# AES256

{% hint style="warning" %}
Secrets will only be reloaded if the Connector restarts.
{% endhint %}

Add the plugin to the worker classloader isolation via the **plugin.path** option:

```properties
plugin.path=/usr/share/connectors,/opt/secret-providers
```

\
The provider gets AES-256 encrypted value as a key and simply decrypts it to get the value (instead of e.g. looking up for the value somewhere).

The AES-256 encryption used for the value needs to be prefixed with base64 encoded initialisation vector and a space character, the encrypted value is also base64 encoded. So to corretly encrypt `value1` I need to follow following steps:

* `encrypted-bytes` = aes-256 encrypted `value1`
* `encrypted-base64` = base64 `encrypted-bytes`
* `initialisation-vector` = random bytes
* `iv-base64` = base64 `initialisation-vector`
* `encrypted-value` = `iv-base64` + + `encrypted-base64`

## Configuring the plugin  <a href="#configuring-the-plugin" id="configuring-the-plugin"></a>

The plugin needs to be configured with secret key that will be used for decoding. The key is a string and needs to have size of 32 bytes (UTF-8 encoded).

| Name       | Description                                                                  | Default |
| ---------- | ---------------------------------------------------------------------------- | ------- |
| aes256.key | Secret key used for encrypting and decrypting the value. String of 32 bytes. |         |

Example worker properties file:

{% code title="worker.props" %}

```properties
config.providers=aes256
config.providers.aes256.class=io.lenses.connect.secrets.providers.Aes256DecodingProvider
config.providers.aes256.param.aes256.key=aaaaaaaaaabbbbbbbbbbccccccccccdd
config.providers.aes256.param.file.dir=/tmp/aes256
```

{% endcode %}

## Usage&#x20;

To use this provider in a connector, reference the keyvault containing the secret and the key name for the value of the connector property.

The indirect reference is in the form **${provider:path:key}** where:

* **provider** is the name of the provider in the worker property file set above
* **path** used to provide encoding of the value: utf8, utf8\_file, base64, base64\_file
* **key** is the AES-256 encrypted value to be decrypted by the plugin

For example, if `hello` aes-256 encrypted using some key equals to `xyxyxy` - then if I configure connector to use `${aes256::xyxyxy}` for a parameter value, the value should be substituted with “hello” string:

{% code title="connector.props" %}

```properties
name=my-sink
class=my-class
topics=mytopic
greeting=${aes256::xyxyxy}
```

{% endcode %}

This would resolve at runtime to:

```properties
name=my-sink
class=my-class
topics=mytopic
greeting=hello
```

`path` belonging to key reference is used to specify encoding used to pass the value. The provider supports following encodings:

* base64: base-64 encoding of the textual value
* base64\_file: base-64 encoding of the value that when decrypted should be stored in the file
* utf8\_file: utf-8 encoding of the value that when decrypted should be stored in the file
* utf8: utf-8 encoding of textual value

The UTF8 means the value returned is the decrypted value of the encrypted value (key). The BASE64 means the value returned is the base64 decoded decrypted value of the encrypted value (key).

If the value for the encoding is UTF8\_FILE the string contents are written to a file. The name of the file will be randomply generated. The file location is determined by the file.dir configuration option given to the provider via the Connect worker.properties file.

If the value for the encoding is BASE64\_FILE the string contents are based64 decoded and written to a file. The name of the file will be randomply generated. For example, if a connector needs a PEM file on disk, set this as the path as BASE64\_FILE. The file location is determined by the file.dir configuration option given to the provider via the Connect worker.properties file.

If the key reference path is not set or is set to unknown value - utf8 encoding is used as default.

For example, if we want to save `hi there !` to the file, and aes-256 encrypted content equals `xyxyxy` - then if I configure connector to use `${aes256:utf8_file:xyxyxy}` for a parameter value, the provider will create new file with random name (`abc-def-ghi`) and store `hi there !` to the file. If configured store directory is `/store-root`, he value will be substituted with `/store-root/secrets/abc-def-ghi` string:

{% code title="connector.props" %}

```properties
name=my-sink
class=my-class
topics=mytopic
greeting=${aes256:utf8_file:xyxyxy}
```

{% endcode %}

resolves to

```properties
name=my-sink
class=my-class
topics=mytopic
greeting=/store-root/secrets/abc-def-ghi
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.lenses.io/latest/connectors/secret-providers/aes256.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.