
Overview

You can use this Snap to encrypt individual field values in the input documents.

Snap Type

The Encrypt Field Snap is a Transform-type Snap.

Prerequisites

None.

Support for Ultra Pipelines

Works in Ultra Task Pipelines.

Snap Views

Type: Input
Format: Document
Number of Views: Min: 1, Max: 1
Examples of Upstream and Downstream Snaps: Any Snap with a document output view
Description: Stream of documents with nested or flat map data

Type: Output
Format: Document
Number of Views: Min: 1, Max: 1
Examples of Upstream and Downstream Snaps: Any Snap with a document input view
Description: Same as input documents with specified field values encrypted

Error

This Snap has at most one document error view and produces zero or more documents in the view.

Account

A KeyStore account or a Passphrase-based Key account can be used.

Use KeyStore account for X.509 key or secret (symmetric) key.

If no account is selected, the Key property should have an expression to be evaluated with the input document or the Pipeline parameter.

Snap Settings

Field

Field Type

Description

Label

Default Value: Encrypt Field
Example: Encrypt Field

String

Fields to encrypt

Default Value:
Example:

String

Use this field set to define the field path.

Field path*

Default Value:
Example:

String

A table of JSON-path expressions for the fields to encrypt. Use the suggest button to select the field to encrypt.

Transform type


Default Value: auto
Example:

  • AES/GCM/NoPadding
  • DES/CBC/PKCS5Padding
String

The cryptographic transformation to perform, expressed as algorithm/mode/padding. Use the suggest button to select a desired transformation type. 

When set to auto, the transformation is selected automatically based on the type of encryption key, using the following table:

Key Algorithm    Transformation
AES              AES/GCM/NoPadding
DES              DES/CBC/PKCS5Padding
DESede           DESede/CBC/PKCS5Padding
RSA              RSA/None/OAEPWithSHA-256AndMGF1Padding


Advanced Options


Key


Default value: None
Example: $key

String

Specify a JSON path, or enable the expression field and select the path, that the Snap must evaluate against the input document or a pipeline parameter. The result must be a base64- or PEM-encoded key, or a non-encoded RSA public key.

  • This property is required if no account is selected.

  • The Snap supports RSA public keys: the data is encrypted using the public key, and an RSA private key is needed to decrypt the message.

  • For a sample pipeline using X.509 certificate, refer to the attached pipeline file below:

Example_BINARY_Encrypt Decrypt X.509 certificate from input document.

  • For a sample pipeline using the RSA public key, refer to the attached pipeline file below:

Example_Encrypt Decrypt_RSA public key from input document.

Initialization vector


Default value: None
Example: $iv

String

JSON-path expression, evaluated against the input documents or pipeline parameters, that yields the base64-encoded initialization vector. Leave empty to generate one automatically. Note that the content of the initialization vector should be different for every encryption operation. Reusing IVs makes the encryption operation less secure.


Encapsulate output

Default Value: Selected

Checkbox

If selected, encrypted fields are JSON-encoded and encapsulated between "ENC:" and ":ENC" strings. When deselected, the field to be encrypted is replaced with an object that holds the output of the encryption operation, as needed to perform the decryption.

Snap Execution

Default Value: Validate & Execute
Example: Execute only

Dropdown list
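
The Initialization vector setting above warns against reusing IVs. The following Node.js example is added here (it is not SnapLogic code and not part of the original page); it shows what a repeated IV does under AES/GCM/NoPadding and how to check a batch of encrypted records for repeats. The key, the static IV and the phone values are constructed; the ciphertext and iv field names mirror the ones used in this page's Snowflake queries.

```javascript
const crypto = require('node:crypto');

// Encrypt one field value with AES-256-GCM. The returned field names mirror the
// $msg.ciphertext / $msg.iv fields used in this page's Snowflake queries.
function encryptField(key, iv, value) {
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  return { ciphertext: ct.toString('base64'), iv: iv.toString('base64') };
}

function xorBytes(a, b) {
  const out = Buffer.alloc(Math.min(a.length, b.length));
  for (let i = 0; i < out.length; i++) out[i] = a[i] ^ b[i];
  return out;
}

// True when ciphertext1 XOR ciphertext2 equals plaintext1 XOR plaintext2, i.e. the
// key stream cancelled out and the ciphertexts alone expose plaintext structure.
function keystreamCancels(rec1, rec2, p1, p2) {
  const c = xorBytes(Buffer.from(rec1.ciphertext, 'base64'),
                     Buffer.from(rec2.ciphertext, 'base64'));
  return c.equals(xorBytes(Buffer.from(p1), Buffer.from(p2)));
}

// Defender's check over encrypted records: list every IV seen more than once.
function findReusedIvs(records) {
  const counts = new Map();
  for (const r of records) counts.set(r.iv, (counts.get(r.iv) || 0) + 1);
  return [...counts].filter(([, n]) => n > 1).map(([iv]) => iv);
}

// Constructed sample data: a hypothetical key, one static IV, two phone values.
const key = crypto.createHash('sha256').update('constructed-demo-passphrase').digest();
const staticIv = Buffer.alloc(12, 0x07);
const p1 = '+1-555-0100', p2 = '+1-555-0199';

const reused = [encryptField(key, staticIv, p1), encryptField(key, staticIv, p2)];
const fresh = [encryptField(key, crypto.randomBytes(12), p1),
               encryptField(key, crypto.randomBytes(12), p2)];

console.log('static IV, key stream cancels:', keystreamCancels(reused[0], reused[1], p1, p2));
console.log('fresh IVs, key stream cancels:', keystreamCancels(fresh[0], fresh[1], p1, p2));
console.log('reused IVs found:', findReusedIvs([...reused, ...fresh]));
```

Leaving the Initialization vector field empty, so that one is generated automatically, avoids the static-IV case shown here.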

Examples

Encrypting and Decrypting Messages Using RSA Public and Private Key

The example pipeline demonstrates how to use an RSA public key to encrypt messages.

Download this pipeline.

Step 1: Configure the Mapper Snap with a message that you want to encrypt and with the RSA public key.

Step 2: Configure the Encrypt Field Snap with the encrypted message. On validation, the encrypted message displays in the output.


Step 3: Configure the Mapper Snap to extract the message using the decryption key, which is an RSA private key.

Step 4: Configure the Decrypt Field Snap with the decryption key that you pass from the upstream Mapper Snap. On validation, the Decrypt Snap displays the decrypted message in the output.

Encrypt Field Snap Without An Account: Decrypting Data With Snowflake DECRYPT_RAW Function in AES/GCM/NoPadding

The following example Pipeline demonstrates how to decrypt data that has been encrypted by the Encrypt Field Snap (without an account) by using the Snowflake DECRYPT_RAW function.

Step 1: Configure the Mapper Snap with the following data:

  • Enter the message (Hello, world!). This is a sample message that is to be encrypted.

  • Pass an expression Base64.encode('<passphrase>') to generate a 32-byte encryption key. A 24-byte passphrase generates a 32-byte key. You can also pass the encryption key as a Pipeline parameter.

  • Enter This is a sample aad in the 'aad' field, which is a required field if you intend to decrypt the data in Snowflake in AES/GCM/NoPadding. The key name 'aad' is case-sensitive.

Step 2: Configure the Encrypt Field Snap as follows:

  • Specify $msg in the Field path. The Snap encrypts the Hello, world! message.

  • Select the Transform type as AES/GCM/NoPadding, which is the common encryption type. The Snap transforms the message and displays it as an algorithm/mode/nopadding.

  • Under Advanced options specify Key as $encryption_key and Initialization vector as $iv. We do not use any account in the Encrypt Field Snap; hence, we pass an encryption key in the Key field.

  • Deselect Encapsulate output checkbox.

Step 3: Configure the Snowflake Execute Snap as follows:

  • Enter the following query with the DECRYPT_RAW function in the SQL Statement field.

    "select decrypt_raw(base64_decode_binary('" + $msg.ciphertext + "'),
        base64_decode_binary('" + $encryption_key + "'),
        base64_decode_binary('" + $msg.iv + "'),
        base64_decode_binary('" + $msg.aad + "'),
        'AES-GCM',
        base64_decode_binary('" + $msg.aead_tag + "'))
      as decrypted,
        hex_decode_string(to_varchar(decrypted))
      as decrypted_and_decoded"


  • Use the base64_decode_binary function to decode each field except for AES-GCM.
  • Select a valid Snowflake account for the Snowflake Execute Snap.

Step 4: Validate the Pipeline. Note the DECRYPTED_AND_DECODED field in the output of Snowflake Execute Snap is the same as the original message before encryption.


         

Download this Pipeline.

Encrypt Field Snap With Passphrase-based Key Account: Decrypting Data With Snowflake DECRYPT_RAW function in AES/GCM/NoPadding

The following example Pipeline demonstrates how to decrypt data that has been encrypted by the Encrypt Field Snap (with a Passphrase-based Key account) by using the Snowflake DECRYPT_RAW function.

Step 1: Configure the Mapper Snap with the following data:

  • Enter the message (Hello, world!).

  • Pass an expression Base64.encode('<passphrase>') to generate a 32-byte encryption key. A 24-byte passphrase generates a 32-byte key.

  • You can also pass the encryption key as a Pipeline parameter.

  • Enter This is a sample aad in the 'aad' field, which is a required field if you intend to decrypt the data in Snowflake in AES/GCM/NoPadding. The key name 'aad' is case-sensitive.

Step 2: Configure the Encrypt Field Snap as follows:

  • Configure a Passphrase-based Key account as follows:

    • Enter “SnowflakeSnapLogic123456” in the ‘Passphrase’ field.

    • Enter AES in the Algorithm field.

    • Enter 256 in the Key Size field.

  • Specify $msg in the Field path. The Snap encrypts the Hello, world! message.

  • Select the Transform type as AES/GCM/NoPadding. The Snap transforms the message and displays it as an algorithm/mode/nopadding.

  • Under Advanced options leave the Key blank and specify Initialization vector as $iv.

  • Deselect Encapsulate output checkbox.


Step 3: Configure the Snowflake Execute Snap with a valid Snowflake account as follows:

  • Enter the following query in the SQL Statement field:

    "select decrypt_raw(base64_decode_binary('" + $msg.ciphertext + "'),
        sha2_binary('SnowflakeSnapLogic123456', 256),
        base64_decode_binary('" + $msg.iv + "'),
        base64_decode_binary('" + $msg.aad + "'),
        'AES-GCM',
        base64_decode_binary('" + $msg.aead_tag + "'))
      as decrypted,
        hex_decode_string(to_varchar(decrypted))
      as decrypted_and_decoded"


  • Use sha2_binary('<encryption_key>', 256). For example, 'SnowflakeSnapLogic123456' for '<encryption_key>'.
  • Use the base64_decode_binary function to decode each field except for 'AES-GCM'.

Step 4: Validate the Pipeline. Note the DECRYPTED_AND_DECODED field in the output of Snowflake Execute Snap is the same as the original message before encryption.

Download this Pipeline.
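
The check that the DECRYPT_RAW call above performs, reproduced as a Node.js example added here (it is not SnapLogic or Snowflake code and not part of the original page). The record is constructed locally using the field names the query reads (ciphertext, iv, aad, aead_tag), with the key derived as in sha2_binary('<passphrase>', 256); the 12-byte IV and 16-byte tag are assumptions of this example.

```javascript
const crypto = require('node:crypto');

// Same derivation as sha2_binary('<passphrase>', 256) in the query above.
const deriveKey = (passphrase) =>
  crypto.createHash('sha256').update(passphrase, 'utf8').digest();

// Build a record shaped like the fields the query reads; every value is base64.
// Constructed locally: this is not output captured from the Snap.
function makeRecord(key, msg, aad) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(aad, 'utf8'));
  const ct = Buffer.concat([cipher.update(msg, 'utf8'), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return { ciphertext: b64(ct), iv: b64(iv),
           aad: b64(Buffer.from(aad, 'utf8')), aead_tag: b64(cipher.getAuthTag()) };
}

// Decrypt and authenticate. Returns the plaintext, or null when the tag does not
// verify (wrong key, or ciphertext / iv / aad / aead_tag changed after encryption).
function decryptRecord(key, rec) {
  const d = (s) => Buffer.from(s, 'base64');
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, d(rec.iv),
                                             { authTagLength: 16 });
    decipher.setAAD(d(rec.aad));
    decipher.setAuthTag(d(rec.aead_tag)); // throws if the tag is not 16 bytes
    const pt = Buffer.concat([decipher.update(d(rec.ciphertext)), decipher.final()]);
    return pt.toString('utf8');
  } catch (err) {
    return null; // never release unauthenticated plaintext
  }
}

// Passphrase, message and aad are the sample values used in this example Pipeline.
const key = deriveKey('SnowflakeSnapLogic123456');
const record = makeRecord(key, 'Hello, world!', 'This is a sample aad');
const tamperedAad = { ...record, aad: Buffer.from('another aad').toString('base64') };

console.log('intact record:   ', decryptRecord(key, record));
console.log('modified aad:    ', decryptRecord(key, tamperedAad));
console.log('wrong passphrase:', decryptRecord(deriveKey('wrong passphrase'), record));
```

Because the aad is bound into the tag, the decrypting side must receive exactly the aad bytes that were supplied at encryption time.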


Encrypt and Decrypt Input Documents

In this pipeline, the JSON Generator Snap passes the values to the Encrypt Field Snap, which provides the fields to be encrypted. The upstream Mapper Snap maps the values to be decrypted to the Decrypt Field Snap.

The JSON Generator Snap passes the values to the Encrypt Field Snap. Note that the key value is also provided.

The Encrypt Field Snap provides the values to be encrypted. The key value $key is passed via the input document.

The output preview from the Encrypt Field Snap:

The Mapper Snap maps the values including the key value to the Decrypt Field Snap.

The Decrypt Field Snap decrypts the provided fields.

The output preview from the Decrypt Field Snap:


Encrypt and Decrypt Using Passphrase Account with Selected Algorithm Transform Type

In this pipeline, the CSV Generator Snap supplies the values to the Field Encrypt Snap, which provides the fields to be encrypted. The Decrypt Snap decrypts the fields and passes the required field values using the downstream Mapper Snap. The Snaps use the Passphrase-based Account.

The Passphrase Account is set with a nine-digit phrase and a key size of 128.

The CSV Generator Snap passes the values to the Encrypt Snap.

The Field Encrypt Snap encrypts the provided fields, $Phone_m, $Phone_h, $Phone_w.  The Transform type is selected from the suggested list.

The output preview from the Field Encrypt Snap: (Note the encrypted values followed by ENC:...)

The Decrypt Field Snap decrypts the field, $Phone_h. Note that the output preview has the Phone_h field decrypted.

The Mapper Snap passes the field $Phone_h values to the output preview:



Encrypt and Decrypt Using KeyStore Account with Auto Transform Type

In this pipeline, the JSON Generator Snap passes the values to the Mapper Snap, which maps them to the Encrypt Field Snap for encryption. The values are then decrypted as provided in the Decrypt Field Snap.

The KeyStore Account is set with the KeyStore location as secret_key.jks.

The JSON Generator Snap provides the values to the Mapper Snap.

The Mapper Snap maps the values to be passed to the Encrypt Field Snap.

The Encrypt Field Snap provides the fields to be encrypted. The Transform type is set to 'auto', which means that the Snap selects the algorithm as registered in the KeyStore file in the Account.

The output preview from the Encrypt Field Snap:

The Decrypt Field Snap decrypts the fields as provided.

The successful execution of the pipeline displays the below output preview:

   

Downloads