dybyte commented on issue #10246:
URL: https://github.com/apache/seatunnel/issues/10246#issuecomment-3734635435
# **FieldEncrypt Transform Design Document**
---
## **Configuration**
```bash
transform {
  FieldEncrypt {
    fields = ["phone", "email"]
    algorithm = "AES_CBC"
    key = "base64:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" # Base64-encoded key
    mode = "ENCRYPT" # ENCRYPT or DECRYPT
  }
}
```
### **Parameters**
| **Parameter** | **Type** | **Required** | **Default** | **Description** |
| --- | --- | --- | --- | --- |
| `fields` | List<String> | Yes | - | List of fields to encrypt/decrypt |
| `algorithm` | Enum | No | `AES_CBC` | Encryption algorithm |
| `key` | String | Yes | - | Base64-encoded encryption key |
| `mode` | Enum | No | `ENCRYPT` | Operation mode: `ENCRYPT` or `DECRYPT` |
---
## **Key Design Decisions**
### **1. Encryption Algorithms**
- AES/CBC/PKCS5Padding (random IV)
- For AES/CBC, a random IV is generated per record and
appended to the ciphertext.
---
### **2. Supported Data Types**
**Decision**: **String fields only**
- Can be extended to other types in future versions if needed
---
### **3. Encryption/Decryption Mode**
**Decision**: transform with `mode` parameter
Decryption or encryption errors will cause the job to fail fast.
---
### **4. Key**
The decoded key length must be valid for the selected AES variant (e.g.,
16/24/32 bytes).
Invalid keys will cause job startup failure.
---
## **Usage Examples**
### **Example 1: Encryption**
```bash
transform {
  FieldEncrypt {
    fields = ["phone", "email"]
    key = "base64:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
    mode = "ENCRYPT"
  }
}
```
---
### **Example 2: Multi-Table Transform**
```bash
source {
  FakeSource {
    tables_configs = [
      {
        row.num = 100
        schema = {
          table = "test.abc"
          columns = [
            { name = "id", type = "bigint" },
            { name = "name", type = "string" },
            { name = "address", type = "string" }
          ]
        }
      },
      {
        row.num = 100
        schema = {
          table = "test.xyz"
          columns = [
            { name = "id", type = "bigint" },
            { name = "name", type = "string" },
            { name = "age", type = "string" }
          ]
        }
      },
      {
        row.num = 100
        schema = {
          table = "test.www"
          columns = [
            { name = "id", type = "bigint" },
            { name = "name", type = "string" },
            { name = "age", type = "string" }
          ]
        }
      }
    ]
  }
}
transform {
  FieldEncrypt {
    fields = ["age"]
    key = "base64:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
    algorithm = "AES_CBC"
    mode = "ENCRYPT"
    table_transform = [
      {
        table_path = "test.abc"
        fields = ["address"]
      }
    ]
  }
}
sink {
  Console {}
}
```
---
### **Example 3: Decryption**
```bash
transform {
  FieldEncrypt {
    fields = ["phone", "email"]
    key = "base64:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
    mode = "DECRYPT"
  }
}
```
---
**Note**: Initial implementation will focus on core functionality, with
plans for future feature expansion.
I appreciate any feedback or suggestions for improvements. If you have ideas
for additional features or enhancements, please let us know in the comments.
Thank you for your input!
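The key check and per-record IV handling described in the design above, written out as an added Java example; it is not part of the original comment and not SeaTunnel code. The class and method names, the mandatory `base64:` prefix, and the stored layout (Base64 of ciphertext followed by the 16-byte IV) are assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

// Added sketch, not SeaTunnel code. Names and the Base64(ciphertext || IV) layout are assumptions.
public class FieldEncryptSketch {
    static final int IV_LEN = 16; // AES block size
    static final SecureRandom RNG = new SecureRandom();

    // Startup check: strip "base64:", decode, reject any length AES cannot use.
    static SecretKeySpec parseKey(String cfg) {
        if (!cfg.startsWith("base64:")) throw new IllegalArgumentException("key must start with base64:");
        byte[] raw = Base64.getDecoder().decode(cfg.substring(7)); // throws on malformed Base64
        if (raw.length != 16 && raw.length != 24 && raw.length != 32)
            throw new IllegalArgumentException("decoded key is " + raw.length + " bytes, need 16, 24 or 32");
        return new SecretKeySpec(raw, "AES");
    }

    static String encrypt(SecretKeySpec key, String plain) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv); // fresh IV for every record
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(ct, ct.length + IV_LEN);
        System.arraycopy(iv, 0, out, ct.length, IV_LEN); // IV appended after the ciphertext
        return Base64.getEncoder().encodeToString(out);
    }

    static String decrypt(SecretKeySpec key, String stored) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(stored);
        if (in.length < 2 * IV_LEN || in.length % IV_LEN != 0) // at least one block plus the IV
            throw new GeneralSecurityException("malformed encrypted field");
        int ctLen = in.length - IV_LEN;
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(in, ctLen, IV_LEN));
        return new String(c.doFinal(in, 0, ctLen), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        SecretKeySpec key = parseKey("base64:" + Base64.getEncoder().encodeToString(new byte[16])); // constructed test key
        String a = encrypt(key, "555-0100"), b = encrypt(key, "555-0100"); // constructed sample value
        if (a.equals(b) || !decrypt(key, a).equals("555-0100")) throw new IllegalStateException("self-check failed");
    }
}
```

Because the IV is random per record, equal plaintexts encrypt to different values, so an encrypted column cannot be matched or joined on downstream. CBC gives confidentiality only: a modified field either fails padding on decrypt or decrypts to altered text, and nothing in this scheme detects the change.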