Encrypts/Decrypts files of any type and any size, using the AES or 3DES algorithms; Generates and escrows the symmetric encryption keys to a network-based Key Management solution - the StrongAuth KeyApplianceTM. It also automatically recovers the appropriate key from the key-management system when decrypting ciphertext; Supports the use of AES and Triple-DES algorithms to encrypt data - the choice can be made through a property setting or requested dynamically in the web-service request; the default is the AES algorithm, using a 256-bit key with Cipher Block Chaining (CBC) and ISO10126 padding. Supports the use of SHA1, SHA256, SHA384 and SHA512 digest algorithms - the default is SHA256.
Stores/Retrieves encrypted files automatically to/from public clouds such as Amazon's S3 or Microsoft's Azure. It can also store/retrieve encrypted files to/from private clouds built using Eucalyptus Walrus, from Storage Area Networks, Network Attached Storage and local file-systems; Works with applications in any programming language as long as the application can make a SOAP-based web-service request, Is a Simple Object Access Protocol (SOAP)-based web-service riding atop HTTPS. Works with AWS S3, Azure and Eucalyptus Walrus cloud-storage. Runs on any platform where Sun/Oracle Java (JDK6U27 at the time of writing) is supported - Windows, Linux, Solaris, OS-X, etc.; Includes free Java client programs to use the core-engine directly, and to use the web-service; Can be integrated to a FIPS 140-2 Hardware Security Module (HSM) for faster cryptographic processing; default implementation uses CPU and main memory for encryption/decryption;
Authenticates and authorizes requests against Active Directory or OpenDS.
Saves encrypted files using the W3C XML Encryption standard for portability. Escrows/retrieves encryption keys to/from the StrongAuth KeyApplianceTM which is a secure "black-box" appliance on the network that provides encryption, tokenization and key-management services for structured data-objects. Note that the default implementation of the SKCE requires a KeyAppliance on your network to work. However, you can modify the SKCE core to use another key-management service if you choose to. Authenticates and authorizes user-requests against an LDAP-based directory - either Active Directory or OpenDS; but, it can, technically, be configured to work with almost any LDAP-based directory service.
Helps prove compliance to regulatory requirements, such as PCI-DSS, FFIEC, HIPAA, GLBA 201 CMR 17.00 for encryption and key-management. Encrypts/decrypts at the rate of one (1) gigabyte per minute; the test machine was a physical box with an AMD Opteron Quad-Core CPU at 2.6 Ghz with 4GB of DRAM at 1333 Mhz. Your mileage may vary based on your machine's speed and capabilities; Does not maintain state, other than logs and temporary files; no encryption keys or unencrypted files are stored locally after the request is completed. Uses the W3C XMLEncryption standard to store meta-data about cryptographic information making it completely portable.
The StrongKey CryptoEngine™ is free and open-source software (FOSS) licensed under the GNU Library or Lesser General Public License version 2.0 (LGPLv2). See our License Section for more details.


We Have The Answers.
  1. What is the SKCE™?

    The StrongKey CryptoEngine™ (SKCE) is free and open-source software (FOSS) product, written in the Java programming language. The software is bundled as a web-application archive (WAR) that can be deployed in the Glassfish Java application server. It presents a web-service that allows a calling application to encrypt or decrypt files of any size and of any type, and move the files to and from public cloud-storage services, or storage networks and file-systems, automatically. It is designed to allow you to leverage public-clouds for storage while securing the data in accordance with regulatory requirements.

  2. Is there a quick introduction to the SKCE™?

    Our PDF presentation can give you a quick overview.

  3. Is there a support SLA available for the SKCE™?

    Yes. Please contact us for further details.

  4. What business benefits does the SKCE™ provide?

    The SKCE allows you to:

    • Use public clouds for storage, eliminating the need to lock-up capital in depreciating assets.
    • Encrypt sensitive data without having to worry about the mechanics of cryptography.
    • Use a proven key-management system to store and manage cryptographic keys.
    • Prove compliance to the encryption and key-management (EKM) part of PCI-DSS with little effort.
    • Use different public clouds for disaster recovery by storing multiple copies of encrypted files in AWS S3, Azure, Eucalyptus Walrus, etc.
    • Create a sophisticated and secure file-transfer scheme using public clouds to share data with partners, customers, branch-offices, etc.
  5. How does the SKCE™ work?

    There are two parts to the StrongKey CryptoEngine™ web-application - the web-service module and the "core" module.

    During an encryption process, the web-service module is responsible for:

    1. Receiving the web-service request from calling applications over SSL/TLS.
    2. Parsing and verifying request parameters.
    3. Authenticating the requester against the configured LDAP directory service (OpenDS or AD).
    4. Determining their authorization to request the service.
    5. Creating a unique folder for the input file so multiple submissions of the same file from one or more applications don't clobber each other.
    6. Calling the "core" module to perform the cryptographic processing and,
    7. Moving the returned file to a specified (or configured) target location. If the target location is a public cloud storage service, the web-service module authenticates to the cloud-service using configured access key(s).

    During encryption processing, the Core module is responsible for:

    1. Determining whether to use a new symmetric encryption key or a cached one.
    2. Generating a new symmetric encryption key (if needed) based on the configured/requested algorithm.
    3. Escrowing the symmetric key with a configured StrongAuth KeyApplianceTM (the code on SourceForge is configured to work with a DEMO appliance maintained by StrongAuth, Inc.; this can be changed in minutes to point to a different KeyAppliance if you have one on your network).
    4. Encrypting the plaintext (unencrypted) file while calculating a message-digest during the encryption process.
    5. Creating an XMLEncryption document containing cryptographic meta-data.
    6. Combining the XMLEncryption document and the ciphertext (encrypted) file into a single compressed ZIP file (with a file name containing a .XENC extension in it) and,
    7. Returning the XENC file to the calling application.

    During decryption processing, the Core module is responsible for:

    1. Unzipping the XENC file to extract the XMLEncryption meta-data.
    2. Determining the required symmetric key, the location where it can be retrieved, the cryptographic algorithm used for the original encryption, etc. from the meta-data document.
    3. Retrieving the required symmetric key from a StrongAuth KeyApplianceTM at the specified URL in the meta-data.
    4. Decrypting the ciphertext file while calculating a message-digest during the decryption process.
    5. Verifying the plaintext (decrypted) file by matching up the meta-data digest with a newly calculated digest and,
    6. Returning the plaintext file to the calling application.
  1. What platforms does SKCE™ support?

    The SKCE has been tested on the following platforms. If you successfully use it on any other platform, post your configuration on the SKCE Open Discussion Forum.

    Operating System

    • CentOS 5.5 64-bit
    • Windows7 Professional 64-bit

    Java Development Kit

    • Sun/Oracle JDK 6 Update 27

    Java Application Server

    • Glassfish 3.1

    LDAP Directory

    • OpenDS 2.2
    • Active Directory

    NetBeans IDE

    • 6.9.1
  2. Can I use SKCE on/with another platform?

    The SKCE was built using the CentOS 5.5 64-bit distribution of Linux. However, since it is a Java application, it will, technically, run on any platform that supports Java. The SKCE was also tested on Windows 7 Professional Edition. It is likely to run on most versions of Linux, UNIX, Windows and, perhaps, even the OS/400.

    The SKCE was built using the Sun/Oracle Java Development Kit 6 Update 26. However, it is likely to run with any update of JDK6 post 26. We have not tested it with JDK7 or OpenJDK; however, we plan to test it with Sun/Oracle JDK7 and the version of OpenJDK that ships with standard CentOS in the next few months. Once completed, we'll update the Supported Platforms section of this site.

    The SKCE was built using the Glassfish 3.1 Application Server. Given that Java Enterprise Edition (JEE5) Application Server vendors have different ways of configuring their servers, it is unlikely that SKCE will work with another application server without major modifications to the configuration process. The code in the servlet and the core-module is likely to run without any modifications, but configuration changes to the application server are most likely necessary.

    The SKCE was built using Netbeans IDE 6.9.1. The source code is also distributed as a Netbeans project. The project should be useable in the Eclipse IDE with a few tweaks for locating the dependent JARs.

    The SKCE was tested against OpenDS 2.0 and Active Directory running on Windows Server 2008 R2 for access control (authentication and authorization). The LDIF file in the distribution should work against almost all major LDAP Directory servers

    However, we haven't had time to test the SKCE with anything other than what we've defined in the Supported Platforms section. If you are able to make it work on/with another platform, post a message in the SKCE Open Discussions Forum; your peers, and we, will definitely appreciate the confirmation as well as details.

  3. Why should I use the SKCE when other FOSS tools are available?

    The industry is awash with free and open-source software (FOSS) tools and libraries for encryption: BouncyCastle, GPG, JCE, Mozilla, OpenSSL, ZIP (and many more we're probably unaware of). While the tool-kits and libraries are very capable and useful, they were designed to solve problems in a specific way that doesn't address the kinds of problems the SKCE addresses. The SKCE is the first to combine features to address the need to use public clouds while proving compliance to data-security regulations when sensitive data is involved. It does this by shielding the application developer from:

    1. Low-level code required for cryptographic processing;
    2. Low-level code required to integrate with a key-management system;
    3. Low-level code necessary to communicate with multiple cloud service providers. If you do not have a need to use public or private clouds, you can still use the SKCE and store your encrypted files on local or network storage within your environment.

    Combining these features and making it available as a web-service makes it possible to integrate legacy and newer internet-age applications to deliver a unique package of features to business users.

How It Works

A Secure Experience from Start to Finish.

1. Make a Web-Service Request.

2. Upload or Download files to a Cloud or a SAN/NAS Drive.

3. Repeat.

CryptoEngine- How It Works
CryptoEngine- How It Works

Get Started

Protecting Your Data. Easy as 1-2-3.


Download the Binary-zip File.

Before you begin you NEED to have,
  1. Glassfish 3.1
  2. OpenDS 2.2
  3. JDK 6
  4. JCE 6.0


  1. Extract/unzip the downloaded file.
  2. Setup SKCE
  3. Deploy SKCE.
  4. Configure SKCE.

View Wiki for detailed installation instructions.

Trouble Installing? Visit Support | Contact Us


  1. Run the Java application in command-line.
  2. Encrypt and Decrypt files using our web-services.

Check out our code!

Check out our SKCE™ web-service WSDL | XSD | Java Client


We Want You To Be Successful.


Free and Open-Source Software Just for You.

The StrongKey CryptoEngine™ (SKCE) is free and open-source software (FOSS) licensed under the GNU Library or Lesser General Public License version 2.0 (LGPLv2). If you want to modify and/or distribute the SKCE, you are welcome to do so under the terms of the same license.

Get In Touch

Thanks for looking. We'd love to hear from you.

sales @strongauth.com

support @strongauth.com

(408) 331-2000

150 W. Iowa Ave, Suite 204
Sunnyvale, CA 94086
USA (Map)

We are a provider of solutions in the fields of Enterprise Key Management, which includes public-key cryptography & symmetric-key management. If you're looking for solutions, or are confused about solutions to problems in these areas, contact us - we are certain we can help.