Actually there is a way to update the encryption keys programmatically, without ssh access to AEM instances.
The approach:
1. Upload the key in AEM, for example, to /content/dam/crypto/hmac
2. Read the key bytes
    Resource resource = resourceResolver.getResource("/content/dam/crypto/hmac");
    byte[] key;
    // Close the rendition stream once the bytes are read
    try (InputStream in = resource.adaptTo(Asset.class).getOriginal().getStream()) {
        key = IOUtils.toByteArray(in);
    }
3. Get the com.adobe.granite.crypto.file bundle
    Bundle bundle = Arrays.stream(bundleContext.getBundles())
        .filter(b -> "com.adobe.granite.crypto.file".equals(b.getSymbolicName()))
        .findFirst().orElse(null);
4. Get the 'hmac' file
    File hmacFile = bundle.getDataFile("hmac");
5. Replace the key
    // try-with-resources closes the file even if the write fails
    try (OutputStream out = new FileOutputStream(hmacFile)) {
        out.write(key);
    }
6. Repeat 2-6 for the master key
7. Refresh the Granite Crypto Bundle
- Navigate to http://<server>:<port>/system/console/bundles
- Locate Adobe Granite Crypto Support bundle (com.adobe.granite.crypto)
- Click Refresh
8. Delete the hmac and master keys from DAM. You no longer need them.
See https://github.com/YegorKozlov/aem-fiddle-scripts/tree/master/encryption-keys
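Steps 2 to 5 combined into one routine, as an added example that is not part of the original post or the linked repository. The class name CryptoKeyInstaller and the method install are hypothetical; the code assumes it runs inside the AEM instance with the DAM Asset API and commons-io available, and it writes through a temporary file so that a failed write cannot leave a truncated key in the bundle data area.

```java
import com.day.cq.dam.api.Asset;
import org.apache.commons.io.IOUtils;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
import java.io.*;
import java.nio.file.*;
import java.util.Arrays;

// Hypothetical helper: the class and method names are assumptions, not from the post.
public final class CryptoKeyInstaller {
    private static final String CRYPTO_FILE_BUNDLE = "com.adobe.granite.crypto.file";

    /** Copies one key asset from DAM into the crypto bundle's data file named keyName. */
    public static void install(BundleContext ctx, ResourceResolver resolver,
                               String damPath, String keyName) throws IOException {
        Resource resource = resolver.getResource(damPath);
        Asset asset = resource == null ? null : resource.adaptTo(Asset.class);
        if (asset == null || asset.getOriginal() == null) {
            throw new IOException("No key asset at " + damPath);
        }
        byte[] key;
        try (InputStream in = asset.getOriginal().getStream()) {
            key = IOUtils.toByteArray(in);
        }
        if (key.length == 0) {
            throw new IOException("Empty key at " + damPath);
        }
        Bundle bundle = Arrays.stream(ctx.getBundles())
                .filter(b -> CRYPTO_FILE_BUNDLE.equals(b.getSymbolicName()))
                .findFirst()
                .orElseThrow(() -> new IOException("Bundle not found: " + CRYPTO_FILE_BUNDLE));
        File target = bundle.getDataFile(keyName);
        if (target == null) {
            throw new IOException("Bundle has no data area for " + keyName);
        }
        // Write to a temp file in the same directory, then rename it over the old key.
        Path tmp = Files.createTempFile(target.getParentFile().toPath(), keyName, ".tmp");
        try {
            Files.write(tmp, key);
            Files.move(tmp, target.toPath(),
                    StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
        } finally {
            Files.deleteIfExists(tmp); // no-op after a successful move
        }
    }
}
```

Call it once for the hmac asset and once for the master asset, then continue with the bundle refresh and the DAM cleanup from steps 7 and 8.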