You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
docs(vrl): add documentation for IPCrypt functions
Add documentation for the new `encrypt_ip` and `decrypt_ip` VRL functions
that implement format-preserving encryption for IP addresses.
These functions support two modes:
- AES128: Scrambles entire IP address using AES-128 encryption
- PFX: Prefix-preserving mode that maintains network hierarchy
The functions implement the `ipcrypt-deterministic` and `ipcrypt-pfx`
algorithms from the IPCrypt specification.
Related PR: vectordotdev/vrl#1506
Decrypts an IP address that was previously encrypted, restoring the original IP address.
7
+
8
+
Supported Modes:
9
+
10
+
* AES128 - Decrypts an IP address that was scrambled using AES-128 encryption. Can transform between IPv4 and IPv6.
11
+
* PFX (Prefix-preserving) - Decrypts an IP address that was encrypted with prefix-preserving mode, where network hierarchy was maintained.
12
+
"""
13
+
notices: [
14
+
"""
15
+
The `aes128` mode implements the `ipcrypt-deterministic` algorithm from the IPCrypt specification, while the `pfx` mode implements the `ipcrypt-pfx` algorithm. This function reverses the encryption performed by `encrypt_ip` - the same key and algorithm that were used for encryption must be used for decryption.
16
+
""",
17
+
]
18
+
19
+
arguments: [
20
+
{
21
+
name: "ip"
22
+
description: "The encrypted IP address to decrypt (v4 or v6)."
23
+
required: true
24
+
type: ["string"]
25
+
},
26
+
{
27
+
name: "key"
28
+
description: "The decryption key in raw bytes (not encoded). Must be the same key that was used for encryption. For AES128 mode, the key must be exactly 16 bytes. For PFX mode, the key must be exactly 32 bytes."
29
+
required: true
30
+
type: ["string"]
31
+
},
32
+
{
33
+
name: "mode"
34
+
description: "The decryption mode to use. Must match the mode used for encryption: either `aes128` or `pfx`."
35
+
required: true
36
+
type: ["string"]
37
+
},
38
+
]
39
+
internal_failure_reasons: [
40
+
"`ip` is not a valid IP address.",
41
+
"`mode` is not a supported mode (must be `aes128` or `pfx`).",
42
+
"`key` length does not match the requirements for the specified mode (16 bytes for `aes128`, 32 bytes for `pfx`).",
Encrypts an IP address, transforming it into a different valid IP address.
7
+
8
+
Supported Modes:
9
+
10
+
* AES128 - Scrambles the entire IP address using AES-128 encryption. Can transform between IPv4 and IPv6.
11
+
* PFX (Prefix-preserving) - Maintains network hierarchy by ensuring that IP addresses within the same network are encrypted to addresses that also share a common network. This preserves prefix relationships while providing confidentiality.
12
+
"""
13
+
notices: [
14
+
"""
15
+
The `aes128` mode implements the `ipcrypt-deterministic` algorithm from the IPCrypt specification, while the `pfx` mode implements the `ipcrypt-pfx` algorithm. Both modes provide deterministic encryption where the same input IP address encrypted with the same key will always produce the same encrypted output.
16
+
""",
17
+
]
18
+
19
+
arguments: [
20
+
{
21
+
name: "ip"
22
+
description: "The IP address to encrypt (v4 or v6)."
23
+
required: true
24
+
type: ["string"]
25
+
},
26
+
{
27
+
name: "key"
28
+
description: "The encryption key in raw bytes (not encoded). For AES128 mode, the key must be exactly 16 bytes. For PFX mode, the key must be exactly 32 bytes."
29
+
required: true
30
+
type: ["string"]
31
+
},
32
+
{
33
+
name: "mode"
34
+
description: "The encryption mode to use. Must be either `aes128` or `pfx`."
35
+
required: true
36
+
type: ["string"]
37
+
},
38
+
]
39
+
internal_failure_reasons: [
40
+
"`ip` is not a valid IP address.",
41
+
"`mode` is not a supported mode (must be `aes128` or `pfx`).",
42
+
"`key` length does not match the requirements for the specified mode (16 bytes for `aes128`, 32 bytes for `pfx`).",
0 commit comments