Friday, March 23, 2012

How to Use Crypto support in Adobe CQ / AEM

Use Case: You want to protect sensitive information in OSGI configuration

Solution: CQ > 5.5 (Granite platform) introduces a new crypto support service (com.adobe.granite.crypto.CryptoSupport) to protect sensitive information.

To store protected configuration, the Apache Felix Web Console should be used.

To unprotect data, you can use the CryptoSupport.unprotect(String) method.


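import java.util.Map;
import com.adobe.granite.crypto.CryptoException;
import com.adobe.granite.crypto.CryptoSupport;

public class Test {
    // Injected by the OSGi container as a service reference.
    private CryptoSupport cryptoSupport;
    private void configure(Map<String, Object> config) throws CryptoException {
        final String protectedConfig = (String) config.get("password");
        final String plainTextConfig;
        // Only values in protected form need to be unprotected.
        if (this.cryptoSupport.isProtected(protectedConfig)) {
            plainTextConfig = this.cryptoSupport.unprotect(protectedConfig);
        } else {
            plainTextConfig = protectedConfig;
        }
    }
}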

You can also use the crypto support JSON call to get data. For example, the following curl command returns a protected string you can use:

$ curl -uadmin:admin -F datum=password http://localhost:4502/system/console/crypto/.json
{"protected": "{4dd7095d321134b5e6737311fa82afaa335390762e43136ee8acb3897296865d}"}

Note: A protected string generated on one machine will not work on another machine, because each instance has a different key. To make the key work across all instances, create a package of /etc/key, install it on all instances, and then restart the "com.adobe.granite.crypto" bundle from the system console.

If you want to deploy these keys as part of your code across all instances, first download the hmac and master binaries from /etc/key,

then create a node under /etc/key in your file system (code repo):

<?xml version="1.0" encoding="UTF-8"?>
<jcr:root xmlns:sling="" xmlns:jcr="" xmlns:rep="internal"

Under /etc/key, add two files named "hmac.binary" and "master.binary" that you copied from the system where the secret was generated.

Deploy your code. Make sure to restart "com.adobe.granite.crypto" the very first time you upload these keys. (You can also do this using a curl command.)

Crypto Support API:


  1. Hi,
    I was trying to get a reference of cryptosupport service in one of the services that I created and it is appearing as unsatisfied

    Reference=cryptoSupport, Unsatisfied
    Service Name: com.adobe.granite.crypto.CryptoSupport
    Multiple: single
    Optional: mandatory
    Policy: static
    No Services bound

    Due to this my original service is also unsatisfied. I am using CQ 5.6. I tried using crypto service reference in one of the other services that I had which is working fine and it is causing problems there as well. Is there something specific that needs to be done for this particular service to get its reference? Any tips to resolve this will be really appreciated.


    1. Hello Hitesh,

      Can you send me your code example to test?


  2. Yogesh,

    Thanks for sharing..!!

    I am able to encrypt plain text using Felix console @ http://localhost:4502/system/console/crypto and able to decrypt using this.cryptoSupport.unprotect(protectedConfig);

    I need to use the same cipher text to get the plain text on various environments, but I am not able to update the key which crypto support is using to encrypt/decrypt the password.

    Can you help in this aspect?

    1. Hello Tosheer,

      You mean the same plain text is returning different cipher text in different environments?


  3. This has changed in aem 6.3. see
