Posted on May 7, 2013 in Blog, NetSuite, Security | 0 comments

This is a tutorial on how to generate an AES key for use on NetSuite’s nlapiEncrypt encryption API.

First, I need to tackle why there is a need to do encryption inside NetSuite. Is there any use for the Encryption APIs provided by NetSuite? Short answer is YES.

For example, you are integrating with another service, an external one, and you would like to store the password for that service inside NetSuite. You cannot just leave it unencrypted and in plain text format for the world to see. It needs to be encrypted in some form or another. Using nlapiEncrypt, you can do this inside NetSuite.

nlapiEncrypt is described under NetSuite’s Documentation as follows:


nlapiEncrypt(s, algorithm, key)

Encrypts a clear text String using a SHA-1 hash function. This is the same encryption used for password fields.


  • s {String} [required] – String being encrypted
  • algorithm {String} [optional] – algorithm to use
  • key {String} [optional] – secret key to use
Algorithm Description Key
sha1 Hash function using SHA-1 Algorithm from NSA (default)
aes Symmetric encryption using AES Algorithm 128-bit, 192-bit, or 256-bit hex key
base64 Base-64 encoding
xor Exclusive-OR obfuscation


SHA-1 is the default algorithm used by nlapiEncrypt but it is a one-way hash and cannot be decrypted back. base64 is unsecure since you can easily decode the encoded string. The same goes for Exclusive-OR obfuscation.

To securely store passwords in NetSuite which you can decrypt, you need to use the AES encryption algorithm. This algorithm makes use of a key which you can use to encrypt and decrypt plaintext strings. A user without the key will not be able to decrypt the encrypted String.

Now, how do we generate an AES key for use on nlapiEncrypt? Here’s a simple, easy to follow, step-by-step guide:


What we need:

  1. OpenSSL Light Win32 or Win64 – depends on your Windows installation (current version: Win32/64 OpenSSL v1.0.1e Light)


  1. Download and install the application on your Windows machine.
  2. (Optional) Set your Path environment variable to the bin directory of Win64 Open SSL (i.e. C:\{Win32OpenSSLInstallationDirectory}\bin)
  3. Open your command prompt window – Start > Type cmd > hit Enter.
  4. (Optional) If you haven’t done the #2 step, change your working directory to the bin directory of Win64 Open SSL by typing “cd C:\{Win32OpenSSLInstallationDirectory}\bin” without the quotes.
    cd C:\OpenSSL\bin
  5. Type in “openssl enc -aes-128-ecb -k <yoursecretkey> -P” without the quotes. Note: <yoursecretkey> should be replaced with your desired secret key.
    openssl enc -aes-128-ecb -k mypassphrase -P
  6. OpenSSL will have an output like the one below.

openssl aes key generation 1 How to generate an AES key for nlapiEncrypt aes encryption [Tutorial]

The value you will get from the key is what you can now use as your key in nlapiEncrypt. So you can do the following in your SuiteScript code:

nlapiEncrypt('mypasswordtobeencrypted', 'aes', 'EB7CB21AA6FB33D3B1FF14BBE7DB4962');

The code above will result to this encrypted String:


Now you can store it safely in a plain text field in NetSuite.


AES keys have different key strengths. We have generated a 128-bit hex key in this tutorial. To generate 192-bit and 256-bit hex keys, you may replace 128 with 192 and 256 on the command respectively.

Note: NetSuite has a bug in which it cannot use 192-bit and 256-bit hex keys for nlapiEncrypt. When you use stronger keys, NetSuite will return an error saying, “ Illegal key size or default parameters”. Oh well…
Copyright & Legal Trademark Notices

NetSuite is a registered trademark of NetSuite Inc.

OpenSSL is a registered trademark of the OpenSSL Software Foundation, Inc.

All other trademarks are the property of their respective owners. All rights reserved.