{"id":53982,"date":"2021-09-21T22:47:24","date_gmt":"2021-09-21T17:17:24","guid":{"rendered":"https:\/\/www.tothenew.com\/blog\/?p=53982"},"modified":"2024-06-10T15:40:45","modified_gmt":"2024-06-10T10:10:45","slug":"aem-encryption-service-what-how-why","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/aem-encryption-service-what-how-why\/","title":{"rendered":"AEM Encryption Service: What, How & Why"},"content":{"rendered":"

Adobe Experience Manager (AEM) provides an encryption service which helps to encrypt text and decrypt the protected text. The support is available in AEM with the bundle name <\/span>Adobe Granite Crypto Support<\/strong> (<\/span>com.adobe.granite.crypto).<\/span><\/i><\/p>\n

It can be used to:<\/span><\/p>\n

    \n
  1. Encrypt properties configured in OSGI configuration service<\/span><\/li>\n
  2. Meet the need to protect\/unprotect text or binary data in the backend logic<\/span><\/li>\n<\/ol>\n

    Protecting OSGI Configuration<\/b><\/h4>\n

    First the question arises why do we need to protect OSGI configuration when not everyone can access the admin config console?<\/span><\/p>\n

    The answer is simple, OSGI configuration may contain passwords or any sensitive information and at the end when the configuration gets saved, they are saved in the repository and can be accessed from <\/span>\/apps<\/span><\/i>. Anyone with access to <\/span>\/apps<\/span><\/i> folder can read them from <\/span>crx\/de <\/span><\/i>console. Keeping them in encrypted form helps, as even if the configuration file is accessible from <\/span>crx\/de<\/span><\/i>, the property can not be decrypted manually.<\/span><\/p>\n

    In order to protect the OSGI configuration, we need to follow these steps:<\/span><\/p>\n

      \n
    1. AEM plugins provide a support in felix consoles to decrypt the plain property text, \u201cCrypto support\u201d option is available in under \u201cMain\u201d option in felix console menu or directly access it using url <\/span>http:\/\/<host>:<port>\/system\/console\/crypto<\/span><\/i>\"\"\"\"<\/li>\n
    2. Paste the property value in a plain text field and click on the \u201cProtect\u201d button to get the Protected text<\/span><\/li>\n
    3. Use this protected property in any of the OSGI configurations using the configuration manager console or even maintain it in the code base<\/span><\/li>\n<\/ol>\n

      Unprotect OSGI Configuration<\/h4>\n

      There is no need to explicitly decrypt these protected configurations in java configuration service. AEM out of the box (OOTB) returns the properties in java by decrypting them beforehand.<\/span><\/p>\n

      Protect Plain Text in Java<\/b><\/h4>\n

      We can use AEM\u2019s crypto API in our backend logic to protect plain text and binary data in backend logics. We need to use <\/span>CryptoSupport<\/span><\/a> Service.<\/span><\/p>\n

      Below is the sample code to protect data:<\/span><\/p>\n

      \"\"<\/p>\n

      Unprotect Protected Text in Java<\/b><\/h4>\n

      We can unprotect protected text and binary data in backend logics using <\/span>CryptoSupport<\/span><\/a> Service.<\/span><\/p>\n

      Below is the sample code to unprotect data:<\/span><\/p>\n

      \"\"<\/p>\n

      Using Crypto Support for Multiple Publisher Environment Setup<\/b><\/h4>\n

      In order to support cryptography in multiple publisher AEM instances setup, we need to have the same HMAC key across all instances. This setup is must if:<\/span><\/p>\n

        \n
      1. We maintain protected configuration in the code base that is deployed on all publishers.<\/span><\/li>\n
      2. If text protected in one instance reaches another instance for decryption in backend logic.<\/span><\/li>\n
      3. If we enable <\/span>Encapsulated Token Support<\/span><\/a> in AEM. In this, we will have to sync keys of author instances also with all publisher instances.<\/span><\/li>\n<\/ol>\n

        If we do not sync the HMAC keys over all instances, we are going to get <\/span>Crypto Exception com.adobe.granite.crypto.CryptoException<\/b> exception upon decryption.<\/span><\/p>\n

        Steps to sync keys across all instances for <\/span>AEM 6.3 or above<\/b>:<\/span><\/p>\n

          \n
        1. Go to <\/span>\/system\/console\/bundles<\/span><\/i> and search for a bundle with name \u201c<\/span>Adobe Granite Crypto Bundle Key Provider\u201d i.e \u201dcom.adobe.granite.crypto.file<\/span><\/a>\u201d and note down the bundle number. In below screenshot, bundle number is 20.
          \n<\/span><\/span>\"\"\u00a0<\/span><\/li>\n
        2. Go to repository in filesystem and go to folder <\/span><repository-folder>\/crx-quickstart\/launchpad\/felix\/<\/span><\/i>bundle20<\/i><\/b> and here the bundle folder is bundle20 because the number for the <\/span>com.adobe.granite.crypto.file<\/span><\/a> is 20 in previous step.<\/span><\/li>\n
        3. Go to data folder and copy two files present i.e <\/span>hmac<\/b> and <\/span>master<\/b><\/li>\n
        4. Now follow the same steps for all the other instances and replace the two files with copied files.<\/span><\/li>\n
        5. Once done refresh <\/span>Adobe Granite Crypto Support bundle i.e <\/span>com.adobe.granite.crypto<\/span><\/i><\/a>.<\/span><\/li>\n<\/ol>\n

          Steps to sync keys across all instances for <\/span>AEM 6.2 or below:<\/b><\/p>\n

            \n
          1. Create package of path \/etc\/key from one of the instance using package manager<\/span><\/li>\n
          2. Install the package created in other instances<\/span><\/li>\n
          3. Restart all the instances where package has been installed<\/span><\/li>\n<\/ol>\n

            We hope this article helps you.<\/span><\/p>\n

            <\/div>","protected":false},"excerpt":{"rendered":"

            Adobe Experience Manager (AEM) provides an encryption service which helps to encrypt text and decrypt the protected text. The support is available in AEM with the bundle name Adobe Granite Crypto Support (com.adobe.granite.crypto). It can be used to: Encrypt properties configured in OSGI configuration service Meet the need to protect\/unprotect text or binary data in […]<\/p>\n","protected":false},"author":994,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":374},"categories":[5868,446,1],"tags":[4847,4921,4920],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/53982"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/994"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=53982"}],"version-history":[{"count":7,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/53982\/revisions"}],"predecessor-version":[{"id":54437,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/53982\/revisions\/54437"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=53982"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=53982"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=53982"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}