In order to read data on one instance that was secured on another, you need to sync the Crypto keys across all of your instances. Prior to AEM 6.3, you would package up /etc/key and share it between your author and publish servers (see: How to Use Crypto support in Adobe CQ / AEM). However, in AEM 6.3 the Crypto keys were moved out of the JCR to make them more secure in case someone gains access to your CRXDE. As a side note, ensure the public can't access CRXDE by going through the AEM 6.3 Security Checklist.
In order to sync the Crypto keys between servers in AEM 6.3:
- Find the bundle Id for com.adobe.granite.crypto.file, for example, 21. You can navigate to /system/console/bundles/com.adobe.granite.crypto.file to see the Id.
- Navigate to /crx-quickstart/launchpad/felix/bundle<Id>/data in the file system.
- Copy the two files, hmac and master, from the source instance to the target instances.
- Restart the target com.adobe.granite.crypto bundle or the entire AEM instance.
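The copy step above as a shell function that also verifies the result; this is an added example, not code from Adobe or from the original post. It assumes both instances' file systems are reachable from one host (locally or through a mount) and that the bundle Id is looked up separately on each instance; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: copy the AEM 6.3 crypto key files (hmac, master) from a
# source instance to a target instance, then verify the copies.
# Arguments (assumptions of this example):
#   $1 source AEM home (the directory containing crx-quickstart)
#   $2 source bundle Id of com.adobe.granite.crypto.file
#   $3 target AEM home
#   $4 target bundle Id (look it up on the target as well)

key_dir() {
    # Path from the steps above: crx-quickstart/launchpad/felix/bundle<Id>/data
    printf '%s/crx-quickstart/launchpad/felix/bundle%s/data\n' "$1" "$2"
}

sync_crypto_keys() {
    [ "$#" -eq 4 ] || { echo "usage: sync_crypto_keys SRC_HOME SRC_ID DST_HOME DST_ID" >&2; return 2; }
    src=$(key_dir "$1" "$2")
    dst=$(key_dir "$3" "$4")

    # Refuse to run on a partial key set: both files are needed.
    for f in hmac master; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    [ -d "$dst" ] || { echo "missing target directory $dst" >&2; return 1; }

    old_umask=$(umask)
    umask 077    # anything created below is readable by the owner only
    status=0
    for f in hmac master; do
        # Keep the target's previous key file so the change can be rolled back.
        if [ -f "$dst/$f" ]; then cp -p "$dst/$f" "$dst/$f.bak"; fi
        # Copy to a temp name, tighten the mode, swap in, then compare bytes.
        cp "$src/$f" "$dst/$f.tmp" &&
            chmod 600 "$dst/$f.tmp" &&
            mv "$dst/$f.tmp" "$dst/$f" &&
            cmp -s "$src/$f" "$dst/$f" || { echo "copy of $f failed" >&2; status=1; break; }
    done
    umask "$old_umask"
    return "$status"
}
```

Run it as the operating-system user that owns the AEM installation so the copied files keep the right owner, then restart the target as described in the last step. Remove the .bak files once the target is confirmed to decrypt data correctly, since they are key material too.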
There is a way to make AEM 6.3 read the Crypto keys from the JCR like you're currently familiar with; however, this is not recommended if you can avoid it. Start AEM 6.3 with the -Dcom.adobe.granite.crypto.file.disable=true flag. Note that this must happen on the first startup of the instance. The instance will not change behavior once AEM has been started with or without the flag.