AES Two way password encoder
| The AES prefix is deprecated since version 2.11, use the AES2 prefix this prefix offers better cryptographic strength. Moving from AES to AES2 prefix requires you te re-generate the password strings |
Description
The AES two-way password encoder plugin allows you to encrypt and decrypt passwords using a provided key string.
The active encoder is process-global for the Hop JVM. It can be selected at startup (system properties), re-initialized when a project or environment is enabled, or switched explicitly with the Set password encoder workflow action.
Configuration
Variables and system properties
These properties can be set as system properties (-D / environment for hop scripts), as project or environment described variables, or a combination:
-
HOP_PASSWORD_ENCODER_PLUGIN: set this to the ID of this plugin:AES2(orAESfor the deprecated plugin). UseHopto fall back to obfuscation. -
HOP_AES_ENCODER_KEY: the key string used to encode or decode passwords -
HOP_AES_ENCODER_KEY_FILE: path to a file whose contents are the key (used whenHOP_AES_ENCODER_KEYis empty). Useful for Kubernetes secret mounts, for example${PROJECT_HOME}/.aes.keyor/secrets/aes.key
Key material resolution order for AES/AES2:
-
Non-empty
HOP_AES_ENCODER_KEYfrom the current variable space (or system property) -
Non-empty
HOP_AES_ENCODER_KEY_FILE(variable or system property) → read file contents
Per project / environment
When a project (and optional lifecycle environment) is enabled, Hop re-initializes the password encoder from the resulting variable space. That means:
-
Different environments can use different AES2 keys
-
Switching projects resets the encoder so a previous project’s key does not stick
-
Omitting AES settings (or setting
HOP_PASSWORD_ENCODER_PLUGIN=Hop) returns to obfuscation
Example environment config variables:
{
"variables": [
{ "name": "HOP_PASSWORD_ENCODER_PLUGIN", "value": "AES2", "description": "Use AES2 for this environment" },
{ "name": "HOP_AES_ENCODER_KEY_FILE", "value": "${PROJECT_HOME}/.aes.key", "description": "Per-project key file" }
]
} Do not commit key files into source control.
Workflow action
For an explicit, reviewable decision on the canvas, use Set password encoder. It re-binds the same process-global encoder and must not store the raw key in the workflow.
Noteworthy
Please note that passwords are encoded with prefix which is AES2 plus a space. This means that it’s different from standard, Hop encoded, passwords which have prefix AES2 which is Encrypted plus a space. The consequence of this is that you need to encode passwords either one way or another. Mixing password encoding is not supported.Encrypted
Best practices
Make sure to only use variables and parameters to specify passwords. Store the passwords in an environment using the projects plugin. This way you can store the passwords in a single file specific for the given environment (development, test, production, …).
Secure the passwords file. Even though passwords are encrypted it’s better to be safe than sorry. A password that can’t be read, encrypted or otherwise, can’t be seen in any way. So use appropriate file security on the file in which you eventually store the passwords. This advice is doubly true for the key.
You can specify the key using a variable as well.