Functionality

Some places in Hop accept a free-form string (for example a VFS URI with a password in the userinfo section) and never call the password decoder themselves. If you put a Hop-encoded value such as Encrypted …​ or AES2 …​ directly in that string, the backend receives the encoded text instead of the real password.

The Hop Password Variable Resolver bridges that gap: it calls the same decoder used for connection passwords (Encr.decryptPasswordOptionallyEncrypted) so you can keep encoded secrets in environment or project variables and still use them where only a plain string is accepted.

This resolver is an interoperability helper for trusted operators. It is not a confidentiality feature. The default Hop password encoder is obfuscation (reversible with a public seed). For real protection at rest, use the AES2 password encoder and/or a secrets-manager resolver (Vault, Azure Key Vault, Google Secret Manager).

Options

  • Resolve argument as a variable name (recommended, enabled by default): the text after the colon is a variable name. Hop looks up that variable and decrypts its value.

  • When Resolve argument as a variable name is disabled, the text after the colon is treated as a literal encoded password and decrypted as-is.

  • Fail if variable is not defined (disabled by default): only applies when resolving a variable name. When enabled, an undefined variable causes an error so the pipeline or workflow fails. When disabled, a missing variable leaves the original expression unchanged.

Enable Fail if variable is not defined in production environments where a missing password variable should stop the run rather than silently leave #{hop-pwd:…} unresolved.

Expression format

Create a Variable Resolver metadata entry (for example named hop-pwd) of type Hop Password Variable Resolver.

With Resolve argument as a variable name enabled (cleaner expressions):

{openvar}hop-pwd:SFTP_PASSWORD{closevar}

If variable SFTP_PASSWORD holds Encrypted 2be98afc…​ (or an AES2 …​ value when AES2 is configured), the expression resolves to the plaintext password.

With the option disabled (literal ciphertext in the expression):

{openvar}hop-pwd:Encrypted 2be98afc86aa7f2e4cb79a369ce93bcc9{closevar}

Prefer the variable-name form so pipelines do not embed ciphertext.

SFTP / VFS example

Store the encoded password in a project or environment variable, for example:

SFTP_USER=myuser
SFTP_PASSWORD=Encrypted 2be98afc86aa7f2e4cb79a369ce93bcc9
SFTP_HOST=myserver

Then use a URI such as:

sftp://${SFTP_USER}:{openvar}hop-pwd:SFTP_PASSWORD{closevar}@${SFTP_HOST}/path/to/file

After resolution, VFS receives a normal URI with a plaintext password in userinfo. Avoid logging resolved URIs at Detailed/Debug level if they may contain credentials.

Security notes

  • Anyone who can author pipelines and configure variable resolvers is already a trusted operator in Hop’s threat model.

  • Decrypting default Encrypted …​ values was always possible offline; this resolver only makes intentional use practical.

  • With AES2, decryption still requires HOP_AES_ENCODER_KEY on the runtime; without the key, resolution fails the same way as other password fields.

  • Prefer secrets managers when you can keep credentials out of Hop project files entirely.