Mosaic products documentation: Concepts, API Reference, Technical articles, How-to, Downloads and tools

Credentials Protection

Every time credentials (secrets) are passed to the Encoding API, they can (and should) be passed in an encrypted form.

You pass various credentials to the Encoding API, including those for your input and output storage, message publishers, DRM. In all these cases you want to grant access to your resource only the Encoding Service and to avoid any man-in-the-middle to be able to see your credentials. Specifically, you don’t want to store your credentials as plain text in configuration files.

You protect the credentials by encrypting them with an asymmetric algorithm using an Axinom Encoding public key as the encryption key. Then you signalize to Axinom Encoding that your credentials are encrypted.

Credentials protection can be used in the following cases:

Section Activation Encrypted Elements

Any Storage Provider

"CredentialsProtection": "Encrypted"


Any Message Publisher

"CredentialsProtection": "Encrypted"



"KeysProtection": "Encrypted"

ManagementKey, KeySeed, Thumbprints

Axinom recommends to always use Credentials Protection in production scenarios.

Encrypting a secret using Axinom tool

The simplest way to encrypt a secret is using Credentials Protection Tool.

screen credentials protection tool
Figure 1. Credentials Protection Tool
The tool implements encryption in your browser, without sending any information you provide to any server.

Encrypting a secret programmatically

To encrypt a secret:

  1. Download the Encoding Service certificate using the Encoding API (GET /certificate) (the call requires authentication) and decode from base64

  2. Extract the public key from the certificate

  3. Encrypt the secret with the public key using the RSA algorithm and PKCS #1 padding

  4. Use the base64 encoded encrypted result instead of the original secret string

See the example code in C# below (click to expand).
// Read raw base64 text from file
var base64EncodedCert = await File.ReadAllTextAsync(@"path_to_file_with_base64_encoded_cert.txt");

// Convert it to bytes array
var certAsBytes = Convert.FromBase64String(base64EncodedCert);

// Create an X.509 certificate object from bytes
using var x509 = new X509Certificate2(certAsBytes);

// Get a reference to public key
using var rsa = x509.GetRSAPublicKey();

// Convert your credentials secret to a byte array
var password = "credentials secret";
var dataToEncrypt = Encoding.UTF8.GetBytes(password);

// Encrypt using RSA with PKCS #1 padding
var encrypted = rsa.Encrypt(dataToEncrypt, RSAEncryptionPadding.Pkcs1);

// Encode encrypted in base64
var base64Encoded = Convert.ToBase64String(encrypted);