Expand my Community achievements bar.

SOLVED

Is it still required to decrypt the osgi configuration properties?

Avatar

Community Advisor

AEM version 6.5 (SP 15)

We have some config values of type AttributeType.PASSWORD, values are encrypted before putting into config file.

Do we still have to decrypt them before using them in our Service? As per this documentation AEM will do it automatically, I wanted to confirm (without checking myself) - https://github.com/AdobeDocs/experience-manager-65.en/blob/main/help/sites-administering/encryption-...

It says

AEM now provides a Configuration Plugin to decrypt configuration properties. This AEM Plugin will automatically decrypt and retrieve the clear text properties.

This is the way to decrypt them (if we have to) -

@reference
CryptoSupport cryptosupport;
Public getDecryptedKey(int encryptedKey)
{
if(this.cryptoSupport.isProtected(key){
this.cryptoSupport.unprotect(key)
}}

 

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

@Kamal_Kishor For encrypted data, which is stored in OSGi configuration, we don’t need to call “unprotect” method explicitly. Thats what i remember using it that way.

 

https://hashouttech.com/blog/How-to-encrypt-Plain-text-and-decrypt-Protected-text-in-Adobe-Experienc... 

View solution in original post

5 Replies

Avatar

Correct answer by
Community Advisor

@Kamal_Kishor For encrypted data, which is stored in OSGi configuration, we don’t need to call “unprotect” method explicitly. Thats what i remember using it that way.

 

https://hashouttech.com/blog/How-to-encrypt-Plain-text-and-decrypt-Protected-text-in-Adobe-Experienc... 

Avatar

Community Advisor

thanks @Saravanan_Dharmaraj - this clarifies the decryption need for the config.

Additionally, what is the ideal way to have these configs consolidated to be used on different environments as encrypted value vary for each environment. Since for our use case, we have the same value (For eg, Pass123) for all envs, if we have this just in 'config' folder (as currently), this wouldn't work properly.
We would end up creating multiple configs for each run-mode to provide encrypted value per environment, which would be slightly difficult to maintain.

 

thank you.

Avatar

Community Advisor

Hi @Kamal_Kishor 
There usual way to get encrypted value directly from the AEM and put it in env based osgi config.

 

Another way is to use external secret manager: https://www.linkedin.com/posts/theaemmaven_enhance-security-in-aem-with-azure-key-vault-activity-723... 



Arun Patidar

Avatar

Community Advisor

 

@arunpatidar : Every environment gives a different encrypted value for same secret-key. I was hoping if there was a way to use a similar encryption mechanism somehow so that we can avoid creating a config for every environment.


thank you.

 

Avatar

Community Advisor

Hi @Kamal_Kishor 
Yes, this is the case. thats why we need to have copy of the config in every env runmode.



Arun Patidar