ColdFusion encryption – Illegal key size or default parameters
We came across the “Illegal key size or default parameters” issue after switching from an older version of ColdFusion to the freshly installed ColdFusion 2016. It was strange. The encryption was working fine on the old server and suddenly stopped working on the new one.
It surfaced that this is not really caused by the “server upgrade” but by the
“Java downgrade” but, first things first…
Surprise, surprise…
Once we tried to encrypt some data on the new server, we got this error:
The error text reads (original spelling):
The key specified is not a valid key for this encryption: Illegal key size or default parameters. If encryption key size is greater than 128 bits make sure to insall JCE Unlimited Strength Policy Files. Use the generateSecretKey method to generate a valid key for this operation.
We are using at least 256-bit keys. As I wrote before, it was working fine on the old server. So, what was the source of this issue?
It surfaced that our old server ColdFusion instance was using Java 8 version 251. The initial ColdFusion 2016 installation however is using an outdated Java 8 version 112. There are two issues here – the first is that the outdated Java can expose you to the security risks, the second is that it is not easy to configure Java 8 in version 112 to provide Unlimited Strength to the encryption process.
Java update solution
As the solution to this issue, we decided to update the Java version on the server. In order to do this, you should download the lastest Java 8 from Oracle: https://www.oracle.com/java/technologies/javase-jre8-downloads.html and install it in the separate folder on your machine.
Once installed, you have to adjust the path to the Java in your ColdFusion configuration. You can adjust the path to Java in your ColdFusion administrator. I prefer to do this directly in the configuration file. The file you are looking for is located here:
[ColdFusion installation directory]/cfusion/bin/jvm.config
In the file you will find the java.home setting which will look most likely like this:
java.home=C:\\ColdFusion2016\\jre
Now you have to adjust it to point to the place you installed your new Java version. In my case it is:
java.home=C:\\Java\\jre1.8.0_251
As an additional step, you have to restart your ColdFusion process. Without it, your ColdFusion server will run using the old Java till the next restart.
Still not working?
In most cases, the installation of the new Java version will be enough. I notice though, that from time to time the freshly installed Java is still configured to limit the encryption key length.
In order to adjust this, you have to change the contents of the configuration file which is located here:
[Java installation directory]\lib\security\java.security
In the file you will find the commented out line:
#crypto.policy=unlimited
Now you can enable unlimited encryption key size by uncommenting that line (remove the #):
#crypto.policy=unlimited
As the last step you should restart ColdFusion which will also restart the underlying Java engine. This should do the trick.