--- source_url: https://www.pubnub.com/docs/sdks/java/api-reference/encryption title: Encryption API for Java SDK updated_at: 2026-06-26T11:05:47.258Z sdk_name: PubNub Java SDK sdk_version: 6.4.5 --- > Documentation Index > For a curated overview of PubNub documentation, see: https://www.pubnub.com/docs/llms.txt > For the full list of all documentation pages, see: https://www.pubnub.com/docs/llms-full.txt # Encryption API for Java SDK PubNub Java SDK, use the latest version: 6.4.5 Install: ```bash Add PubNub dependency to your build@6.4.5 ``` PubNub Java SDK includes message and file encryption. This page explains how to configure the `cryptoModule` and how to encrypt and decrypt data. The SDK supports 128-bit Advanced Encryption Standard (AES) and 256-bit AES in Cipher Block Chaining (CBC) mode (AES-CBC). For general SDK configuration and initialization, refer to the [Configuration](https://www.pubnub.com/docs/sdks/java/api-reference/configuration) page. ## Configuration ### cryptoModule configuration To configure the `cryptoModule` to encrypt all messages/files, you can use the following methods in the Java SDK: ```java // encrypts using 256-bit AES-CBC cipher (recommended) // decrypts data encrypted with the legacy and the 256-bit AES-CBC ciphers pnConfiguration.cryptoModule = CryptoModule.createAesCbcCryptoModule("enigma", true): // encrypts with 128-bit cipher key entropy (legacy) // decrypts data encrypted with the legacy and the 256-bit AES-CBC ciphers pnConfiguration.cryptoModule = CryptoModule.createLegacyCryptoModule("enigma", true); ``` Your client can decrypt content produced by either `cryptoModule` or legacy `cipherKey`-based encryption. This allows the client to read historical messages and messages from older clients while you encrypt new messages with the stronger AES-256-CBC cipher. :::warning Older SDK versions Apps built using the SDK versions lower than 6.3.6 will not be able to decrypt data encrypted using the 256-bit AES-CBC cipher. Update your clients or encrypt data using the legacy algorithm. ::: :::note SDK initialization required Before you use encryption methods, ensure your PubNub client is configured with publish/subscribe keys and a user ID. See the [Configuration guide](https://www.pubnub.com/docs/sdks/java/api-reference/configuration#initialization) for setup instructions. ::: ### Relationship between cryptoModule and cipherKey The `cryptoModule` supersedes the `cipherKey` parameter. If you pass `customCipherKey` to `encrypt`/`decrypt` or `cipherKey` to stream methods, that argument overrides the configured `cryptoModule` for that operation and uses legacy AES-128 encryption. For partial encryption, create a separate `cryptoModule` instance and use it only where needed. ## Encryption methods ### Encrypt Use this function to encrypt data. :::warning Deprecated The `cipherKey` parameter in this method is deprecated. We recommend that you configure a separate instance of the [cryptoModule](https://www.pubnub.com/docs/sdks/java/api-reference/configuration#cryptomodule) and use it for partial encryption. If you pass `cipherKey` as an argument, it overrides the `cryptoModule` configuration and the legacy encryption with 128-bit cipher-key entropy is used. ::: #### Method(s) To `encrypt` the data you can use the following method(s) in Java SDK. ```java pubnub.encrypt(data, customCipherKey) ``` | Parameter | Type | Required | Default | Description | | --- | --- | --- | --- | --- | | data | String | Yes | | The `data` to `encrypt`. | | customCipherKey | String | Optional | | Cipher key to use for encryption. If provided, the legacy encryption with 128-bit cipher-key entropy is used. If not provided, the `cryptoModule` from PubNub config will be used. For more information, refer to [Crypto module configuration](https://www.pubnub.com/docs/sdks/java/api-reference/configuration#cryptomodule). | #### Sample code ##### Encrypt part of message ```java CryptoModule aesCbcCryptoModule = CryptoModule.createAesCbcCryptoModule("pn-9F3kQ7zR2xV8mB1tD6wL4yH0sN5cJ", true); String stringToBeEncrypted = "string to be encrypted"; byte[] encryptedData = aesCbcCryptoModule.encrypt(stringToBeEncrypted.getBytes(java.nio.charset.StandardCharsets.UTF_8)); ``` ### Encrypt file input stream Encrypts input stream with a cipher key. :::warning Deprecated The `cipherKey` parameter in this method is deprecated. We recommend that you configure a separate instance of the [cryptoModule](https://www.pubnub.com/docs/sdks/java/api-reference/configuration#cryptomodule) and use it for partial encryption. If you pass `cipherKey` as an argument, it overrides the `cryptoModule` configuration and the legacy encryption with 128-bit cipher-key entropy is used. ::: #### Method(s) ```java pubnub.encryptInputStream(inputStream, cipherKey) ``` | Parameter | Description | | --- | --- | | `inputStream` *Type: InputStreamDefault: n/a | Stream with content to encrypt. | | `cipherKey`Type: StringDefault: `PNConfiguration.getCipherKey()` | If provided, the legacy encryption with 128-bit cipher-key entropy is used. If not provided, the `cryptoModule` from PubNub config will be used. For more information, refer to [Crypto module configuration](https://www.pubnub.com/docs/sdks/java/api-reference/configuration#cryptomodule) | #### Sample code ```java CryptoModule aesCbcCryptoModule = CryptoModule.createAesCbcCryptoModule("pn-9F3kQ7zR2xV8mB1tD6wL4yH0sN5cJ", true); String stringToBeEncrypted = "string to be encrypted"; InputStream inputStream = new java.io.ByteArrayInputStream(stringToBeEncrypted.getBytes(java.nio.charset.StandardCharsets.UTF_8)); InputStream encryptedStream = aesCbcCryptoModule.encryptStream(inputStream); ``` #### Returns InputStream with encrypted data. ## Decryption methods ### Decrypt Use this function to decrypt data. :::warning Deprecated The `cipherKey` parameter in this method is deprecated. We recommend that you configure a separate instance of the [cryptoModule](https://www.pubnub.com/docs/sdks/java/api-reference/configuration#cryptomodule) and use it for partial encryption. If you pass `cipherKey` as an argument, it overrides the `cryptoModule` configuration and the legacy encryption with 128-bit cipher-key entropy is used. ::: #### Method(s) To `decrypt` the data you can use the following method(s) in Java SDK. ```java pubnub.decrypt(data, customCipherKey) ``` | Parameter | Description | | --- | --- | | `data` *Type: String | The `data` to `decrypt`. | | `customCipherKey`Type: String | Cipher key to use for decryption. | #### Sample code ```java CryptoModule aesCbcCryptoModule = CryptoModule.createAesCbcCryptoModule("pn-9F3kQ7zR2xV8mB1tD6wL4yH0sN5cJ", true); String stringToBeEncrypted = "string to be encrypted"; byte[] encryptedData = aesCbcCryptoModule.encrypt(stringToBeEncrypted.getBytes(java.nio.charset.StandardCharsets.UTF_8)); byte[] decryptedData = aesCbcCryptoModule.decrypt(encryptedData); ``` ### Decrypt file input stream Decrypts input stream with a cipher key. :::warning Deprecated The `cipherKey` parameter in this method is deprecated. We recommend that you configure a separate instance of the [cryptoModule](https://www.pubnub.com/docs/sdks/java/api-reference/configuration#cryptomodule) and use it for partial encryption. If you pass `cipherKey` as an argument, it overrides the `cryptoModule` configuration and the legacy encryption with 128-bit cipher-key entropy is used. ::: #### Method(s) ```java pubnub.decryptInputStream(inputStream, cipherKey) ``` | Parameter | Description | | --- | --- | | `inputStream` *Type: InputStreamDefault: n/a | Stream with content encrypted data. | | `cipherKey`Type: StringDefault: `PNConfiguration.getCipherKey()` | Cipher key to use for encryption. If provided, the legacy encryption with 128-bit cipher-key entropy is used. If not provided, the `cryptoModule` from PubNub config will be used. For more information, refer to [Crypto module configuration](https://www.pubnub.com/docs/sdks/java/api-reference/configuration#cryptomodule). | #### Sample code ```java CryptoModule aesCbcCryptoModule = CryptoModule.createAesCbcCryptoModule("pn-9F3kQ7zR2xV8mB1tD6wL4yH0sN5cJ", true); String stringToBeEncrypted = "string to be encrypted"; InputStream inputStream = new java.io.ByteArrayInputStream(stringToBeEncrypted.getBytes(java.nio.charset.StandardCharsets.UTF_8)); InputStream encryptedStream = aesCbcCryptoModule.encryptStream(inputStream); InputStream decryptedStream = aesCbcCryptoModule.decryptStream(encryptedStream); ``` #### Returns InputStream with decrypted data. ## Terms in this document * **Publish Key** - A unique identifier that allows your application to send messages to PubNub channels. It's part of your app's credentials and should be kept secure. * **Subscribe Key** - A unique identifier that allows your application to receive messages from PubNub channels. It's part of your app's credentials and should be kept secure. * **User** - An individual or entity that interacts with a system, application, or service. In PubNub, a user typically refers to someone who sends or receives messages through the platform, identified by a unique user ID or username. * **User ID** - UTF-8 encoded, unique string of up to 92 characters used to identify a single client (end user, device, or server) that connects to PubNub.