We need to encrypt data using AES/CBC/PKCS7. However the CF encrypt method only accepts AES/CBC/PKCS5Padding. Any idea how to achieve this? We are using CF 2016.
The only difference between PKCS#5 padding and PKCS#7 padding is that PKCS#5 uses a fixed 8-byte block size, and PKCS#7 allows for variable block sizes between 1 and 255 bytes. So it's possible that using PKCS#5 may technically work. But if you absolutely need to use PKCS#7 padding, you should be able to call an external Java class via createObject("java",...) -- such as BouncyCastle -- that supports PKCS#7.
Also - ColdFusion 2016 has been EOL for a few years and is impacted by several critical vulnerabilities. While not directly related to your question, there are important security/stability reasons to migrate to a supported platform.
In Java, as well as in ColdFusion (which runs on Java), "AES/CBC/PKCS5Padding" is the only padding available for block ciphers like AES. Nevertheless, as @Brian__ has mentioned, it is functionally identical to PKCS7 padding.
So, you don't need to encrypt data using "AES/CBC/PKCS7".
Under the bonnet, "PKCS5Padding" is implemented to work with AES, using a 16-byte block size, as required by AES. That results, in practice, in the PKCS#7 scheme. So if you specify
encrypt(data, key, "AES/CBC/PKCS5Padding", "Hex")
in ColdFusion, you will in fact get AES in CBC mode with PKCS7 padding (although it is named "PKCS5Padding" in Java’s API).
Example using "AES/CBC/PKCS5Padding" in ColdFusion 2016:
https://trycf.com/gist/a731623422b8967baa1f363958329686/acf2016?theme=monokai
<cfscript>
// Plaintext
plaintext = "Secret message that needs AES encryption.";
// Use raw binary
// AES requires a 16, 24, or 32 byte key (128, 192, 256 bits).
// Here we'll use a 32-byte (256-bit) key for AES-256.
keyBin = BinaryDecode("00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF", "hex");
// Convert to Base64 strings for use with encrypt()
key = ToBase64(keyBin);
// AES CBC requires a 16-byte IV
ivBin = BinaryDecode("0102030405060708090A0B0C0D0E0F10", "hex");
// Encrypt: PKCS5Padding == PKCS7 padding here
encrypted = encrypt(plaintext, key, "AES/CBC/PKCS5Padding", "hex", ivBin);
// Decrypt
decrypted = decrypt(encrypted, key, "AES/CBC/PKCS5Padding", "hex", ivBin);
writeOutput("<b>Plaintext:</b> " & plaintext & "<br>");
writeOutput("<b>Encrypted (Hex):</b> " & encrypted & "<br>");
writeOutput("<b>Decrypted:</b> " & decrypted & "<br>");
</cfscript>
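Added example, not part of any post in this thread: a plain Java check of the padding that "AES/CBC/PKCS5Padding" actually emits, done by decrypting the ciphertext with "AES/CBC/NoPadding" so the pad bytes stay visible. It reuses the demo key and IV from the example above; the class name and the helpers `hex`, `run` and `pkcs7Pad` are hypothetical names chosen for this illustration, and a JVM that permits 256-bit AES keys is assumed.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class Pkcs5IsPkcs7ForAes {
    // Demo key and IV copied from the thread's example; fixed values like
    // these are for reproducing the test only, not for protecting real data.
    static final byte[] KEY = hex("00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF");
    static final byte[] IV  = hex("0102030405060708090A0B0C0D0E0F10");

    static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    static byte[] run(int mode, String transformation, byte[] input) throws Exception {
        Cipher c = Cipher.getInstance(transformation);
        c.init(mode, new SecretKeySpec(KEY, "AES"), new IvParameterSpec(IV));
        return c.doFinal(input);
    }

    // Reference PKCS#7 padding: append n bytes of value n, 1 <= n <= blockSize.
    static byte[] pkcs7Pad(byte[] data, int blockSize) {
        int n = blockSize - (data.length % blockSize);
        byte[] out = Arrays.copyOf(data, data.length + n);
        Arrays.fill(out, data.length, out.length, (byte) n);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: 5 and 16 bytes pad differently for 8- and 16-byte blocks.
        String[] samples = { "hello", "exactly 16 bytes", "Secret message that needs AES encryption." };
        for (String s : samples) {
            byte[] pt = s.getBytes(StandardCharsets.UTF_8);
            byte[] ct = run(Cipher.ENCRYPT_MODE, "AES/CBC/PKCS5Padding", pt);
            // NoPadding on decrypt returns the plaintext with its pad bytes intact.
            byte[] raw = run(Cipher.DECRYPT_MODE, "AES/CBC/NoPadding", ct);
            System.out.printf("len=%2d lastByte=%2d matches16=%b matches8=%b%n",
                pt.length, raw[raw.length - 1],
                Arrays.equals(raw, pkcs7Pad(pt, 16)),
                Arrays.equals(raw, pkcs7Pad(pt, 8)));
        }
    }
}
```

The 41-byte message from the thread happens to need 7 pad bytes under both block sizes, which is why the shorter samples are included to separate the two cases.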
Thank you for your suggestions and the example. This has been very helpful!
My pleasure, @Dominik38524635qk7t.