Transforms
Encrypt
Encrypt field values using a symmetric or asymmetric algorithm.
Overview
The Encrypt transformation replaces the value at a given key with its encrypted form, leaving the rest of the record unchanged. It supports two algorithms:
- AES-GCM (
aes) — symmetric encryption using a shared secret key. Anyone with the key can both encrypt and decrypt. - age (
age) — asymmetric encryption using a recipient's public key. Only the holder of the matching age private key can decrypt.
The key material is supplied as a secret, not inline in the configuration.
Configuration
| Argument | Type | Required | Default | Description |
|---|---|---|---|---|
| key | string | Yes | — | Path to the field whose value will be encrypted |
| algorithm | object | Yes | — | Encryption algorithm configuration |
| algorithm.type | string | Yes | aes | Algorithm to use: aes or age |
| algorithm.aes.encryption_key | secret | Yes (for aes) | — | Base64-encoded AES key (16, 24, or 32 bytes) |
| algorithm.age.encryption_key | secret | Yes (for age) | — | age public key (starts with age1...) |
Example
Encrypt the user.ssn field using AES-GCM:
Code
Given the input record:
Code
The output record replaces the value in place with its ciphertext:
Code
To use asymmetric encryption instead, set the algorithm to age and provide an age public key:
Code
Notes
- The value is replaced in place; no new field is created.
encryption_keyis provided as a secret rather than inline in the configuration.- For
aes, the key must be base64-encoded and decode to 16, 24, or 32 bytes (AES-128/192/256). - For
age, only the public key is used; keep the corresponding private key safe to decrypt later. - The ciphertext shown above is illustrative — actual output is non-deterministic.
Last modified on