Using the Decrypt Files Node
Decrypt GPG/PGP-encrypted files as part of your Multi FileFeed pipeline using the Decrypt Files transform node. Keys are retrieved from your secrets manager at runtime.
The Decrypt Files node decrypts GPG/PGP-encrypted files as part of your Multi FileFeed pipeline. It retrieves decryption keys at runtime from your organization's configured secrets manager — AWS Secrets Manager or Azure Key Vault — so that sensitive key material never needs to be stored in OneSchema.
Prerequisites
Before configuring the Decrypt Files node, you need:
- A secrets manager connection configured on the Settings → Connections page with at least one managed secret. See:
- A Multi FileFeed with encrypted files arriving at a source node
- Admin or Developer role in your OneSchema organization
Step 1 — Add the Decrypt Files node
- Open your Multi FileFeed and navigate to the Transform Builder (canvas view).
- Click the + icon on a node to open the transforms menu. Under File processing, select Decrypt file.
- Connect the node to the upstream node that produces the encrypted files by dragging an edge from the preceding node to the Decrypt Files node.
Step 2 — Configure the node
In the Decrypt Files node configuration panel:
- Select encrypted files to decrypt: Choose the specific files from upstream nodes, or select All GPG files to automatically decrypt every file with a GPG/PGP extension.
- Secrets manager account: Select your AWS Secrets Manager or Azure Key Vault connection from the dropdown.
- Managed secret: Select the specific secret (PGP private key or symmetric passphrase) to use for decryption.
Step 3 — Run the workflow
Run the workflow to verify that decryption succeeds. The Decrypt Files node will:
- Retrieve the managed secret from your secrets manager at runtime
- Auto-detect whether the secret is a PGP private key or a symmetric passphrase
- Decrypt each input file using GPG
- Strip encrypted file extensions (.gpg, .pgp, .asc, .enc) from output filenames
- Pass the decrypted files to downstream nodes
Supported decryption types
| Type | Secret format |
|---|---|
| PGP key decryption | A full PGP private key block (-----BEGIN PGP PRIVATE KEY BLOCK----- … -----END PGP PRIVATE KEY BLOCK-----) stored as raw plaintext |
| Symmetric passphrase | A plain passphrase string with no JSON wrapper or surrounding quotes |
The node automatically detects the encryption type from the file header — no manual configuration is needed.
Troubleshooting
"Decrypt file node is not configured: no managed secret selected"
The node has not been configured with a managed secret. Open the node in the transform builder and select a secrets manager account and managed secret.
"The configured secret could not be found"
The managed secret reference was deleted, misconfigured, or you are not authorized to access it. Re-create the managed secret on the Connections page and update the node configuration.
"Failed to retrieve decryption secret"
OneSchema could not fetch the secret from your secrets manager. Use the Test connection feature on the Settings → Connections page to diagnose the issue. Common causes:
- The IAM role trust policy was modified (AWS) or client secret expired (Azure)
- The secret was deleted or moved to a different region/vault
- Credentials expired (transient — the system retries automatically)
"Managed secret is stored with a wrapper"
The secret value is wrapped in JSON or surrounded by quotes. Re-store the secret as the raw value:
- PGP key: The full -----BEGIN PGP PRIVATE KEY BLOCK----- export, including line breaks
- Passphrase: The plain string with no wrapping
See the storing secrets section in Configuring an AWS Secrets Manager Connection or Configuring an Azure Key Vault Connection for details.
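A pre-flight check for the wrapper problem described above, as an added example (not OneSchema's own detection logic). The function name `classify_secret` and its return labels are assumptions made for illustration; run it on the value you are about to store, and note that it returns only a classification and never prints the secret.

```python
import json

PGP_BEGIN = "-----BEGIN PGP PRIVATE KEY BLOCK-----"
PGP_END = "-----END PGP PRIVATE KEY BLOCK-----"


def classify_secret(value: str) -> str:
    """Classify a secret value before storing it (hypothetical helper).

    Returns 'pgp_private_key', 'passphrase', 'json_wrapped', 'quoted',
    'malformed_pgp_key' or 'empty'. The value itself is never logged.
    """
    text = value.strip()
    if not text:
        return "empty"
    # JSON wrapper: an object/array (e.g. a key/value secret) or a JSON string.
    if text[0] in '{["':
        try:
            json.loads(text)
            return "quoted" if text[0] == '"' else "json_wrapped"
        except ValueError:
            pass  # not valid JSON, keep checking
    # Surrounding single or double quotes that are not valid JSON.
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "'\"":
        return "quoted"
    if PGP_BEGIN in text:
        # The armor must keep real line breaks and its END line; a key pasted
        # with literal "\n" sequences or cut short fails this check.
        lines = text.splitlines()
        intact = (
            len(lines) >= 3
            and lines[0].strip() == PGP_BEGIN
            and lines[-1].strip() == PGP_END
        )
        return "pgp_private_key" if intact else "malformed_pgp_key"
    return "passphrase"


if __name__ == "__main__":
    # Constructed sample values; the armor body is a placeholder, not a key.
    armor = f"{PGP_BEGIN}\n\nbm90LWEtcmVhbC1rZXk=\n=AAAA\n{PGP_END}\n"
    for label, sample in [
        ("raw armor", armor),
        ("JSON key/value", json.dumps({"private_key": armor})),
        ("quoted passphrase", '"correct horse"'),
        ("plain passphrase", "correct horse"),
    ]:
        print(f"{label}: {classify_secret(sample)}")
```

Only `pgp_private_key` and `passphrase` correspond to the raw formats listed under Supported decryption types; any other result means the value should be re-stored.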
GPG decryption fails silently
Ensure the encrypted file was produced with the matching public key (for PGP) or the same passphrase (for symmetric encryption). The node passes the file to GPG, which auto-detects the encryption type from the file header.
Permissions
| Action | Admin | Developer | Viewer |
|---|---|---|---|
| Create/edit/delete connections | Yes | No | No |
| Create/edit/delete managed secrets | Yes | Yes | No |
| View connections | Yes | Yes | Yes |
| Test connection | Yes | Yes | Yes |
| Configure Decrypt Files node | Yes | Yes | No |
