I'm trying to use Crypto Support in AEM 6.5 but the hmac master keys are no longer stored under /etc/key.
It means I cannot just package the keys and transfer them to the target instance.
I can see the hmac and master keys are stored in launchpad/bundles/.. But every time we change the instance we need to add these files to the bundles folder and restart the bundle, which may not always be suitable.
Need some thoughts on this.
Actually there is a way to update the encryption keys programmatically, without ssh access to AEM instances.
The approach:
1. Upload the key in AEM, for example, to /content/dam/crypto/hmac
2. Read the key bytes
    Resource resource = resourceResolver.getResource("/content/dam/crypto/hmac");
    byte[] key = IOUtils.toByteArray(resource.adaptTo(Asset.class).getOriginal().getStream());
3. Get the com.adobe.granite.crypto.file bundle
    Bundle bundle = Arrays.stream(bundleContext.getBundles())
        .filter(b -> b.getSymbolicName().equals("com.adobe.granite.crypto.file"))
        .findFirst().orElse(null);
4. Get the 'hmac' file
    File hmacFile = bundle.getDataFile("hmac");
5. Replace the key
    // try-with-resources closes the stream even if the write fails
    try (OutputStream out = new FileOutputStream(hmacFile)) {
        out.write(key);
    }
6. Repeat 2-6 for the master key
7. Refresh the Granite Crypto Bundle
8. Delete the hmac and master keys from DAM. You no longer need them.
See https://github.com/YegorKozlov/aem-fiddle-scripts/tree/master/encryption-keys
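Steps 2 to 8 of the answer above as a single routine, added here as an example; it is not code from the post or from the linked repository. The class name `CryptoKeyInstaller`, the `/content/dam/crypto/master` upload path, and refreshing `com.adobe.granite.crypto` through `FrameworkWiring` are assumptions.

```java
import com.day.cq.dam.api.Asset;
import org.apache.commons.io.IOUtils;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
import org.osgi.framework.wiring.FrameworkWiring;
import java.io.*;
import java.nio.file.*;
import java.util.*;

// Hypothetical helper: installs uploaded 'hmac' and 'master' keys, then removes the DAM copies.
public final class CryptoKeyInstaller {
    private static final String DAM_DIR = "/content/dam/crypto/"; // assumed upload folder (step 1)

    public static void install(ResourceResolver resolver, BundleContext ctx) throws IOException {
        Bundle fileBundle = find(ctx, "com.adobe.granite.crypto.file");
        List<Resource> uploaded = new ArrayList<>();
        for (String name : new String[] {"hmac", "master"}) {
            Resource res = resolver.getResource(DAM_DIR + name);
            Asset asset = res == null ? null : res.adaptTo(Asset.class);
            if (asset == null || asset.getOriginal() == null) throw new IOException("Key not uploaded: " + name);
            byte[] key;
            try (InputStream in = asset.getOriginal().getStream()) {
                key = IOUtils.toByteArray(in);
            }
            if (key.length == 0) throw new IOException("Empty key: " + name); // fail closed, keep old key
            File target = fileBundle.getDataFile(name);
            if (target == null) throw new IOException("Bundle has no data area");
            // Write beside the target, then swap atomically: a failed write never leaves a truncated key.
            Path tmp = Files.createTempFile(target.getParentFile().toPath(), name, ".tmp");
            Files.write(tmp, key);
            Files.move(tmp, target.toPath(), StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
            Arrays.fill(key, (byte) 0); // do not keep key bytes on the heap longer than needed
            uploaded.add(res);
        }
        // Step 7: refresh so the new key files are read (assumed target bundle: com.adobe.granite.crypto).
        ctx.getBundle(0).adapt(FrameworkWiring.class)
           .refreshBundles(Collections.singleton(find(ctx, "com.adobe.granite.crypto")));
        // Step 8: key material must not stay in the repository, where DAM readers and packages can reach it.
        for (Resource res : uploaded) resolver.delete(res);
        resolver.commit();
    }
    private static Bundle find(BundleContext ctx, String symbolicName) throws IOException {
        return Arrays.stream(ctx.getBundles())
            .filter(b -> symbolicName.equals(b.getSymbolicName()))
            .findFirst().orElseThrow(() -> new IOException("Bundle not found: " + symbolicName));
    }
}
```

Run it with a resolver that can read and delete under the upload folder, and check afterwards that no version history, replication queue or content package still holds the uploaded key files.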
That is the necessary approach though ...
21. You can navigate to /system/console/bundles/com.adobe.granite.crypto.file to see the Id.
/crx-quickstart/launchpad/felix/bundle<Id>/data in the file system.
hmac and master from the source instance to the target instances.
com.adobe.granite.crypto bundle or the entire AEM instance.
This would be a day-0 exercise though.