Supported algorithms for encryption and decryption

Hi,

What all algorithms are supported by Apigee for encryption and decryption of data?

Thanks,

Anup Rai


If you are encrypting the Message payload, there are many options.

First, you should use TLS between the client and the Apigee Edge endpoint. This provides transport-level security including encryption of the communication.

After the message arrives at your Apigee Edge API Proxy, it's unencrypted. Your API proxy logic runs in the "message layer", which is above the Transport layer. The transport has completed and your API proxy sees the message plaintext.

At this point if you would like the API Proxy to encrypt the message you have options.

  • AES encryption as you found
  • RSA or public/private key encryption
  • Any other algorithm supported by Java - Blowfish, DES, 3DES...
  • There are also some special cases like encrypted JWT, and XML Encryption. Search on the community and you will find links for the same.

I have never produced an example showing how to do RSA encryption of payloads in a Java callout. It's nothing novel or exotic. It would work the same way, basically, as AES, except you'd use a different crypto in the Java code.

UPDATE: I have produced such an example. See here.

The key thing is, on the other side... the upstream.... whatever is receiving the message, you need to implement the decryptor.

AES is pretty easy and well supported. If you're choosing, that seems a safe bet.

RSA is slow for cryptographic operations. Because of that, most practical uses of RSA for encryption of payloads larger than ~214 bytes (practical block size for RSA crypto with OAEP padding) actually employ a hybrid encryption. Basically: For encryption: auto-generate a symmetric AES key, and AES-encrypt the payload with that, and then RSA-encrypt the AES key with the RSA Public Key. Concatenate the two ciphertexts to the receiver. For decryption, the receiver splits the two ciphertexts (based on length), then uses the RSA Private key to decrypt the AES key from the first part, and uses the resulting AES key to decrypt the second part, to receive the original plaintext payload.

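The hybrid scheme described in the accepted answer, as an added Java example that is not from the original post or from Apigee. It assumes AES-256-GCM with a random 12-byte IV placed between the two ciphertexts, RSA-OAEP with SHA-256, and a hypothetical class name `HybridEnvelope`; the receiver finds the split point from the RSA modulus length.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.RSAKey;
import java.security.spec.MGF1ParameterSpec;
import javax.crypto.*;
import javax.crypto.spec.*;
public class HybridEnvelope {
    static final int IV_LEN = 12, TAG_BITS = 128; // assumed GCM parameters, not from the page
    // Pin both OAEP hashes explicitly rather than relying on provider defaults for MGF1.
    static final OAEPParameterSpec OAEP = new OAEPParameterSpec(
        "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
    static Cipher rsa(int mode, Key key) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPPadding");
        c.init(mode, key, OAEP);
        return c;
    }
    // Layout: RSA-wrapped AES key (modulus length) || IV (12 bytes) || AES-GCM ciphertext + tag
    static byte[] encrypt(PublicKey pub, byte[] plaintext) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey aesKey = kg.generateKey(); // fresh key per message
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, aesKey, new GCMParameterSpec(TAG_BITS, iv));
        byte[] body = aes.doFinal(plaintext);
        byte[] wrapped = rsa(Cipher.ENCRYPT_MODE, pub).doFinal(aesKey.getEncoded());
        return ByteBuffer.allocate(wrapped.length + IV_LEN + body.length).put(wrapped).put(iv).put(body).array();
    }

    static byte[] decrypt(PrivateKey priv, byte[] env) throws GeneralSecurityException {
        int rsaLen = (((RSAKey) priv).getModulus().bitLength() + 7) / 8; // split point
        if (env.length < rsaLen + IV_LEN + TAG_BITS / 8) throw new GeneralSecurityException("envelope too short");
        byte[] key = rsa(Cipher.DECRYPT_MODE, priv).doFinal(env, 0, rsaLen);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
            new GCMParameterSpec(TAG_BITS, env, rsaLen, IV_LEN));
        return aes.doFinal(env, rsaLen + IV_LEN, env.length - rsaLen - IV_LEN); // throws if tampered
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // constructed throwaway key pair
        byte[] env = encrypt(kp.getPublic(), "constructed sample payload".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decrypt(kp.getPrivate(), env), StandardCharsets.UTF_8));
    }
}
```

The upstream decryptor must use the same layout and parameters; any change to the wrapped key, IV, or body makes `decrypt` throw rather than return altered plaintext.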


Can you be more specific about what data you are talking about?

@Dino-at-Google We need to encrypt the message payload, so wanted to know what all algorithms are supported by Apigee for this.

I saw this link in which encryption was done using AES. Is there any other algorithm supported?

Hi Dino, does Apigee have a list which mentions what ciphers are used on Apigee to encrypt the request while sending it to the target? E.g. -

  • TLS1.2-AES-128-SHA256

One of my providers sent me a list of ciphers they will support. I have their certificate added in the Keystore, but can't see if we can determine the cipher algorithm used.

Update: See support for encrypted JWT, now available.