Skip to main content
Encrypts the specified data or file using the AES algorithm.

Required Parameters

  • keyVaultEntry: The name of the encrypted vault item to use for the key. Values stored in this vault item must match the encoding set in keyVaultEntryFormat and meet the length requirement of the selected algorithm.
  • ivVaultEntry: The name of the encrypted vault item to use for the initialization vector (IV). Values stored in this vault item must match the encoding set in ivVaultEntryFormat and meet the length requirement of the selected algorithm.

Optional Parameters

  • algorithm: The name of the algorithm used for encryption. AES is currently the only supported value. It supports 128, 192, and 256-bit key lengths.
  • cipherMode: The method used to process and encrypt the data. Accepted values are: CBC, ECB, OFB, CFB, CTS, 8OFB, 8CFB, GCM, CTR, and XTS. The default is CBC.
  • paddingMode: The method used to handle extra or missing data when encrypting a message, ensuring the plaintext is correctly constructed. Accepted values are: PKCS7, Zeros, None, ANSIX923, and ISO10126. The default is PKCS7.
  • keyVaultEntryFormat: The encoding on the value stored in the keyVaultEntry item. Accepted values are: HEX, BASE64, 8BIT, and RAW. The default is HEX.
  • ivVaultEntryFormat: The encoding on the value stored in the ivVaultEntry item. Accepted values are: HEX, BASE64, 8BIT, and RAW. The default is HEX.
  • data: The data to encrypt.
  • file: The file to encrypt.
  • outFile: The file in which to store the encrypted data.
  • inFormat: The format to use for encrypted input data. Accepted values are: HEX, BASE64, 8BIT, and RAW. The default is HEX.
  • outFormat: The format to use for encrypted output data. Accepted values are: HEX, BASE64, 8BIT, and RAW. The default is HEX.

Output Attributes

  • data: The encrypted data, if outFile was not specified.
  • outFile: The file containing the encrypted data, if outFile was specified.

Example

In the following example, the cryptoEncrypt operation is used to encrypt a specific value. It uses the default AES algorithm and the default HEX encoding for the keyVaultEntryFormat and ivVaultEntryFormat parameters. Because it uses the defaults, these parameters do not need to be explicitly set. This means that the values stored in the “key” and “iv” vault items for keyVaultEntry and ivVaultEntry must be exactly 128-bit HEX encoded values. For example:
  • Value stored in the “key” vault item: 7A3F9D5C1E8B6A407D2E4C9F5B1A6D3E
  • Value stored in the “iv” vault item: C1D4A7F82E395B6C4D7A1E3F9B02586D
Failure to use values of the correct length or encoding results in errors during the encryption process. 
<!-- For the sake of this example, let's say this value comes from an API response. -->
<arc:set attr="secret.value" value="FooBar" />

<!-- Set both the Key and IV values. These are the names of the encrypted vault items. -->
<!-- If using the default AES algorithm, the values stored in each vault item need to be 128-bit HEX values. -->
<arc:set attr="input.keyVaultEntry" value="key"/>
<arc:set attr="input.ivVaultEntry" value="iv"/>

<!-- Default algorithm is AES -->
<arc:set attr="input.algorithm" value="AES" />

<!-- Pass in the input item and call cryptoEncrypt -->
<arc:set attr="input.data" value="[secret.value]"/>  
<arc:call op="cryptoEncrypt" in="input" out="result" >
  <!-- Here is where you can use the newly encrypted value/data. A message header is used here. -->
  <arc:set attr="output.Header:MyEncryptedValue" value="[result.data]" />
</arc:call>

<!-- Push the input message, with the new header, as output. -->
<arc:set attr="output.filepath" value="[Filepath]" />
<arc:push item="output" />