diff --git a/server/common/crypto.go b/server/common/crypto.go
index 70581920..0d80a078 100644
--- a/server/common/crypto.go
+++ b/server/common/crypto.go
@@ -41,7 +41,7 @@ func DecryptString(secret string, data string) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	d, err = decrypt([]byte(secret), d)
+	d, err = DecryptAESGCM([]byte(secret), d)
 	if err != nil {
 		return "", err
 	}
@@ -143,7 +143,7 @@ func EncryptAESGCM(key []byte, plaintext []byte) ([]byte, error) {
 	return gcm.Seal(nonce, nonce, plaintext, nil), nil
 }
 
-func decrypt(key []byte, ciphertext []byte) ([]byte, error) {
+func DecryptAESGCM(key []byte, ciphertext []byte) ([]byte, error) {
 	c, err := aes.NewCipher(key)
 	if err != nil {
 		return nil, err
diff --git a/server/ctrl/tmpl.go b/server/ctrl/tmpl.go
index 0135f5bc..06c35f49 100644
--- a/server/ctrl/tmpl.go
+++ b/server/ctrl/tmpl.go
@@ -115,7 +115,19 @@ var tmplFuncs = template.FuncMap{
 		}
 		return strings.Join(chunks, ", "), nil
 	},
-	"encryptGCM": func(str string, key string) (string, error) {
+	"debug": func(data string) (string, error) {
+		Log.Debug("ctrl/tmpl data=%s", data)
+		return data, nil
+	},
+	"decryptGCM": func(key string, str string) (string, error) {
+		t, err := base64.StdEncoding.DecodeString(str)
+		if err != nil {
+			return "", err
+		}
+		d, err := DecryptAESGCM([]byte(key), t)
+		return string(d), err
+	},
+	"encryptGCM": func(key string, str string) (string, error) {
 		data, err := EncryptAESGCM([]byte(key), []byte(str))
 		return base64.StdEncoding.EncodeToString(data), err
 	},