Adobe Experience Manager Sites & More

Kamal_Kishor · 9/4/24

AEM version 6.5 (SP 15)

We have some config values of type AttributeType.PASSWORD, values are encrypted before putting into config file.

Do we still have to decrypt them before using them in our Service? As per this documentation AEM will do it automatically, I wanted to confirm (without checking myself) - https://github.com/AdobeDocs/experience-manager-65.en/blob/main/help/sites-administering/encryption-...

It says

AEM now provides a Configuration Plugin to decrypt configuration properties. This AEM Plugin will automatically decrypt and retrieve the clear text properties.

This is the way to decrypt them (if we have to) -

@reference
CryptoSupport cryptosupport;
Public getDecryptedKey(int encryptedKey)
{
if(this.cryptoSupport.isProtected(key){
this.cryptoSupport.unprotect(key)
}}

Saravanan_Dharmaraj · 9/4/24

@Kamal_Kishor For encrypted data, which is stored in OSGi configuration, we don’t need to call “unprotect” method explicitly. Thats what i remember using it that way.

https://hashouttech.com/blog/How-to-encrypt-Plain-text-and-decrypt-Protected-text-in-Adobe-Experienc...

View solution in original post

Saravanan_Dharmaraj · 9/4/24

@Kamal_Kishor For encrypted data, which is stored in OSGi configuration, we don’t need to call “unprotect” method explicitly. Thats what i remember using it that way.

https://hashouttech.com/blog/How-to-encrypt-Plain-text-and-decrypt-Protected-text-in-Adobe-Experienc...

Kamal_Kishor · 9/4/24

thanks @Saravanan_Dharmaraj - this clarifies the decryption need for the config.

Additionally, what is the ideal way to have these configs consolidated to be used on different environments as encrypted value vary for each environment. Since for our use case, we have the same value (For eg, Pass123) for all envs, if we have this just in 'config' folder (as currently), this wouldn't work properly.
We would end up creating multiple configs for each run-mode to provide encrypted value per environment, which would be slightly difficult to maintain.

thank you.

arunpatidar · 9/4/24

Hi @Kamal_Kishor
There usual way to get encrypted value directly from the AEM and put it in env based osgi config.

Another way is to use external secret manager: https://www.linkedin.com/posts/theaemmaven_enhance-security-in-aem-with-azure-key-vault-activity-723...

Arun Patidar

Kamal_Kishor · 9/4/24

@arunpatidar : Every environment gives a different encrypted value for same secret-key. I was hoping if there was a way to use a similar encryption mechanism somehow so that we can avoid creating a config for every environment.

thank you.

arunpatidar · 9/5/24

Hi @Kamal_Kishor
Yes, this is the case. thats why we need to have copy of the config in every env runmode.

Adobe Experience Manager Sites & More

Is it still required to decrypt the osgi configuration properties?

Arun Patidar

Arun Patidar

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe