RE: AES - RSA hibrid

Stefan Helzle — Mon, 17 Nov 2025 17:39:12 GMT

Gemini tells me this:

That's a great question that gets to the heart of how different encryption methods are often combined! 💡

The short answer is: No, you cannot directly decrypt an AES-encrypted text using an RSA private key.

Your proposed method actually describes a common security practice known as a hybrid encryption scheme, but it seems there might be a slight misunderstanding of which key encrypts what.

Here’s a breakdown of why this is the case and how the process typically works:

🔑 Understanding the Encryption Types

To clarify your goal, let's look at the two types of encryption you mentioned:

1. AES (Symmetric Encryption)

How it works: Uses a single, shared secret key for both encryption and decryption. This is called a Symmetricalgorithm.
Benefit: It's extremely fast and efficient for encrypting large amounts of data.
Drawback: The sender and receiver must securely exchange the secret key beforehand.

2. RSA (Asymmetric Encryption)

How it works: Uses a pair of keys—a public key for encryption (which can be shared widely) and a corresponding private key for decryption (which must be kept secret). This is called an Asymmetric or Public-Key algorithm.
Benefit: It solves the key-exchange problem; anyone can use the public key to send you data only you can read.
Drawback: It is much slower and less efficient for encrypting large amounts of data compared to AES.

🔄 The Hybrid Encryption Solution (How it Should Work)

Because AES is fast for data and RSA is secure for key exchange, they are combined in a hybrid scheme to get the benefits of both. This is precisely what happens in secure protocols like TLS/SSL.

Shutterstock

Here are the correct steps for what you are trying to achieve:

Generate the Session Key (Sender - Appian/Plugin):
- The Appian service first generates a random, single-use AES secret key (let's call it the Session Key).
Encrypt the Data (Sender - Appian/Plugin):
- The Appian service uses the Session Key to encrypt the actual text data via AES. This results in the encrypted text.
Encrypt the Session Key (Sender - Appian/Plugin):
- The Appian service takes the external service's RSA Public Key (stored in the Secure Credential Store) and uses it to encrypt the Session Key itself. This results in the encrypted key.
Send the Package:
- The Appian service sends two items to the external service:
  - The AES-encrypted text.
  - The RSA-encrypted Session Key.
Decrypt the Session Key (Receiver - External Service):
- The external service uses its RSA Private Key to decrypt the encrypted key. This recovers the original Session Key.
Decrypt the Data (Receiver - External Service):
- The external service uses the recovered Session Key to decrypt the AES-encrypted text, revealing the original message.

In summary of your original guess:

You are correct that you should use the external service's RSA Public Key for encryption.
You are incorrect in assuming this public key will directly encrypt the entire message in a way that allows the external service to use its Private Key to decrypt the AES-encrypted data. The RSA Public Key's job is to secure the Session Key, not the data itself.

You'll need a mechanism within the "Encryption Functions" plugin (or a custom process) that allows you to perform both the AES encryption of the data AND the RSA encryption of the AES key.