Skip to main content

Decrypt

Security Elastic Compatible

Schema

decrypt:
  - algorithm: <ident>
  - encryption_key: <string>
  - field: <ident>
  - iv_field: <ident>
  - description: <text>
  - if: <script>
  - ignore_failure: <boolean>
  - ignore_missing: <boolean>
  - on_failure: <processor[]>
  - on_success: <processor[]>
  - tag: <string>
  - with_compression: <boolean>

Synopsis

Decrypts encrypted string values using AES encryption with a specified key and initialization vector.

Configuration

FieldRequiredDefaultDescription
algorithmY-Encryption algorithm to use. Valid values: AES-256-GCM or AES-256-CFB
encryption_keyY-32-byte key used for decryption
fieldY-Field containing the encrypted value to be decrypted
iv_fieldY-Field containing the initialization vector
descriptionN-Explanatory note
ifN-Condition to run
ignore_failureNfalseSee Handling Failures
ignore_missingNfalseIf true and field does not exist or is null, exit quietly without making any modifications
on_failureN-See Handling Failures
on_successN-See Handling Success
tagN-Identifier
with_compressionNfalseEnable compression during decryption

Details

The processor supports both AES-256-GCM (Galois/Counter Mode) and AES-256-CFB (Cipher Feedback) modes:

  • AES-256-GCM (Galois/Counter Mode) - Provides both confidentiality and authenticity. This is more secure against tampering, although slightly slower than the CFB mode.

  • AES-256-CFB (Cipher Feedback) - Provides confidentiality. This is faster than the GCM mode, although there is no built-in authentication.

warning

The encryption key must be exactly 32 bytes long for the AES-256 encryption, and both the encrypted value and IV must be base64 encoded strings.

Unsupported algorithms will result in error.

note

To improve performance, the processor automatically caches cipher instances for repeated use with the same encryption key.

Examples

AES-256-CFB

When decrypting in the CFB mode...

{
  "encrypted_value": "vFza",
  "iv": "FmXUb0OPOWm1A2kw6diKYw=="
}
decrypt:
  - field: encrypted_value
  - iv_field: iv
  - encryption_key: 6B58703273357638792F423F4528482B
  - algorithm: AES-256-CFB

the decrypted value is stored in place:

{
  "encrypted_value": "bar",
  "iv": "FmXUb0OPOWm1A2kw6diKYw=="
}

AES-256-GCM with Compression

Using the GCM mode with compression...

{
  "secret": "KZh/JR2baS2MkZpseKZYoBN2tQ==",
  "vector": "F+e8YorshrvFiFTC"
}
decrypt:
  - field: secret
  - iv_field: vector
  - encryption_key: 6B58703273357638792F423F4528482B
  - algorithm: AES-256-GCM
  - with_compression: true

decompresses the values after decryption:

{
  "secret": "bar",
  "vector": "F+e8YorshrvFiFTC"
}

Error Handling

If an invalid key length is specified...

{
  "data": "encrypted_string",
  "iv": "initialization_vector"
}
decrypt:
  - field: data
  - iv_field: iv
  - encryption_key: too_short
  - algorithm: AES-256-CFB
  - ignore_failure: true

the raised error is captured:

{
  "data": "encrypted_string",
  "iv": "initialization_vector",
  "error": {
    "message": "encryption key must be 32 bytes for AES-256"
  }
}