Sharing Crypto Keys in AEM 6.3

In order to read data on one instance that was secured on another, you need to sync the Crypto keys across all of your instances. Prior to AEM 6.3, you would package up /etc/key and share it between your author and publish servers (See: How to Use Crypto support in Adobe CQ / AEM). In AEM 6.3, however, the Crypto keys were moved out of the JCR to make them more secure in case someone gains access to your CRXDE. As a side note, make sure the public can't reach CRXDE by working through the AEM 6.3 Security Checklist.

In order to sync the Crypto keys between servers in AEM 6.3:

  1. Find the bundle Id for com.adobe.granite.crypto.file, for example, 21. You can navigate to /system/console/bundles/com.adobe.granite.crypto.file to see the Id.
  2. Navigate to /crx-quickstart/launchpad/felix/bundle<Id>/data in the file system.
  3. Copy the two files: hmac and master from the source instance to the target instances.
  4. Restart the target com.adobe.granite.crypto bundle or the entire AEM instance.

There is a way to make AEM 6.3 read the Crypto keys from the JCR as in earlier versions, but it is not recommended if you can avoid it: start AEM 6.3 with the -Dcom.adobe.granite.crypto.file.disable=true flag. Note that this must happen on the first startup of the instance; once AEM has been started with or without the flag, the instance will not change behavior.
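
As an added example (not part of the original post), here are the four steps above as POSIX shell helpers: locate the key directory for a given bundle Id, copy the two files to a target instance, and verify afterwards that both instances hold the same keys. The crx-quickstart paths, bundle Ids and function names are assumptions for illustration; the bundle Id itself still comes from step 1, and it can differ between instances.

```sh
#!/bin/sh
# Added example, not part of the original post: helper functions for the
# AEM 6.3 key-sync procedure described above. They assume the layout the post
# gives (<crx-quickstart>/launchpad/felix/bundle<Id>/data holding the files
# "hmac" and "master") and take the bundle Id from step 1 as an argument,
# since it can differ between instances (21 on one, 23 on another).

# Print the directory that holds the crypto key files for one instance.
#   $1 = path to crx-quickstart, $2 = bundle Id of com.adobe.granite.crypto.file
crypto_key_dir() {
  printf '%s/launchpad/felix/bundle%s/data\n' "$1" "$2"
}

# Print one SHA-256 fingerprint covering both key files. Run this on each
# host and compare the hex strings: it tells you whether two instances share
# keys without moving any key material between them.
crypto_key_fingerprint() {
  dir=$(crypto_key_dir "$1" "$2")
  for f in hmac master; do
    [ -f "$dir/$f" ] || { echo "missing key file: $dir/$f" >&2; return 1; }
  done
  if command -v sha256sum >/dev/null 2>&1; then
    cat "$dir/hmac" "$dir/master" | sha256sum | cut -d' ' -f1
  else
    cat "$dir/hmac" "$dir/master" | shasum -a 256 | cut -d' ' -f1   # macOS
  fi
}

# Step 3: copy hmac and master from the source instance to a target instance
# (both paths local here; for a remote target, scp the two files to the same
# relative location). The copies get owner-only permissions.
#   $1/$2 = source crx-quickstart and bundle Id, $3/$4 = target ones
crypto_keys_copy() {
  src=$(crypto_key_dir "$1" "$2")
  dst=$(crypto_key_dir "$3" "$4")
  [ -f "$src/hmac" ] && [ -f "$src/master" ] || { echo "source keys not found in $src" >&2; return 1; }
  mkdir -p "$dst" || return 1
  cp "$src/hmac" "$src/master" "$dst/" || return 1
  chmod 600 "$dst/hmac" "$dst/master"
}

# Exit status 0 when both instances carry byte-identical hmac and master files.
crypto_keys_in_sync() {
  src=$(crypto_key_dir "$1" "$2")
  dst=$(crypto_key_dir "$3" "$4")
  cmp -s "$src/hmac" "$dst/hmac" && cmp -s "$src/master" "$dst/master"
}

# Example run (paths and Ids are illustrative):
#   crypto_keys_copy /opt/aem/author/crx-quickstart 21 /opt/aem/publish/crx-quickstart 23
#   crypto_keys_in_sync /opt/aem/author/crx-quickstart 21 /opt/aem/publish/crx-quickstart 23 \
#     && echo "keys in sync; now restart the crypto bundle on the target (step 4)"
```

The functions take the bundle Id per side rather than assuming 21 everywhere, because the Id is whatever the Felix console shows on that particular instance. The fingerprint lets you compare keys across hosts by exchanging only a hash, which is a useful check both before and after a sync; restarting the crypto bundle (step 4) remains a manual step in the Felix console.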


Miguel | August 28, 2017 at 03:48 PM

Thanks Nate, this was really helpful! We were having some issues with Oauth and the user log in/registration process in general, but this did the trick.

Rohit Jain | October 26, 2017 at 05:00 PM

Hi Nate, one observation - for 6.3 instances that were upgraded in place from earlier 6.x versions, we still need to go the old way of syncing via package manager. The upgrade migration steps do not do the following: "in AEM 6.3 the Crypto keys were moved out of the JCR". Thanks for posting!

Federico | December 13, 2017 at 06:30 AM

This is brilliant, thank you. Official documentation on this feature: For Google searchers: if you use the old method of key migration, the error is: Caused by: com.rsa.jsafe.JSAFE_PaddingException: Invalid padding
