diff --git a/inc/Maat_rule.h b/inc/Maat_rule.h
index 2de6aeb..858c300 100644
--- a/inc/Maat_rule.h
+++ b/inc/Maat_rule.h
@@ -145,7 +145,8 @@ enum MAAT_INIT_OPT
 MAAT_OPT_STAT_FILE_PATH, //VALUE is a const char*,MUST end with '\0',SIZE= strlen(string+'\0')+1.DEFAULT: no default.
 MAAT_OPT_SCAN_DETAIL, //VALUE is interger,SIZE=sizeof(int). 0: not return any detail;1: return hit pos, not include regex grouping;
 // 2 return hit pos and regex grouping pos;DEFAULT:0
- MAAT_OPT_INSTANCE_NAME //VALUE is a const char*,MUST end with '\0',SIZE= strlen(string+'\0')+1,no more than 11 bytes.DEFAULT: MAAT_$tableinfo_path$.
+ MAAT_OPT_INSTANCE_NAME, //VALUE is a const char*,MUST end with '\0',SIZE= strlen(string+'\0')+1,no more than 11 bytes.DEFAULT: MAAT_$tableinfo_path$.
+ MAAT_OPT_DECRYPT_KEY //VALUE is a const char*,MUST end with '\0',SIZE= strlen(string+'\0')+1. No DEFAULT.
 };
 //return -1 if failed, return 0 on success;
 int Maat_set_feather_opt(Maat_feather_t feather,enum MAAT_INIT_OPT type,const void* value,int size);
diff --git a/src/entry/Maat_api.cpp b/src/entry/Maat_api.cpp
index 22adfaa..e0c3bf9 100644
--- a/src/entry/Maat_api.cpp
+++ b/src/entry/Maat_api.cpp
@@ -545,6 +545,10 @@ int Maat_set_feather_opt(Maat_feather_t feather,enum MAAT_INIT_OPT type,const vo
 ,"%s", (const char*)value);
 break;
+ case MAAT_OPT_DECRYPT_KEY:
+ _feather->decrypt_key=(unsigned char*)malloc(size*sizeof(unsigned char));
+ memcpy(_feather->decrypt_key,value,size);
+ break;
 default:
 return -1;
 }
@@ -566,6 +570,7 @@ int Maat_initiate_feather(Maat_feather_t feather)
 maat_update_cb,
 maat_finish_cb,
 _feather,
+ _feather->decrypt_key,
 _feather->logger);
 if(_feather->update_tmp_scanner==NULL)
 {
diff --git a/src/entry/Maat_rule.cpp b/src/entry/Maat_rule.cpp
index 9cbfd17..75e9fa5 100644
--- a/src/entry/Maat_rule.cpp
+++ b/src/entry/Maat_rule.cpp
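Review bot: The comment on `MAAT_OPT_DECRYPT_KEY` should say what the value is, because the new code treats it as a passphrase rather than raw key bytes: config_monitor.cpp reads it with `strlen()` and feeds it to EVP_BytesToKey to derive the cipher key and IV, and Maat_set_feather_opt copies `size` bytes of it with memcpy. Suggested wording: `//VALUE is a NUL-terminated passphrase (not raw key bytes); the cipher key/IV are derived from it with EVP_BytesToKey. Copied on set. SIZE= strlen(string+'\0')+1. No DEFAULT.`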
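Review bot: The new `MAAT_OPT_DECRYPT_KEY` case stores the key without any validation: `malloc` is unchecked, `size` is an `int` that may be 0 or negative, and nothing guarantees the copied bytes end in `'\0'` even though cm_read_table_file and decrypt_open later read the key with `strlen()`, so a caller that passes the string length without its terminator makes those reads run past the allocation. Setting the option twice also drops the earlier allocation. The rewrite below rejects a missing terminator the way the header comment already requires, frees any previous key, and fails the call on allocation failure; it assumes `decrypt_key` starts out NULL when the feather is created, which is outside this diff and should be confirmed. Since this buffer holds a secret, the feather's teardown (not in this diff) should also free it, ideally after an OPENSSL_cleanse.
```cpp
        case MAAT_OPT_DECRYPT_KEY:
            // the key is read later with strlen(), so the terminator must be
            // inside the given size; reject anything else up front
            if(value==NULL||size<=0||((const char*)value)[size-1]!='\0')
            {
                return -1;
            }
            free(_feather->decrypt_key);   // drop a previously set key (assumes NULL when unset)
            _feather->decrypt_key=(unsigned char*)malloc((size_t)size);
            if(_feather->decrypt_key==NULL)
            {
                return -1;
            }
            memcpy(_feather->decrypt_key,value,(size_t)size);
            break;
```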
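Review bot: `_feather->decrypt_key` is now passed to the traverse call unconditionally, and cm_read_table_file in this same commit treats a NULL key as "no key" but calls `strlen()` on anything else, so the field must be NULL whenever the option was never set; this diff does not show the feather's allocation initialising it, which should be confirmed (a `_feather->decrypt_key=NULL;` next to the other field initialisation, or a calloc of the struct, would settle it). The same applies to the `feather->decrypt_key` argument added in thread_rule_monitor in src/entry/Maat_rule.cpp.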
@@ -28,7 +28,7 @@
 #include "mesa_fuzzy.h"
 #include "great_index_engine.h"
-int MAAT_FRAME_VERSION_1_8_20170524=1;
+int MAAT_FRAME_VERSION_1_9_20170609=1;
 const char *maat_module="MAAT Frame";
 const char* CHARSET_STRING[]={"NONE","gbk","big5","unicode","utf8","bin",
@@ -3006,6 +3006,7 @@ void *thread_rule_monitor(void *arg)
 maat_update_cb,
 maat_finish_cb,
 feather,
+ feather->decrypt_key,
 feather->logger);
 pthread_mutex_unlock(&(feather->plugin_table_reg_mutex));
 if(feather->update_tmp_scanner!=NULL)
diff --git a/src/entry/Maat_rule_internal.h b/src/entry/Maat_rule_internal.h
index 147a4a8..a3a8a76 100644
--- a/src/entry/Maat_rule_internal.h
+++ b/src/entry/Maat_rule_internal.h
@@ -372,6 +372,7 @@ struct _Maat_feather_t
 char instance_name[MAX_TABLE_NAME_LEN];
 char table_info_fn[MAX_TABLE_NAME_LEN];
 pthread_mutex_t plugin_table_reg_mutex;
+ unsigned char* decrypt_key;
 //for stat>>>>
 screen_stat_handle_t stat_handle;
 int total_stat_id;
diff --git a/src/entry/Makefile b/src/entry/Makefile
index 65c5b52..b052f5e 100644
--- a/src/entry/Makefile
+++ b/src/entry/Makefile
@@ -8,7 +8,7 @@ GCOV_FLAGS = -fprofile-arcs -ftest-coverage
 CFLAGS += $(OPTFLAGS)
 #CFLAGS += $(GCOV_FLAGS)
 LDDICTATOR = -Wl,-wrap,malloc -Wl,-wrap,calloc -Wl,-wrap,free -Wl,-wrap,realloc
-LDFLAGS = -lMESA_handle_logger -lMESA_htable -lpthread -lrt -lm -lrulescan -lpcre -lMESA_field_stat2 -lgcov
+LDFLAGS = -lMESA_handle_logger -lMESA_htable -lpthread -lrt -lm -lrulescan -lpcre -lMESA_field_stat2 -lcrypto
 #LDFLAGS += $(LDDICTATOR)
 LDFLAGS += $(GCOV_FLAGS)
 MAILLIB = ../lib
diff --git a/src/entry/config_monitor.cpp b/src/entry/config_monitor.cpp
index 7582077..360e99c 100644
--- a/src/entry/config_monitor.cpp
+++ b/src/entry/config_monitor.cpp
@@ -4,7 +4,7 @@
 #include
 #include
 #include
-
+#include
 const char* module_config_monitor="CONFIG_MONITOR";
 #define CM_UPDATE_TYPE_ERR -1
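Review bot: The new `decrypt_key` field in struct _Maat_feather_t has no comment, yet it carries an ownership and format contract that two other files depend on (Maat_api.cpp mallocs and copies into it, config_monitor.cpp reads it with strlen); suggested: `unsigned char* decrypt_key; //NUL-terminated passphrase copied by MAAT_OPT_DECRYPT_KEY (owned by the feather); must be NULL when no key was set`. Whether it is freed at feather teardown is not visible in this diff.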
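Review bot: The LDFLAGS line drops `-lgcov` in the same edit that adds `-lcrypto`, which is unrelated to the decryption feature and is not called out anywhere. It is probably harmless because `LDFLAGS += $(GCOV_FLAGS)` still passes `-fprofile-arcs` at link time, which makes gcc pull in libgcov by itself, but if the removal is intended it deserves a line in the commit message, and if not the line should read `... -lMESA_field_stat2 -lgcov -lcrypto`.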
@@ -13,6 +13,14 @@ const char* module_config_monitor="CONFIG_MONITOR";
 #define CM_MAX_TABLE_NUM 256
 #define MAX_CONFIG_FN_LEN 256
 #define MAX_CONFIG_LINE 1024*4
+
+#ifndef MAX
+#define MAX(a, b) (((a) > (b)) ? (a) : (b))
+#endif
+
+#ifndef MIN
+#define MIN(a, b) (((a) < (b)) ? (a) : (b))
+#endif
 //#define USING_DICTATOR 1
 extern "C" void __real_free(void*p);
 struct cm_table_info_t
@@ -20,7 +28,118 @@ struct cm_table_info_t
 char table_name[MAX_CONFIG_FN_LEN];
 char cfg_path[MAX_CONFIG_FN_LEN];
 int cfg_num;
+ char encryp_algorithm[MAX_CONFIG_FN_LEN];
 };
+int decrypt_open(FILE* in,const unsigned char* key, const char* algorithm,unsigned char**pp_out,void *logger)
+{
+
+ unsigned char inbuf[MAX_CONFIG_LINE];
+ int inlen, out_blk_len=0;
+ int out_buff_len=0,buff_offset=0;
+ EVP_CIPHER_CTX *ctx;
+
+ unsigned char cipher_key[EVP_MAX_KEY_LENGTH];
+ unsigned char cipher_iv[EVP_MAX_IV_LENGTH];
+ memset(cipher_key,0,sizeof(cipher_key));
+ memset(cipher_iv,0,sizeof(cipher_iv));
+
+ const EVP_CIPHER *cipher;
+ const EVP_MD *dgst=NULL;
+ const unsigned char *salt=NULL;
+ int ret=0;
+
+ OpenSSL_add_all_algorithms();
+ cipher=EVP_get_cipherbyname(algorithm);
+ if(cipher==NULL)
+ {
+ MESA_handle_runtime_log(logger,RLOG_LV_FATAL,module_config_monitor,"Not cipher:%s not supported.");
+ return 0;
+ }
+ dgst=EVP_get_digestbyname("md5");
+ if(dgst==NULL)
+ {
+ MESA_handle_runtime_log(logger,RLOG_LV_FATAL,module_config_monitor,"Get MD5 object failed.");
+ return 0;
+ }
+ ret=EVP_BytesToKey(cipher,dgst,salt,key,strlen((const char*)key),1,cipher_key,cipher_iv);
+ if(ret==0)
+ {
+ MESA_handle_runtime_log(logger,RLOG_LV_FATAL,module_config_monitor,"Key and IV generatioin failed.");
+ return 0;
+ }
+ /* Don't set key or IV right away; we want to check lengths */
+ ctx = EVP_CIPHER_CTX_new();
+ EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL,0);
+ OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) == 16);
+ OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16);
+
+ /* Now we can set key and IV */
+ EVP_CipherInit_ex(ctx, NULL, NULL, cipher_key, cipher_iv, 0);
+ out_buff_len=16*1024;
+ *pp_out=(unsigned char*)malloc(out_buff_len*sizeof(unsigned char));
+ for (;;)
+ {
+ inlen = fread(inbuf, 1, MAX_CONFIG_LINE, in);
+ if (inlen <= 0)
+ break;
+ out_blk_len=out_buff_len-buff_offset;
+ if (!EVP_CipherUpdate(ctx, *pp_out+buff_offset, &out_blk_len, inbuf, inlen))
+ {
+ MESA_handle_runtime_log(logger,RLOG_LV_FATAL,module_config_monitor,"EVP_CipherUpdate failed.");
+ EVP_CIPHER_CTX_free(ctx);
+ goto error_out;
+ }
+ buff_offset+=out_blk_len;
+ if(buff_offset==out_buff_len)
+ {
+ out_buff_len*=2;
+ *pp_out=(unsigned char*)realloc(*pp_out,out_buff_len);
+ }
+ }
+ if (!EVP_CipherFinal_ex(ctx, *pp_out+buff_offset, &out_blk_len))
+ {
+ MESA_handle_runtime_log(logger,RLOG_LV_FATAL,module_config_monitor,"EVP_CipherFinal_ex failed.");
+ EVP_CIPHER_CTX_free(ctx);
+ goto error_out;
+ }
+ buff_offset+=out_blk_len;
+ EVP_CIPHER_CTX_free(ctx);
+ return buff_offset;
+error_out:
+ free(*pp_out);
+ *pp_out=NULL;
+ return 0;
+}
+char* read_nxt_line_from_buff(const unsigned char* buff, int buff_size, int* offset, char*line ,int line_size)
+{
+ int this_offset=0;
+ const unsigned char* p;
+ //search for CRLF, aka '\r', '\n' or "\r\n"
+ p=(const unsigned char*)memchr(buff+*offset,'\r',buff_size-*offset);
+ if(p==NULL)
+ {
+ p=(const unsigned char*)memchr(buff+*offset,'\n',buff_size-*offset);
+ }
+ else
+ {
+ if(p-buff=0)//jump over empty line ,idx[i].cfg_path ,idx[i].encryp_algorithm); if((ret==3||ret==4)&&idx[i].cfg_num>=0)//jump over empty line { i++; }
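Review bot: The output buffer in decrypt_open's read loop can be overrun: EVP_CipherUpdate ignores the incoming value of `out_blk_len` (it is an output parameter, not a capacity) and may write up to `inlen` plus one cipher block, yet `*pp_out` is only grown when `buff_offset` lands exactly on `out_buff_len`, which a CBC decrypt that holds back a block never does, so an input longer than roughly 16 KiB writes past the 16 KiB allocation, and `EVP_CipherFinal_ex` has no room check at all. The rewrite below reserves `inlen + block size` before each update and one block before the final call, keeps the realloc result in a temporary so the original buffer is released on failure, and checks `malloc`, `EVP_CIPHER_CTX_new` and both `EVP_CipherInit_ex` calls. Two smaller points in the same hunk: the log call `"Not cipher:%s not supported."` has a `%s` with no matching argument (pass `algorithm`), and the two `OPENSSL_assert` calls abort the whole process when the algorithm column of an index file names a cipher whose key or IV is not 16 bytes (aes-256-cbc, for example), which should be a logged failure returning 0 instead. It is also worth documenting on the function that the key and IV come from EVP_BytesToKey with no salt and a single MD5 round, and that CBC output carries no integrity check, so a corrupted or altered file is only caught by the final padding check. read_nxt_line_from_buff and the remainder of the hunk are garbled in this view and were not reviewed.
```cpp
    EVP_CIPHER_CTX *ctx=NULL;
    int block_len=0;
    *pp_out=NULL;   // so error_out may free it unconditionally
    // … unchanged: key/IV buffers, cipher and digest lookup, EVP_BytesToKey …
    ctx = EVP_CIPHER_CTX_new();
    if(ctx==NULL||!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL,0))
    {
        MESA_handle_runtime_log(logger,RLOG_LV_FATAL,module_config_monitor,"Cipher context init failed for %s.",algorithm);
        goto error_out;
    }
    if(EVP_CIPHER_CTX_key_length(ctx) != 16 || EVP_CIPHER_CTX_iv_length(ctx) != 16)
    {
        MESA_handle_runtime_log(logger,RLOG_LV_FATAL,module_config_monitor,"Cipher %s: key/IV length not supported.",algorithm);
        goto error_out;
    }
    if(!EVP_CipherInit_ex(ctx, NULL, NULL, cipher_key, cipher_iv, 0))
    {
        MESA_handle_runtime_log(logger,RLOG_LV_FATAL,module_config_monitor,"Setting key/IV failed.");
        goto error_out;
    }
    block_len=EVP_CIPHER_CTX_block_size(ctx);
    out_buff_len=16*1024;
    *pp_out=(unsigned char*)malloc(out_buff_len);
    if(*pp_out==NULL)
    {
        goto error_out;
    }
    for (;;)
    {
        inlen = fread(inbuf, 1, MAX_CONFIG_LINE, in);
        if (inlen <= 0)
            break;
        // EVP_CipherUpdate may emit up to inlen + block_len bytes; make room first
        while(out_buff_len-buff_offset < inlen+block_len)
        {
            unsigned char *tmp=(unsigned char*)realloc(*pp_out,out_buff_len*2);
            if(tmp==NULL)
            {
                goto error_out;
            }
            *pp_out=tmp;
            out_buff_len*=2;
        }
        if (!EVP_CipherUpdate(ctx, *pp_out+buff_offset, &out_blk_len, inbuf, inlen))
        {
            MESA_handle_runtime_log(logger,RLOG_LV_FATAL,module_config_monitor,"EVP_CipherUpdate failed.");
            goto error_out;
        }
        buff_offset+=out_blk_len;
    }
    // EVP_CipherFinal_ex may emit one more block
    if(out_buff_len-buff_offset < block_len)
    {
        unsigned char *tmp=(unsigned char*)realloc(*pp_out,out_buff_len+block_len);
        if(tmp==NULL)
        {
            goto error_out;
        }
        *pp_out=tmp;
        out_buff_len+=block_len;
    }
    if (!EVP_CipherFinal_ex(ctx, *pp_out+buff_offset, &out_blk_len))
    {
        MESA_handle_runtime_log(logger,RLOG_LV_FATAL,module_config_monitor,"EVP_CipherFinal_ex failed.");
        goto error_out;
    }
    buff_offset+=out_blk_len;
    EVP_CIPHER_CTX_free(ctx);
    return buff_offset;
error_out:
    EVP_CIPHER_CTX_free(ctx);   // NULL-safe
    free(*pp_out);
    *pp_out=NULL;
    return 0;
```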
@@ -224,17 +346,40 @@ int cm_read_cfg_index_file(const char* path,struct cm_table_info_t* idx,int size
 int cm_read_table_file(struct cm_table_info_t* index,
 void (*update)(const char*,const char*,void*),
 void* u_para,
+ const unsigned char* key,
 void* logger)
 {
 int cfg_num=0,i=0;
 char line[MAX_CONFIG_LINE]={0},*ret_str=NULL;
+ unsigned char* decrypt_buff=NULL;
+ int decrypt_len=0,do_decrypt=0,decrypt_offset=0;
 FILE*fp=fopen(index->cfg_path,"r");
 if(fp==NULL)
 {
 MESA_handle_runtime_log(logger,RLOG_LV_FATAL,module_config_monitor,"update error,open %s failed.",index->cfg_path);
 return -1;
 }
- fscanf(fp,"%d\n",&cfg_num);
+ if(strlen(index->encryp_algorithm)>0)
+ {
+ if(key==NULL||strlen((const char*)key)==0)
+ {
+ MESA_handle_runtime_log(logger,RLOG_LV_FATAL,module_config_monitor,"update error,no key to decrypt %s.",index->cfg_path);
+ return -1;
+ }
+ decrypt_len=decrypt_open(fp, key,index->encryp_algorithm, &decrypt_buff,logger);
+ if(decrypt_len==0)
+ {
+ MESA_handle_runtime_log(logger,RLOG_LV_FATAL,module_config_monitor,"update error,%s decrypt failed.",index->cfg_path);
+ return -1;
+ }
+ read_nxt_line_from_buff(decrypt_buff, decrypt_len, &decrypt_offset, line, sizeof(line));
+ sscanf(line,"%d\n",&cfg_num);
+ do_decrypt=1;
+ }
+ else
+ {
+ fscanf(fp,"%d\n",&cfg_num);
+ }
 if(cfg_num!=index->cfg_num)
 {
 MESA_handle_runtime_log(logger,RLOG_LV_FATAL,module_config_monitor ,"file %s config num not matched",index->cfg_path);
@@ -244,7 +389,14 @@ int cm_read_table_file(struct cm_table_info_t* index,
 for(i=0;itable_name,line,u_para);
 }
 fclose(fp);
+ if(decrypt_buff!=NULL)
+ {
+ free(decrypt_buff);
+ }
 return 0;
 }
 const char* path2filename(const char*path)
@@ -281,6 +437,7 @@ void config_monitor_traverse(unsigned int version,const char*idx_dir,
 void (*update)(const char* ,const char*,void* ),
 void (*finish)(void*),
 void* u_para,
+ const unsigned char* dec_key,
 void* logger)
 {
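Review bot: The two new `return -1;` statements inside the `strlen(index->encryp_algorithm)>0` branch (missing key, and `decrypt_len==0`) leave `fp` open, so every failed update of an encrypted table leaks a FILE handle; add `fclose(fp);` before each, or jump to a common cleanup at the end of the function. Neither the return of `read_nxt_line_from_buff` nor that of `sscanf` is checked, so an empty or headerless decrypted buffer silently leaves `cfg_num` at 0 and relies on the count-mismatch check below to reject it, which deserves a log line of its own. `do_decrypt` is set here but used outside this hunk, and cm_read_table_file continues past the hunk.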
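Review bot: The `if(decrypt_buff!=NULL)` guard around `free(decrypt_buff)` is redundant, since `free(NULL)` is a no-op; a plain `free(decrypt_buff);` after `fclose(fp);` reads more simply. The loop body of this hunk is garbled in this view and was not reviewed.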
@@ -305,7 +462,7 @@ void config_monitor_traverse(unsigned int version,const char*idx_dir, start(new_version,update_type,u_para); for(j=0;j1&&0==strcmp(argv[1],"update")) {
diff --git a/test/rule/full/HTTP_URL.local.encrypt b/test/rule/full/HTTP_URL.local.encrypt
new file mode 100644
index 0000000..ef2f435
--- /dev/null
+++ b/test/rule/full/HTTP_URL.local.encrypt
@@ -0,0 +1,2 @@
+ñë{àÞ÷1©T XÒ·ÚòáF× ¡\y{†ee"ŠS#‚¤Óe}e¾šÑhùºÍš†þ×’ávÉh…þ´L’ïËè6™
+ÒfIâ%­Ÿ­›
\ No newline at end of file
diff --git a/test/rule/full/index/full_config_index.0000000001 b/test/rule/full/index/full_config_index.0000000001
index 59f5edf..9a819f6 100644
--- a/test/rule/full/index/full_config_index.0000000001
+++ b/test/rule/full/index/full_config_index.0000000001
@@ -4,7 +4,7 @@ TEST_PLUGIN_TABLE 3 ./rule/full/TEST_PLUGIN_TABLE.local
 HTTP_REGION 1 ./rule/full/HTTP_REGION.local
 IP_CONFIG 2 ./rule/full/IP_CONFIG.local
 CONTENT_SIZE 2 ./rule/full/CONTENT_SIZE.local
-HTTP_URL 5 ./rule/full/HTTP_URL.local
+HTTP_URL 5 ./rule/full/HTTP_URL.local.encrypt aes-128-cbc
 HTTP_HOST 1 ./rule/full/HTTP_HOST.local
 QD_ENTRY_INFO 3 ./rule/full/QD_ENTRY_INFO.local
 FILE_DIGEST 1 ./rule/full/FILE_DIGEST.local