The Encrypt Data action adds an extra layer of security and enables you to encrypt data in Architect flows by using your own encryption key. Use this action to encrypt PCI data before you call a data action to a back-end system.

This action uses the AWS Encryption SDK, which interacts with KMS. The SDK creates the data key, uses the key to encrypt the data, and then stores the encrypted data along with an encrypted copy of the data key in the encryption result buffer. Before you begin, make sure that you configure an AWS KMS symmetric key in Genesys Cloud. For more information, see Use an AWS KMS symmetric key for conversations.

  • This action fully supports single-region KMS keys and partially supports multi-region KMS keys. For multi-region keys, however, the region in which the data is decrypted must be the same region in which that data is encrypted.
  • The encryption services keep key configuration for approximately 31 days. You can decrypt data with a previously used key and not the current key for up to 31 days. However, the key must still exist in KMS and the currently configured key must reside in the same account.

This action is available in the Customer Secured Data menu in the task editor toolbox. Use this action in all flow types, excluding bot flows.

Action Description and use


Type a meaningful name for the action. The label you enter here becomes the action’s name displayed in the task sequence.

Data to Encrypt

To enter the JSON value that you want to encrypt to a string, perform one of these steps:

  • Click Click to add JSON literal value and set the JSON literal value directly.
  • Click the Expression Modes button , click Expression , and enter an expression that represents the data to encrypt.
  • Click the Expression Modes button , click Expression , click Large expression editor  and in the Edit ‘Data to Encrypt’ expression editor, enter the value to encrypt.

If you supply a NOT_SET JSON value to the action at runtime, the execution takes the Failure output with an error reason string value of NoDataSupplied. If the encrypted data is over 32,000 characters in length, execution takes the Failure output with an error reason string value of MaximumDataSizeExceeded.

Encrypted Data

Enter a variable name to hold the encrypted string value from the JSON value that you supply.

Failure Outputs

Failure outputs include these fields:

  • errorType: A nonempty String that contains the type or category of the error. The allowable values are:
    • CustomerKeyNotConfigured
    • CustomerKeyNotFound
    • GeneralError
    • MaximumDataSizeExceeded
    • NoDataSupplied
  • errorMessage: A non-localized error message. The String may be empty or NOT_SET.

Define success, failure, and output paths

Name Description

This path indicates that the action successfully communicated with its external endpoint and received a result. Drag the appropriate action below the Success path that follows the route you want the interaction to take. 

Note: A completed Success path indicates that no errors were encountered during the process. It is not a measure of whether the data received is the intended result or functionality.


This path indicates that an error occurred while running the action or a problem occurred while processing the results from a data action. Drag the appropriate action below the Failure path and direct the route you want the interaction to take.  

Note: If the network experiences connectivity issues, the action automatically takes this failure path.