Back to the blog

How to encrypt Plain text and decrypt Protected text in Adobe Experience Manager (AEM)?

author image

Akshay Rathnavas

Technology | April 01, 2021

hero image

Encryption and Decryption of Plain Text in Adobe Experience Manager (AEM)

Long gone are the days where sensitive texts are sent and received in plaintexts, being susceptible to every form of attack by even a novice. How can we implement a simple encryption of texts in AEM? This is using the inbuilt cryptosupport.

What is AEM’s Crypto Support?

Adobe Experience Manager ships with an OOTB AEM Crypto Support bundle. The console for this can be accessed at /system/console/crypto as seen below.

AEM’s Crypto Support

When should you use crypto support?

There are numerous use cases to use cryptosupport, but you can follow these simple steps.

Imagine one has to use a third-party API that uses an access key to communicate from AEM. This access key is sensitive information and should not be revealed to anyone. So, the maintainer of the application can create an encrypted key and provide it to the developer, who then places it in the codebase safely, or paste into an OSGI Configuration for the code to consume.

How to encrypt plain text in Adobe Experience Manager (AEM)

This is a simple process.

  1. Go to https: //hostname:port/system/console/crypto
  2. In the “Plain Text” field (as seen in Figure 1), enter the text to be encrypted.
  3. Click on “Protect”.
  4. The Encrypted Text will be generated in the “Protected Text” field.
  5. Copy it and use it where required.

How to decrypt protected text in Adobe Experience Manager (AEM)

Decrypting the text can only be done through the codebase.

  1. Inject the CryptoSupport Class.
  2. Use the unprotect method to get the original text back.
private CryptoSupport cryptoSupport;

public String getDecryptedValue(final String encryptedText) {
>       if(cryptoSupport.isProtected(encryptedText)) {
>           return cryptoSupport.unprotect(encryptedText)
>       } else {
      return encryptedText;
>         }

Advantages of using crypto support in Adobe Experience Manager (AEM)

  1. There is no possible way to get the password decrypted in the UI.
  2. The password is always decrypted at runtime making it secure.
  3. Each AEM Instance has its own encryption keys set at startup.

See how Adobe Experience Manager can revolutionize your customer experience

Crypto Sharing in Adobe Experience Manager (AEM) 6.5

Since I mentioned that each instance has its own keys generated at startup, there might be a possibility that you might need to sync up these for your different instances.

There are two key files used for encryption. They are hmac and master file.

  1. Prior to AEM 6.5 these are located at: “/etc/key”

Crypto Sharing in Adobe Experience Manager (AEM) 6.5

  1. From AEM 6.5:

    • Get the bundle ID from OSGI for /system/console/bundles/com.adobe.granite.crypto.file

    Crypto Sharing in Adobe Experience Manager (AEM) 6.5

    • In the respective file system go to /crx-quickstart/launchpad/felix/bundle<-ID->/data
    • Copy the two files: hmac and master from the source instance to the target instances. Restart the AEM Instance or the com.adobe.granite.crypto bundle.

Note: For encrypted data, which is stored in OSGi configuration, we don’t need to call “unprotect” method explicitly as you see in one of the above sections. AEM has a Configuration Plugin to decrypt OSGi configuration properties. This plugin automatically decrypts and returns the plain-text string.

Creating a Tool in Adobe Experience Manager
How to implement OAuth SSO in Angular & Flask Application?
How to Upgrade Adobe Experience Manager to Version 6.5?

Browse all categories