Set password encoder

Description

The Set password encoder action enables or switches the process-global two-way password encoder from a specific point in a workflow.

Use this when the choice of encoder (Hop obfuscation, AES2, and so on) should be a visible decision on the canvas, not only a setting hidden in environment configuration.

Default configuration for a project or environment should still use project/environment variables (see AES two-way password encoder). This action is for explicit, auditable control in a workflow.

The encoder is process-global. Changing it affects every concurrent pipeline and workflow in the same JVM after this action runs. Place it before any step that needs the new encoder to decrypt secrets.

Options

Option Description

Action name

The name of the workflow action.

Encoder plugin ID

Plugin ID to activate: Hop (obfuscation), AES2 (recommended), or AES (deprecated). Other registered two-way password encoder IDs can be typed as well.

Key variable name

Name of the variable that holds the AES/AES2 key (default HOP_AES_ENCODER_KEY). Do not put the raw key in the workflow definition.

Key file path

Optional path to a file containing the AES/AES2 key (supports variables). Used when the key variable is empty. Suitable for Kubernetes secret mounts.

Best practices

  • Prefer environment config variables for day-to-day keys; use this action when the switch must be visible in the workflow.

  • Inject the key via the environment, a secrets manager, or a key file — never commit keys into HWF or git.

  • Set plugin ID to Hop to disable AES for subsequent steps (return to obfuscation).

  • Mixing ciphertext prefixes (Encrypted, AES, AES2) is not supported for a single active encoder.