Set password encoder
Description
The Set password encoder action enables or switches the process-global two-way password encoder from a specific point in a workflow.
Use this when the choice of encoder (Hop obfuscation, AES2, and so on) should be a visible decision on the canvas, not only a setting hidden in environment configuration.
Default configuration for a project or environment should still use project/environment variables (see AES two-way password encoder). This action is for explicit, auditable control in a workflow.
| The encoder is process-global. Changing it affects every concurrent pipeline and workflow in the same JVM after this action runs. Place it before any step that needs the new encoder to decrypt secrets. |
Options
| Option | Description |
|---|---|
Action name | The name of the workflow action. |
Encoder plugin ID | Plugin ID to activate: |
Key variable name | Name of the variable that holds the AES/AES2 key (default |
Key file path | Optional path to a file containing the AES/AES2 key (supports variables). Used when the key variable is empty. Suitable for Kubernetes secret mounts. |
Best practices
-
Prefer environment config variables for day-to-day keys; use this action when the switch must be visible in the workflow.
-
Inject the key via the environment, a secrets manager, or a key file — never commit keys into HWF or git.
-
Set plugin ID to
Hopto disable AES for subsequent steps (return to obfuscation). -
Mixing ciphertext prefixes (
Encrypted,AES,AES2) is not supported for a single active encoder.