"]
key = "base64:AAAAAAAAAAAAAAAAAAAAAA=="
algorithm = "AES_CBC"
mode = "encrypt"
}
}
transform {
FieldEncrypt {
fields = ["name"]
key = "base64:AAAAAAAAAAAAAAAAAAAAAA=="
algorithm = "AES_CBC"
mode = "decrypt"
}
}