UiPath.Cryptography.Activities package doesn't provide a way to pass encryption key in a secure way

Hi All,

We have a requirement to encrypt sensitive data before storing it on queues; during processing, we fetch that data from orchestrator, decrypt it and use it.

For this, we are storing our encryption key on orchestrator as type-credential.
Which is why, upon retrieving that key from orchestrator, we have to convert secure string to string before being able to use that key in encrypt/decrypt activities.

Hence, we have a violation of our governance rule (ST-SEC-009 i.e. secure string misusage) enabled at an enterprise level.

Is there a way we can pass the encryption key as secure text, which would also comply with our security rule?

Please suggest.


1 Like

Hi,

The “Type Secure Text” activity can be used, with which the conversion to a regular string can be avoided.

Hi Krishna,

Thank you for your response.

However, our requirement is not to use type activity but encrypt/decrypt activity which doesn’t provide a way to pass secure string currently.

Hence, I am looking to understand if there is any other way to achieve this which I am not aware of.


Hi @AndrewHall @loginerror @Paul_Boulescu,

Looping you in here to seek your inputs as this is also related to governance.

This activity usage is interfering with our governance rule ST-SEC-009.


@sonaliaggarwal47: I am not sure why you need a secure string? In the Encryption activity, type your value and assign a key to it. In your orchestrator, have the key value as an Asset. In the Decryption activity you can just pass the key and the encryption result to get your decrypted value. I can send you screenshots for reference if you need. Hope this helps.

Hi @sonaliaggarwal47,

Quite an interesting question. We have had the same challenge before. This request is tricky, here’s why:

The UiPath Cryptography library uses symmetric-key encryption; see the docs for Encrypt Text.

This means that the encryption key you provide will need to be the same plain text string in the Dispatcher when you encrypt and in the Performer where you decrypt your sensitive information.

We have used this method on datatable columns (Forum Thread) containing sensitive values. Although slow on large datasets, it does work. That said, we did not have a strict policy on the use of secure string usage as you are facing.

What you are currently doing is the only feasible way of using the official UiPath Cryptography library. However, the alternative you can try is to make your own encrypt and decrypt activities in C# which take the string to be encrypted or decrypted and a secure string (the encryption key) as inputs and output an encrypted or decrypted string. This way you do not need to worry about converting the secure string (encryption key) to plain text and will thereby pass the governance requirement as well. Both the conversion of the secure string and the encryption/decryption are performed without any data leak with the C# activity.

I still suggest normal symmetric-key encryption in your custom C# activity to keep things simple. Also, ensure you take a backup of the encryption key you use in the orchestrator. This is because if you have to change the key during production you will know what the value was; orchestrator does not show the credentials (password) field and it is easy to forget encryption keys 🙂

You may also try to look for other encryption/decryption libraries/packages in the marketplace, but my advice is to not use them as they might also not adhere to the organizational policy on using 3rd party packages and most often lack clear documentation.

Hope this helps you.

1 Like
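A sketch of the kind of helper a custom C# activity like the one suggested in the reply above could wrap. It is an added example, not code from this thread or from UiPath; the class name, the blob layout, the PBKDF2 parameters and the choice of AES-GCM on .NET 6 or later are all assumptions.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
using System.Text;
// Added example: hypothetical helper; names and the Base64(salt|nonce|tag|ciphertext) layout are assumptions.
public static class SecureKeyCrypto
{
    const int Salt = 16, Nonce = 12, Tag = 16, Head = Salt + Nonce + Tag;
    // PBKDF2 over the UTF-16 key bytes; both copies are zeroed and no System.String of the key is created.
    static byte[] DeriveKey(SecureString key, byte[] salt)
    {
        IntPtr ptr = Marshal.SecureStringToGlobalAllocUnicode(key);
        byte[] raw = new byte[key.Length * 2];
        try
        {
            Marshal.Copy(ptr, raw, 0, raw.Length);
            return Rfc2898DeriveBytes.Pbkdf2(raw, salt, 100_000, HashAlgorithmName.SHA256, 32);
        }
        finally { Array.Clear(raw, 0, raw.Length); Marshal.ZeroFreeGlobalAllocUnicode(ptr); }
    }
    public static string Encrypt(string plainText, SecureString key)
    {
        byte[] pt = Encoding.UTF8.GetBytes(plainText), blob = new byte[Head + pt.Length];
        RandomNumberGenerator.Fill(blob.AsSpan(0, Salt + Nonce)); // fresh salt and nonce per message
        byte[] aesKey = DeriveKey(key, blob[..Salt]);
        try
        {
            using var gcm = new AesGcm(aesKey); // on .NET 8+: new AesGcm(aesKey, Tag)
            gcm.Encrypt(blob.AsSpan(Salt, Nonce), pt, blob.AsSpan(Head), blob.AsSpan(Salt + Nonce, Tag));
            return Convert.ToBase64String(blob);
        }
        finally { Array.Clear(aesKey, 0, aesKey.Length); }
    }
    // Throws CryptographicException on a wrong key or a modified ciphertext.
    public static string Decrypt(string cipherText, SecureString key)
    {
        byte[] blob = Convert.FromBase64String(cipherText);
        if (blob.Length < Head) throw new CryptographicException("Ciphertext too short.");
        byte[] pt = new byte[blob.Length - Head], aesKey = DeriveKey(key, blob[..Salt]);
        try
        {
            using var gcm = new AesGcm(aesKey);
            gcm.Decrypt(blob.AsSpan(Salt, Nonce), blob.AsSpan(Head), blob.AsSpan(Salt + Nonce, Tag), pt);
            return Encoding.UTF8.GetString(pt);
        }
        finally { Array.Clear(aesKey, 0, aesKey.Length); }
    }
}
```

The activity's key argument would be typed as `SecureString`, so the workflow passes the credential asset's password straight through without a string conversion step.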

You can see my response on a parallel thread Uipath.We.activities.HttpClient usage violates security rule ST-SEC-009 - #3 by AndrewHall


Hi @Pradeep.Robot,

Thank you for your response. Secure string was needed because the encryption key is being saved on orchestrator as a cred asset.


Thank you @jeevith for your response.

Indeed a wonderful addition!!

Yes, we have realized that the only possible solution would be to have another version of these activities which can accept a secure string.
We are in touch with the UiPath team for the same. The challenge is that we have this issue across multiple processes/teams and not just for this scenario. We are facing these in other cases as well, like the connect activity, HTTP request activity headers, HTTP request activity body etc. So instead of us getting this done internally for our own use, it would be worth it if this is implemented from UiPath's side itself so other users can also benefit from this 🙂
I am sure if any organization would consider enabling governance at an enterprise level, this is gonna block them due to a conflict between studio activity configurations and governance rules functioning.

And yes thanks for your tip on backing up keys!!