Encryption Invoker
The Encryption Invoker component facilitates the secure management of sensitive data within your organization's data flows. It achieves this by enabling the encryption and decryption of data during a DataConnect process, while adhering to established OpenPGP standards.
Data can be encrypted from files and messages and decrypted to files and messages. The input and output formats can be mixed (for example, input from a file can be output to a message). However, the fastest option is to input from a file and output to a file.
To configure this feature you set the Component Properties and Component Parameters, and then set either the Properties for Encryption or the Properties for Decryption.
Encryption Process Flow
A typical use case involves inserting an Encryption Invoker step to encrypt sensitive customer data before loading into a data warehouse.
Encryption Mechanism: Encryption within a DataConnect process is executed using a recipient's public key file.
Authentication (Optional): Users have the option to sign the encrypted data for authenticity. This requires using a private key and a corresponding passphrase.
Output Handling: The resulting encrypted output can be passed along to subsequent downstream process steps or stored securely (for example, in the data warehouse).
Decryption Process Flow
When an authorized user needs to access the protected data, a subsequent DataConnect process includes an Encryption Invoker step configured for decryption.
Decryption Mechanism: Decryption is performed using the intended recipient's private key and the associated passphrase. This process effectively "unlocks" the data.
Integrity Verification (Optional): The Encryption Invoker automatically performs the following checks during decryption:
An integrity check which reports any failure to the log file.
Signature verification, performed if the signer’s public key is provided during decryption. The result is written to the log, but decryption does not halt if verification fails, so a failed signature is visible only in the log.
A key file expiration check, performed during key validation. Expired keys are noted in the log, but operations are not halted if keys are expired.
Output Handling: The decrypted output can then be utilized in subsequent process steps or directly delivered to end-users for consumption.
Supported Data Formats
The Encryption Invoker component is versatile and supports encryption/decryption for a range of data structures:
Flat data formats
Hierarchical data formats
DJMessage objects
Prerequisites
The Encryption Invoker makes use of OpenPGP for encryption and decryption. Keys can be any supported length, but must be in RSA format.
Specific use cases require the following:
For encryption, the receiver’s public key is required.
For encryption with a signature, the receiver’s public key, the sender’s secret key, and the passphrase for the sender’s secret key are required.
For decryption, the receiver’s secret key, and the passphrase for the receiver’s secret key are required.
For decryption with verification of a signature, the receiver’s secret key, the passphrase for the receiver’s secret key, and the sender's public key are required.
Component Properties
The following properties are set in the Add Invoker Component dialog when the Encryption Invoker is initially configured.
| Property Name | Description |
|---|---|
| Public Key File (Encrypt) | File path to recipient’s public key file for encryption. Tip: This value can be stored in macros. |
| Secret Key File (Decrypt) | File path to recipient’s secret key file for decryption. Tip: This value can be stored in macros. |
| Secret Key Passphrase (Decrypt) | Passphrase to unlock secret key for decryption. |
Component Parameters
| Parameter | Description |
|---|---|
| Source Message | The DJMessage object containing the source (either plain text to be encrypted, or encrypted text to be decrypted). Tip: The message body should contain the text. The message object must already exist in the process configuration, and must be initialized prior to the Invoker step. |
| Target Message | The DJMessage object for the results of the Invoker step. Tip: The message body will store the results of the Invoker operation. The message object must already exist in the process configuration, and must be initialized prior to the Invoker step. |
Properties for Encryption
| Property Name | Description |
|---|---|
| Operation | Select Encrypt. |
| Input | From File: Select if the data you wish to encrypt is stored in a file. This is the default. From Message: Select if the data you wish to encrypt is stored in a message. Tip: The input and output formats can be mixed (for example, you can input from a file and output to a message). However, the fastest option is to input from a file and output to a file. |
| Input File | The path to the input file. This field is only visible when Input is set to From File. |
| Output | To File: Select if you wish to store the encrypted data in a file. This is the default. To Message: Select if you wish to store the encrypted data in a message. Tip: The input and output formats can be mixed (for example, you can input from a file and output to a message). However, the fastest option is to input from a file and output to a file. |
| Output File | The path to the output file. This field is only visible when Output is set to To File. |
| ASCII Armor | True: Formats encrypted output as ASCII text with headers and footers. This is the default. False: Outputs data in binary format. |
| Integrity Check | True: Verifies that the data is not changed after encryption. Includes a hash value to validate whether encrypted contents have been altered after encryption. This is the default. False: Does not verify that the data is not changed after encryption. |
| Signing Secret Key | (Optional.) The path to the sender’s secret key. When this is provided, the encrypted file will also be signed using your secret key. |
| Signing Passphrase | Required when a signing secret key is provided. The passphrase for unlocking the signing secret key. |
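The following is an added example, not part of the product documentation or of DataConnect itself: a Python check that reads an encrypted output file and reports whether it is ASCII-armored and whether it carries an integrity-protected encrypted data packet. It assumes the Integrity Check property corresponds to the standard OpenPGP integrity-protected packet (tag 18) as opposed to the legacy packet (tag 9); the function names and sample bytes are constructed for illustration.

```python
import base64
BEGIN, END = "-----BEGIN PGP MESSAGE-----", "-----END PGP MESSAGE-----"

def dearmor(text):
    """Return the binary packets carried in an ASCII-armored message."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an armored OpenPGP message")
    body = lines[lines.index("") + 1:-1]      # armor headers end at the blank line
    if body and body[-1].startswith("="):     # optional CRC-24 line, not checked here
        body.pop()
    return base64.b64decode("".join(body))

def packet_tags(data):
    """Walk the top-level OpenPGP packet headers and return their tags in order."""
    tags, i = [], 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                        # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:                   # one-octet length
                length, i = first, i + 2
            elif first < 224:                 # two-octet length
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:                # five-octet length
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:                             # partial length: streamed final packet
                return tags + [tag]
        else:                                 # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:                    # indeterminate length: runs to the end
                return tags + [tag]
            n = 1 << ltype
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        tags.append(tag)
        i += length
    return tags

def inspect_message(blob):                    # needs no key material
    armored = blob.lstrip().startswith(BEGIN.encode())
    tags = packet_tags(dearmor(blob.decode("ascii")) if armored else blob)
    return {"armored": armored, "tags": tags,
            "integrity_protected": 18 in tags and 9 not in tags}

# Constructed samples with dummy bodies (not real ciphertext): tag 1 then 18, tag 1 then 9.
PROTECTED = bytes([0xC1, 3, 3, 0, 1, 0xD2, 4, 1, 0, 0, 0])
UNPROTECTED = bytes([0xC1, 3, 3, 0, 1, 0xA4, 3, 0, 0, 0])
ARMORED = f"{BEGIN}\n\n{base64.b64encode(PROTECTED).decode()}\n{END}\n".encode()
```

Pass the raw bytes of an output file to `inspect_message` and treat a result with `integrity_protected` set to `False` as a file produced with Integrity Check disabled.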
Properties for Decryption
| Property Name | Description |
|---|---|
| Operation | Select Decrypt. |
| Input | From File: Select if the data you wish to decrypt is stored in a file. This is the default. From Message: Select if the data you wish to decrypt is stored in a message. Tip: The input and output formats can be mixed (for example, you can input from a file and output to a message). However, the fastest option is to input from a file and output to a file. |
| Input File | The path to the input file. This field is only visible when Input is set to From File. |
| Output | To File: Select if you wish to store the decrypted data in a file. This is the default. To Message: Select if you wish to store the decrypted data in a message. Tip: The input and output formats can be mixed (for example, you can input from a file and output to a message). However, the fastest option is to input from a file and output to a file. |
| Output File | The path to the output file. This field is only visible when Output is set to To File. |
| Signer Public Key | The path to the public key for the sender. When this is provided, the signature on the encrypted file is verified using the sender’s public key. |
Last modified date: 01/08/2026