Friday, March 23, 2012

How to Use Crypto support in Adobe CQ / AEM

Use Case: You want to protect sensitive information in OSGI configuration

Solution: CQ > 5.5 (Granite platform) introduces a new crypto cupport service (com.adobe.granite.crypto.CryptoSupport) to protect sensitive information.

To store protected configuration, the Apache Felix Web Console should be used.

to unprotected data you can use CryptoSupport.unprotect(String) method.


public class Test {
private CryptoSupport cryptoSupport;
private void configure(Map config) {
final String protectedConfig = config.get("password");
final String plainTextConfig;
if (this.cryptoSupport.isProtected(protectedConfig)) {
plainTextConfig = this.cryptoSupport.unprotect(protectedConfig);
} else {
plainTextConfig = protectedConfig;

You can also use crypto support JSON call to get data. For example following curl command will return protected sting you can use

$ curl -uadmin:admin -F datum=password http://localhost:4502/system/console/crypto/.json
{"protected": "{4dd7095d321134b5e6737311fa82afaa335390762e43136ee8acb3897296865d}"}

Note: Crypt generated on one machine will not work on other machine as each one has different Key. In order to make key work across all instance, You can create package of /etc/key and install it in all instances and then restart "com.adobe.granite.crypto" bundle from system console.

If you want to deploy these key as part of code across all instances then first down load hmac and master binary from /etc/key

then create a node under /etc/key in your file system (Code repo)

<?xml version="1.0" encoding="UTF-8"?>
<jcr:root xmlns:sling="" xmlns:jcr="" xmlns:rep="internal"

under /etc/key add two files name "hmac.binary" and "master.binary" that you copied from system where secret was generated.

Deploy your code. Make sure to restart "com.adobe.granite.crypto" for very first time you upload these key. (You can also do this using CURL command)

Crypto Suport API:


  1. Hi ,
    I was trying to get a reference of cryptosupport service in one of the services that I created and it is appearing as unsatisfied

    Reference=cryptoSupport, Unsatisfied
    Service Name: com.adobe.granite.crypto.CryptoSupport
    Multiple: single
    Optional: mandatory
    Policy: static
    No Services bound

    Due to this my original service is also unsatisfied. I am using cq 5.6. I tried using crypto service reference in one of the other services that I had which is working fine and it is causing problems there as well. Is there something specific that needs to be done for this particular service to get its reference. Any tips to resolve this will be really appreciated.


    1. Hello Hitesh,

      Can you send me your code example to test ?


  2. Yogesh,

    Thanks for sharing..!!

    I am able to encrypt plain text using Felix console @ http://localhost:4502/system/console/crypto and able to decrypt using this.cryptoSupport.unprotect(protectedConfig);

    i need to use the same same cipher text to get the plain text on various env, but i am not able to update the key which crypto support is using to encrypt/Decrypt the password.

    Can you help in this aspect.

    1. Hello Tosheer,

      You mean same plain text is returning different cypher text in different environment ?


  3. This has changed in aem 6.3. see

  4. It offers a twenty-first century option in contrast to physical banking. Trades are made by means of "e wallet programming". cryptocurrency

  5. This article is an engaging abundance of enlightening information that is intriguing and elegantly composed. I praise your diligent work on this and thank you for this data. You have what it takes to get consideration.  passive income with cryptos

  6. Wow, What a Excellent post. I really found this to much informatics. It is what i was searching for.I would like to suggest you that please keep sharing such type of info.Thanks Earn Bitcoin

  7. very interesting post.this is my first time visit here.i found so mmany interesting stuff in your blog especially its discussion..thanks for the post! best cable company