AES-GCM Encrypt
AES-GCM Encrypt encrypts plaintext using AES in GCM mode and returns a single packed output containing:
IV + SALT + CIPHER_TEXT + TAG
If Generate Key is enabled, the step generates a random session key and salt, derives the AES key using PBKDF2, and writes the session key back to the message.
Parameters
ITERATIONS
Number of PBKDF2 iterations used when deriving the AES key.
Default: 65536
KEY_LENGTH
Length (in bytes) of the derived AES key.
Default: 32
TAG_LENGTH
Length (in bytes) of the AES-GCM authentication tag.
Default: 16
GENERATE_KEY
When enabled, generates a random session key and salt, derives the AES key using PBKDF2, and writes the session key to KEY_PARAM.
When disabled, the step reads the AES key directly from the parameter named in KEY_PARAM (decoded using KEY_ENCODING).
Default: true
SESSION_KEY_LENGTH
Length (in characters) of the generated session key (only used when GENERATE_KEY=true).
Default: 16
IV_LENGTH
Length (in bytes) of the generated IV/nonce. For AES-GCM, 12 bytes is recommended.
Default: 12
SALT_LENGTH
Length (in bytes) of the generated salt (only used when GENERATE_KEY=true).
Default: 16
RANDOM_FORMAT
Format used for random values (IV, salt) and generated session key.
Supported values:
- alnum (default)
- bytes
Default: alnum
HASH_ALGORITHM
Hash algorithm used by PBKDF2 while deriving the key.
Default: SHA256
KEY_ENCODING
Encoding used for the session key / AES key input depending on GENERATE_KEY.
- If GENERATE_KEY=true: used by the session key generator.
- If GENERATE_KEY=false: used to decode the provided AES key into bytes.
Default: base64
IV_ENCODING
Encoding used when generating IV bytes (implementation-dependent).
Default: utf8
SALT_ENCODING
Encoding used when generating salt bytes (implementation-dependent).
Default: utf8
PLAIN_TEXT_ENCODING
Encoding used to convert plaintext to bytes before encryption.
Default: utf8
CIPHER_TEXT_ENCODING
Encoding used to convert the packed output bytes into the final ciphertext string.
Default: base64
KEY_PARAM
Message parameter name used for the session key output (when GENERATE_KEY=true) or AES key input (when GENERATE_KEY=false).
Direction: InOut
Default: KEY
PLAIN_TEXT_PARAM
Message parameter name that contains the plaintext input.
Direction: In
Default: PLAIN_TEXT
CIPHER_TEXT_PARAM
Message parameter name that receives the packed ciphertext output.
Direction: Out
Default: CIPHER_TEXT
Execution Context Behavior
- Reads plaintext from PLAIN_TEXT_PARAM and converts it to bytes using PLAIN_TEXT_ENCODING.
- Generates a random IV of IV_LENGTH.
- If GENERATE_KEY=true:
  - Generates a random salt of SALT_LENGTH.
  - Generates a random session key of SESSION_KEY_LENGTH.
  - Derives an AES key using PBKDF2 with ITERATIONS, HASH_ALGORITHM, and KEY_LENGTH.
  - Writes the session key into the message parameter named by KEY_PARAM.
- If GENERATE_KEY=false:
  - Reads the key from KEY_PARAM and decodes it using KEY_ENCODING to get the AES key bytes.
- Encrypts using AES-GCM producing CIPHER_TEXT bytes and TAG bytes.
- Packs the result as: IV + SALT + CIPHER_TEXT + TAG.
- Encodes the packed bytes using CIPHER_TEXT_ENCODING and writes to CIPHER_TEXT_PARAM.
Example Configuration
| Parameter | Value |
|---|---|
| ITERATIONS | 65536 |
| KEY_LENGTH | 32 |
| TAG_LENGTH | 16 |
| GENERATE_KEY | true |
| SESSION_KEY_LENGTH | 16 |
| IV_LENGTH | 12 |
| SALT_LENGTH | 16 |
| RANDOM_FORMAT | alnum |
| HASH_ALGORITHM | SHA256 |
| KEY_ENCODING | base64 |
| IV_ENCODING | utf8 |
| SALT_ENCODING | utf8 |
| PLAIN_TEXT_ENCODING | utf8 |
| CIPHER_TEXT_ENCODING | base64 |
| KEY_PARAM | KEY |
| PLAIN_TEXT_PARAM | PLAIN_TEXT |
| CIPHER_TEXT_PARAM | CIPHER_TEXT |
Example Result
KEY = [generated value]
CIPHER_TEXT = [base64 packed output]