# Encrypt Encrypt field values using a symmetric or asymmetric algorithm. ## Overview The Encrypt transformation replaces the value at a given key with its encrypted form, leaving the rest of the record unchanged. It supports two algorithms: - **AES-GCM** (`aes`) — symmetric encryption using a shared secret key. Anyone with the key can both encrypt and decrypt. - **age** (`age`) — asymmetric encryption using a recipient's public key. Only the holder of the matching age private key can decrypt. The key material is supplied as a secret, not inline in the configuration. ## Configuration | Argument | Type | Required | Default | Description | | -------- | ---- | -------- | ------- | ----------- | | key | string | Yes | — | Path to the field whose value will be encrypted | | algorithm | object | Yes | — | Encryption algorithm configuration | | algorithm.type | string | Yes | `aes` | Algorithm to use: `aes` or `age` | | algorithm.aes.encryption_key | secret | Yes (for `aes`) | — | Base64-encoded AES key (16, 24, or 32 bytes) | | algorithm.age.encryption_key | secret | Yes (for `age`) | — | age public key (starts with `age1...`) | ## Example Encrypt the `user.ssn` field using AES-GCM: ```json { "operation": "encrypt", "arguments": { "key": "user.ssn", "algorithm": { "type": "aes", "aes": { "encryption_key": "" } } } } ``` Given the input record: ```json { "user": { "name": "Alice", "ssn": "123-45-6789" } } ``` The output record replaces the value in place with its ciphertext: ```json { "user": { "name": "Alice", "ssn": "k9Fp2v...ciphertext..." } } ``` To use asymmetric encryption instead, set the algorithm to `age` and provide an age public key: ```json { "operation": "encrypt", "arguments": { "key": "user.ssn", "algorithm": { "type": "age", "age": { "encryption_key": "age1qz...recipient-public-key..." } } } } ``` ## Notes 1. The value is replaced in place; no new field is created. 2. `encryption_key` is provided as a secret rather than inline in the configuration. 3. For `aes`, the key must be base64-encoded and decode to 16, 24, or 32 bytes (AES-128/192/256). 4. For `age`, only the public key is used; keep the corresponding private key safe to decrypt later. 5. The ciphertext shown above is illustrative — actual output is non-deterministic.