How Encrypt-Decrypt Data in AEM , AEM Crypto Support ?

How to Use Crypto Support in AEM to Encrypt/Decrypt Data?

While working with AEM, The AEM dev-ops / developer team sometimes have a requirements to call third-party APIs/Services. Configurations related to these APIs/Services like username, passwords, client id/secrets, API keys are usually stored in a code repository in the form of OSGi configuration. This sensitive information should be stored encrypted rather than plain-text format.

This is possible through the OOTB AEM Crypto Support bundle. This bundle provides services for encrypting and decrypting the confidential/secured data through system-wide keys (hmac and master files).


What are the Features of Crypto Support?

  • Decryption happens at runtime.
  • No one can decrypt the data through the UI. There’s no UI to decrypt the encrypted data. So, the information remains secure.

What are hmac/master keys?

  • Encryption/decryption happens through keys (hmac and master files).
  • These keys get generated during the first startup of AEM instance.
  • In older versions of AEM (< 6.3), these files are stored under /etc/key but recent AEM versions have these files on the file system under crx-quickstart.
  • These keys are unique for every AEM instance.

How to encrypt data using Crypto Support?

In order to encrypt a string, follow the below steps:

1. Navigate to /system/console/crypto. The console looks like below:


2. Enter the plain-text string in the “Plain Text” field and click on “Protect”.

3. An alphanumeric value will get generated in “Protected Text” field.



4. Copy above alphanumeric value including curly brackets. For e.g. {435c89a1e94895d5a8447b856ec479aa24d8cdfc7a6dc51991202b62b065a1e6}

5. Go to code base and put the above value in your OSGi config like below


1. Clicking on “Protect” again, will generate a new alphanumeric value. So, just click once and copy the alphanumeric value and put it in the code base.

2. The encrypted value generated for the same plain-text string will differ from one AEM instance to another instance because keys are unique to each instance.  

You can learn more on How to sync keys between the environments in our blog -  SYNC HMAC KEY 


How to decrypt data using Crypto Support:


private CryptoSupport cryptoSupport;

public String getDecryptedValue(final String encryptedText) {

return cryptoSupport.isProtected(encryptedText)

? cryptoSupport.unprotect(encryptedText)

: encryptedText;



No Need to write decryption logic for "password Type" fields. In the Password Type fields, AEM will take care of decryption part by itself.

For encrypted data, which is stored in OSGi configuration, we don’t need to call “unprotect” method explicitly as you see above. AEM has a Configuration Plugin to decrypt OSGi configuration properties. This plugin automatically decrypts and returns the plain-text string.




  1. The work of publishing such a type of articles is commendable.Your article isn’t only useful but it is additionally really informative. Thanks for providing such a great information.ethical hackers for hire


Post a Comment

Popular Posts

AdobeDispatcherHacks ".statfile"

how to clear dispatcher cache in aem ?

How to Increase Apache Request Per Second ?

How Does S3 works with AEM ?

How to Sync HMAC in AEM ?

Configure/Decoding AEM AuditLogs

Dispatcher flush from AEM UI

AEM Security Headers

AEM ACL and how they are evaluated

How to prevent DDoS in Apache ?