Skip to main content

Encr_EncryptAES (function reference)

By April 20, 2023April 25th, 2023Online Help, Troi Encryptor Plug-in
Troi Encryptor Plug-in for FileMaker Pro


Encrypts text using the AES algorithm and the password.

SyntaxFunction badge

Encr_EncryptAES ( switches ; password ; dataToEncrypt )


switches modifies the behavior of the function
password the password to use
dataToEncrypt the text (or container data) to encrypt


Switches can be one of:

-KeySize=256 (default) create a key for AES-256 encryption
-KeySize=128 create a key for AES-128 encryption

You can add one or more of these switches to retrieve extra information:

-AddIntializationVectorInfo add the used Initialization Vector at the end of the result (need not be kept secret)
-AddSaltInfo add the used Salt at the end of the result (need not be kept secret)
-AddKeyInfo add the derived Key (derived from the password) at the end of the result (keep secret!)
-OpenSSLCompatible format as OpenSSL compatible result
-HashIterationCount=n specify the hash iteration count used to generate the key and initialization vector (for OpenSSL)

Returned Result

Data type returned



the encrypted text or an error code.

Returned error codes can be:

$$-4244 no password was given

Originated in

Troi Encryptor Plug-in 1.2


FileMaker Pro 16 to FileMaker Pro 2023


NOTE The Encr_EncryptAES function was called Encr_EncryptRijndaelAES in older versions of the plug-in.

– Be sure to remember the password (case sensitive!): without it you can not retrieve the original data.
– It’s good practice to use a password that is at least 10 characters long. You can use higher Unicode characters!
– Don’t store the password.
– Use a global for the password field.
– The encrypted text is different every time you encrypt the same text. This is not a bug, but a security feature!

Technical details:

By default (or if you use the switch -KeySize=256) the text is encrypted using AES-256 bit CBC with a 32 byte key and 16 byte IV (derived via PBKDF2) and 20 byte salt. Padding according to PKCS7. Result is Base64 encoded.

If you use the switch -KeySize=128 the text is encrypted using AES-128 bit CBC with a 16 byte key and IV (derived via PBKDF2) and 20 byte salt. Padding according to PKCS7. Result is Base64 encoded.

More technical details can be found at the beginning of the user guide.

About Unicode and Passwords:
Passwords are always UTF8 encoded before the key is derived. This means that all Unicode characters can be used for the password.
For example:
“japan_” becomes “japan_0xE698BEE7A4BA” as password
“españa” becomes “espa0xC3B1a” as password

Text is also UTF8 encoded before encryption.

– You can also encrypt any type of container field, even containers that store a reference only. Note that for those containers only the reference is encrypted, not the original. This applies for all reference pictures and QuickTime movies.

Container data consists of several streams. Each stream is converted to base64 and this text is then encrypted. The text is formatted like this:

<TROI_BINARY_CONTAINER10><number of streams>
<- ->
<length stream1><stream1 data>
<- ->
<length stream2><stream2 data>
<- ->
<length stream3><stream3 data>


About OpenSSL compatibility (introduced with Troi Encryptor 5.0):

When you use the -OpenSSLCompatible switch, the encrypted text is formatted as OpenSSL compatible (Base64) text.
This can be decrypted with the OpenSSL functions of PHP 7. You can specify the hash iteration count used to generate the key and initialization vector with the optional -HashIterationCount=n switch. Use for example -HashIterationCount=10000.
Note that the default for -OpenSSLCompatible is 1.
You can also encrypt for the openssl command in a command line interface (for example the macOS terminal). Use the switch -OpenSSLCompatible, but don’t use the -HashIterationCount=n switch as the openssl command expects the (default) iteration count of 1.

See the OpenSSL.fmp12 example in the download for more detailed information.


Encr_EncryptAES ( "-Unused" ; "mypassword" ; "mySecretTexts" )

This will give this result (or similar, as the encrypted text is different every time):


Example 2

In a database you have defined a text field named “patientData” which contains illness data. Then define a calculation field:

encryptedDataCalc    calculation   Unstored  = Encr_EncryptAES ( "-Unused" ; 
							gPasswordField ; patientData )

the calculation field will contain the encrypted text.

Example 3

Set Field [ secretField ;   
                 Encr_EncryptAES ( "-AddSaltInfo" ;  gEncryptionPassword ; textField ) ]

this will result in:



The last part contains the so called Salt, which was used to change the encryption result. NOTE: Normally it is not necessary to know about Salt, IV’s and derived Keys to use it. If you want to decrypt the data on a non-FileMaker system it might be useful.

Used in example file


Related functionsFunction badge


Related topics

Troi Encryptor Plug-in online help (overview)

Online Help Page for Troi Encryptor Plug-in for 16 to 2023 –> Encr_EncryptAES (encrp4275) 2023-0425 15:53:25