{decrypt:text:key:output_type}

Description

Decrypts a ciphertext that was produced by the encrypt command, using key as the password, and returns the original plaintext. AA uses AES-256-GCM (via the PHP sodium extension); the key string is turned into a 32-byte key automatically - short keys are padded, long keys are hashed - so any key length works, but the SAME key must be used to encrypt and decrypt. Decryption is authenticated: if the key is wrong or the ciphertext was altered or is not a valid ciphertext, decrypt returns an empty string instead of an error or garbage. The third parameter output_type is deprecated and ignored (kept only for backward compatibility; the legacy mcrypt format is no longer supported). Encryption uses a fresh random nonce each time, so encrypting the same text twice gives two different ciphertexts that both decrypt back to the same plaintext.

Parameters

text required default (empty)

The ciphertext to decrypt - a value previously produced by the encrypt command. If it is not a valid ciphertext (too short, altered, or plain text) the result is an empty string.

key required default (empty)

The password/key used to decrypt. It must be exactly the same key that was used to encrypt the text. Any length is accepted (it is normalized to a 32-byte AES key internally). A wrong key yields an empty string.

output_type optional default (empty)

Deprecated and ignored. In older AA versions the value url selected a url-safe encoding for the legacy mcrypt format; that format is no longer supported, so this parameter has no effect today.

Examples

test{decrypt:{encrypt:hello:demokey}:demokey}

Expectedhello

Actualhello

Encrypt a value and decrypt it back with the SAME key. The result always equals the original plaintext. This is the basic round-trip: the same key must be used for both steps.

test[{decrypt:lfNr4o1ve_uXeNj75VUig5zTHwdxyV_5uSCXwyQw:demokey}]

Expected[hello]

Actual[hello]

Decrypt a ciphertext you already have (for example one produced earlier by {encrypt:...} and saved). With the correct key the plaintext comes back. The ciphertext here was made from the text hello with key demokey.

test[{decrypt:lfNr4o1ve_uXeNj75VUig5zTHwdxyV_5uSCXwyQw:wrongkey}]

Expected[]

Actual[]

If the key does not match the one used to encrypt, authentication fails and {decrypt:...} returns an empty string (it never returns garbage or a partial result). The brackets here show the empty result.

test[{decrypt:notacipher:demokey}]

Expected[]

Actual[]

Any input that is not a valid ciphertext (too short, tampered, or plain text) also returns an empty string. Decrypt fails safely rather than erroring out.

test{decrypt:{encrypt:APC-AA news:s3cret-pass}:s3cret-pass}

ExpectedAPC-AA news

ActualAPC-AA news

The text and the key can be any length. AA derives a 32-byte AES key from whatever key string you pass (short keys are padded, long keys are hashed), so a passphrase like s3cret-pass works. Spaces in the text are preserved.

virtual{decrypt:{token...........}:my-server-key}

Expected(the decrypted value of the token field, or empty if the key is wrong)

Typical use: an item field holds a value that was encrypted on save, and you decrypt it for display using a key your template supplies (for example a constant or a server-side secret). The output depends on the stored ciphertext and the key, so this example is illustrative.

← All expressions