Functionality
Some places in Hop accept a free-form string (for example a VFS URI with a password in the userinfo section) and never call the password decoder themselves. If you put a Hop-encoded value such as Encrypted … or AES2 … directly in that string, the backend receives the encoded text instead of the real password.
The Hop Password Variable Resolver bridges that gap: it calls the same decoder used for connection passwords (Encr.decryptPasswordOptionallyEncrypted) so you can keep encoded secrets in environment or project variables and still use them where only a plain string is accepted.
| This resolver is an interoperability helper for trusted operators. It is not a confidentiality feature. The default Hop password encoder is obfuscation (reversible with a public seed). For real protection at rest, use the AES2 password encoder and/or a secrets-manager resolver (Vault, Azure Key Vault, Google Secret Manager). |
Options
-
Resolve argument as a variable name (recommended, enabled by default): the text after the colon is a variable name. Hop looks up that variable and decrypts its value.
-
When Resolve argument as a variable name is disabled, the text after the colon is treated as a literal encoded password and decrypted as-is.
-
Fail if variable is not defined (disabled by default): only applies when resolving a variable name. When enabled, an undefined variable causes an error so the pipeline or workflow fails. When disabled, a missing variable leaves the original expression unchanged.
Enable Fail if variable is not defined in production environments where a missing password variable should stop the run rather than silently leave #{hop-pwd:…} unresolved. |
Expression format
Create a Variable Resolver metadata entry (for example named hop-pwd) of type Hop Password Variable Resolver.
With Resolve argument as a variable name enabled (cleaner expressions):
{openvar}hop-pwd:SFTP_PASSWORD{closevar} If variable SFTP_PASSWORD holds Encrypted 2be98afc… (or an AES2 … value when AES2 is configured), the expression resolves to the plaintext password.
With the option disabled (literal ciphertext in the expression):
{openvar}hop-pwd:Encrypted 2be98afc86aa7f2e4cb79a369ce93bcc9{closevar} Prefer the variable-name form so pipelines do not embed ciphertext.
SFTP / VFS example
Store the encoded password in a project or environment variable, for example:
SFTP_USER=myuser
SFTP_PASSWORD=Encrypted 2be98afc86aa7f2e4cb79a369ce93bcc9
SFTP_HOST=myserver Then use a URI such as:
sftp://${SFTP_USER}:{openvar}hop-pwd:SFTP_PASSWORD{closevar}@${SFTP_HOST}/path/to/file After resolution, VFS receives a normal URI with a plaintext password in userinfo. Avoid logging resolved URIs at Detailed/Debug level if they may contain credentials.
Security notes
-
Anyone who can author pipelines and configure variable resolvers is already a trusted operator in Hop’s threat model.
-
Decrypting default
Encrypted …values was always possible offline; this resolver only makes intentional use practical. -
With AES2, decryption still requires
HOP_AES_ENCODER_KEYon the runtime; without the key, resolution fails the same way as other password fields. -
Prefer secrets managers when you can keep credentials out of Hop project files entirely.