PowerShell examples for symmetric and asymmetric encryption with the .Net cryptography model
# Example code for encrypting and decrypting secrets with .Net cryptography using either symmetric or asymmetric encryption
###################################
## SYMMETRIC ENCRYPTION ##
## Using AES 256-bit in CBC mode ##
###################################
# Create an AES key and Initialization vector
$AES = [System.Security.Cryptography.Aes]::Create()
# Aes.Create() already fills Key and IV with random bytes; base64-encode both so
# they can be stored as text. Only the key is secret, the IV may be stored alongside
# the ciphertext.
$Key, $IV = [Convert]::ToBase64String($AES.Key), [Convert]::ToBase64String($AES.IV)
# Save both the key and IV and secure the key
# Use the same key and IV to encrypt and decrypt
# Use a different (fresh, random) IV for each encryption under the same key where possible, eg:
# $AES.GenerateIV()
# $IV = [System.Convert]::ToBase64String($aes.IV)
# Encrypt
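Function Encrypt-Data {
    <#
    .SYNOPSIS
    Encrypts a string with AES (CBC mode) using a base64-encoded key and IV.
    .DESCRIPTION
    Decodes the base64 key and IV, encrypts the UTF-16LE ([Text.Encoding]::Unicode)
    bytes of $Data with the Aes default mode (CBC, PKCS7 padding) and returns the
    ciphertext as a base64 string. Decrypt-Data must be given the same key and IV.
    CBC provides confidentiality only: the ciphertext carries no authentication tag,
    so a modified ciphertext is not reliably detected on decryption. Treat the key
    as the secret; the IV may be stored next to the ciphertext but should be fresh
    for every message encrypted under the same key.
    The Aes instance and the encryptor are disposed on every exit path so the key
    bytes they hold are released rather than left for the finalizer.
    .PARAMETER Key
    Base64-encoded AES key (for example [Aes]::Create().Key).
    .PARAMETER IVector
    Base64-encoded 16-byte initialization vector.
    .PARAMETER Data
    Plaintext string to encrypt.
    .OUTPUTS
    System.String. Base64-encoded ciphertext.
    .NOTES
    Throws System.FormatException when Key or IVector is not valid base64 and
    System.Security.Cryptography.CryptographicException when the decoded key or IV
    has an invalid length. A later section of this file defines another
    Encrypt-Data (RSA); whichever is loaded last wins.
    #>
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,Position=0)]
        [String]$Key,
        [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,Position=1)]
        [String]$IVector,
        [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,Position=2)]
        [String]$Data
    )
    $KeyBytes = [System.Convert]::FromBase64String($Key)
    $IVBytes = [System.Convert]::FromBase64String($IVector)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = $KeyBytes
        $aes.IV = $IVBytes
        $encryptor = $aes.CreateEncryptor()
        try {
            [System.Byte[]]$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Data)
            # TransformFinalBlock applies PKCS7 padding, so any input length (including empty) is accepted.
            $EncryptedBytes = $encryptor.TransformFinalBlock($Bytes, 0, $Bytes.Length)
            Return [System.Convert]::ToBase64String($EncryptedBytes)
        }
        finally {
            $encryptor.Dispose()
        }
    }
    finally {
        # Dispose releases the algorithm instance and the key/IV copies it holds.
        $aes.Dispose()
    }
}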
# Decrypt
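Function Decrypt-Data {
    <#
    .SYNOPSIS
    Decrypts a base64 AES (CBC) ciphertext produced by Encrypt-Data.
    .DESCRIPTION
    Decodes the base64 key, IV and ciphertext, decrypts with the Aes default mode
    (CBC, PKCS7 padding) and decodes the plaintext as UTF-16LE
    ([Text.Encoding]::Unicode), matching the encoding Encrypt-Data uses.
    Because CBC is unauthenticated, a wrong key, wrong IV or altered ciphertext is
    not reliably detected: it usually surfaces as a CryptographicException from the
    padding check, but can also yield garbage plaintext. Do not expose whether a
    failure was a padding error to untrusted callers.
    The Aes instance and the decryptor are disposed on every exit path.
    .PARAMETER Key
    Base64-encoded AES key used for encryption.
    .PARAMETER IVector
    Base64-encoded 16-byte initialization vector used for encryption.
    .PARAMETER Data
    Base64-encoded ciphertext.
    .OUTPUTS
    System.String. The decrypted plaintext.
    .NOTES
    Throws System.FormatException for invalid base64 input and
    System.Security.Cryptography.CryptographicException for a bad key/IV length or
    a ciphertext that fails decryption. A later section of this file defines another
    Decrypt-Data (RSA); whichever is loaded last wins.
    #>
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,Position=0)]
        [String]$Key,
        [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,Position=1)]
        [String]$IVector,
        [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,Position=2)]
        [String]$Data
    )
    $KeyBytes = [System.Convert]::FromBase64String($Key)
    $IVBytes = [System.Convert]::FromBase64String($IVector)
    $EncryptedBytes = [System.Convert]::FromBase64String($Data)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = $KeyBytes
        $aes.IV = $IVBytes
        $Decryptor = $aes.CreateDecryptor()
        try {
            $DecryptedBytes = $Decryptor.TransformFinalBlock($EncryptedBytes, 0, $EncryptedBytes.Length)
            Return [System.Text.Encoding]::Unicode.GetString($DecryptedBytes)
        }
        finally {
            $Decryptor.Dispose()
        }
    }
    finally {
        # Dispose releases the algorithm instance and the key/IV copies it holds.
        $aes.Dispose()
    }
}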
# Example
$Key = "/L5b+B9W1wS+dV2M2yD66W7V6..."
$IV = "+p7ppGLz7XOHR..."
# The key/IV strings above are truncated placeholders; generate real ones with
# [Aes]::Create() as shown earlier in this file.
$TextToEncrypt = "SuperSenstiveData"
$EncryptedText = Encrypt-Data -Key $Key -IVector $IV -Data $TextToEncrypt
$DecryptedText = Decrypt-Data -Key $Key -IVector $IV -Data $EncryptedText
#################################################
## ASYMMETRIC ENCRYPTION ##
## Using RSACng 3072-bit with OAEP (SHA-384) padding ##
## Will encrypt maximum 286 bytes which in ##
## UTF-8 or ASCII will be up to 286 characters ##
## but in Unicode will be 143 ##
## Requires .Net Framework 4.6 minimum ##
#################################################
# Create the pub/prv key pair
$RSACNG = [System.Security.Cryptography.RSACng]::new(3072)
# Export both halves of the key pair as CNG key blobs. The private blob is the
# secret; the public blob can be handed to anyone who needs to encrypt.
$ExportedPublicKey = $RSACNG.Key.Export([System.Security.Cryptography.CngKeyBlobFormat]::GenericPublicBlob)
$ExportedPrivateKey = $RSACNG.Key.Export([System.Security.Cryptography.CngKeyBlobFormat]::GenericPrivateBlob)
# Base64-encode the blobs so they can be stored/transported as text.
$PublicKey, $PrivateKey = [Convert]::ToBase64String($ExportedPublicKey), [Convert]::ToBase64String($ExportedPrivateKey)
# Save the public and private keys and secure the private key
# Use the public key to encrypt and the private key to decrypt
# Encrypt
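Function Encrypt-Data {
    <#
    .SYNOPSIS
    Encrypts a string with an RSA public key using OAEP (SHA-384) padding.
    .DESCRIPTION
    Imports the base64-encoded CNG GenericPublicBlob, encrypts the UTF-8 bytes of
    $Data with RSA-OAEP-SHA384 and returns the ciphertext as base64.
    RSA encrypts only a single short message: with the 3072-bit key generated in
    this file the plaintext is limited to 286 bytes, and longer input makes
    RSACng.Encrypt throw a CryptographicException. For larger payloads, encrypt the
    data with AES (see the symmetric section) and use RSA only to wrap the AES key.
    The imported CngKey and the RSACng instance are disposed on every exit path.
    .PARAMETER Data
    Plaintext string to encrypt (at most 286 UTF-8 bytes for a 3072-bit key).
    .PARAMETER PublicKey
    Base64-encoded CNG GenericPublicBlob, as produced by RSACng.Key.Export().
    .OUTPUTS
    System.String. Base64-encoded ciphertext.
    .NOTES
    RSACng wraps Windows CNG. Throws System.FormatException for invalid base64 and
    System.Security.Cryptography.CryptographicException for an unusable blob or an
    oversized message. This definition shares its name with the symmetric
    Encrypt-Data earlier in this file; if the whole file is loaded, this later
    definition replaces it.
    #>
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,Position=0)]
        [String]$Data,
        [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,Position=1)]
        [String]$PublicKey
    )
    $PublicKeyBytes = [System.Convert]::FromBase64String($PublicKey)
    [System.Byte[]]$DataBytes = [System.Text.Encoding]::UTF8.GetBytes($Data)
    $CNGPublicKey = [System.Security.Cryptography.CngKey]::Import($PublicKeyBytes, [System.Security.Cryptography.CngKeyBlobFormat]::GenericPublicBlob)
    try {
        $Encryptor = [System.Security.Cryptography.RSACng]::new($CNGPublicKey)
        try {
            # OAEP with SHA-384 must match the padding Decrypt-Data uses.
            $EncryptedBytes = $Encryptor.Encrypt($DataBytes, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA384)
            return [System.Convert]::ToBase64String($EncryptedBytes)
        }
        finally {
            $Encryptor.Dispose()
        }
    }
    finally {
        # CngKey.Dispose is safe to call even if the RSACng instance already released its handle.
        $CNGPublicKey.Dispose()
    }
}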
# Decrypt
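Function Decrypt-Data {
    <#
    .SYNOPSIS
    Decrypts a base64 RSA-OAEP (SHA-384) ciphertext produced by Encrypt-Data.
    .DESCRIPTION
    Imports the base64-encoded CNG GenericPrivateBlob, decrypts the base64
    ciphertext with RSA-OAEP-SHA384 and decodes the plaintext as UTF-8, matching
    the encoding Encrypt-Data uses. A wrong key, wrong padding or altered
    ciphertext surfaces as a CryptographicException; OAEP makes the decryption
    fail as a whole rather than returning partially corrupted plaintext.
    The imported CngKey and the RSACng instance are disposed on every exit path so
    the private key material is released promptly.
    .PARAMETER Data
    Base64-encoded ciphertext.
    .PARAMETER PrivateKey
    Base64-encoded CNG GenericPrivateBlob, as produced by RSACng.Key.Export().
    This is the secret half of the key pair.
    .OUTPUTS
    System.String. The decrypted plaintext.
    .NOTES
    RSACng wraps Windows CNG. Throws System.FormatException for invalid base64 and
    System.Security.Cryptography.CryptographicException for an unusable blob or a
    ciphertext that fails decryption. This definition shares its name with the
    symmetric Decrypt-Data earlier in this file; if the whole file is loaded, this
    later definition replaces it.
    #>
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,Position=0)]
        [String]$Data,
        [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,Position=1)]
        [String]$PrivateKey
    )
    $PrivateKeyBytes = [System.Convert]::FromBase64String($PrivateKey)
    $EncryptedBytes = [System.Convert]::FromBase64String($Data)
    $CNGPrivateKey = [System.Security.Cryptography.CngKey]::Import($PrivateKeyBytes, [System.Security.Cryptography.CngKeyBlobFormat]::GenericPrivateBlob)
    try {
        $Decryptor = [System.Security.Cryptography.RSACng]::new($CNGPrivateKey)
        try {
            # Padding must match what Encrypt-Data used (OAEP with SHA-384).
            $DecryptedBytes = $Decryptor.Decrypt($EncryptedBytes, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA384)
            return [System.Text.Encoding]::UTF8.GetString($DecryptedBytes)
        }
        finally {
            $Decryptor.Dispose()
        }
    }
    finally {
        # CngKey.Dispose is safe to call even if the RSACng instance already released its handle.
        $CNGPrivateKey.Dispose()
    }
}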
# Example
$PublicKey = "UlNBMQAMAAADAAAAgAEAAAAAAAAAAAAAAQABy2LZ..."
$PrivateKey = "UlNBMgAMAAADAAAAgAEA...."
# Both key strings above are truncated placeholders; generate a real pair with
# RSACng as shown earlier in this file. Only the public key is needed to encrypt,
# only the private key to decrypt.
$TextToEncrypt = "SuperSenstiveData"
$EncryptedText = Encrypt-Data -PublicKey $PublicKey -Data $TextToEncrypt
$DecryptedText = Decrypt-Data -PrivateKey $PrivateKey -Data $EncryptedText