Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
PowerShell examples for symmetric and asymmetric encryption with the .Net cryptography model
# Example code for encrypting and decrypting secrets with .Net cryptography using either symmetric or asymmetric encryption
###################################
## SYMMETRIC ENCRYPTION ##
## Using AES 256-bit in CBC mode ##
###################################
# Create an AES key and Initialization vector
$AES = [System.Security.Cryptography.Aes]::Create()
$Key = [System.Convert]::ToBase64String($aes.Key)
$IV = [System.Convert]::ToBase64String($aes.IV)
# Save both the key and IV and secure the key
# Use the same key and IV to encrypt and decrypt
# Recommendation is to use a different IV for each encryption where possible, eg:
# $AES.GenerateIV()
# $IV = [System.Convert]::ToBase64String($aes.IV)
# Encrypt
Function Encrypt-Data {
[CmdletBinding()]
Param
(
[Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,Position=0)]
[String]$Key,
[Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,Position=1)]
[String]$IVector,
[Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,Position=2)]
[String]$Data
)
$KeyBytes = [System.Convert]::FromBase64String($Key)
$IVBytes = [System.Convert]::FromBase64String($IVector)
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.Key = $KeyBytes
$aes.IV = $IVBytes
$encryptor = $aes.CreateEncryptor()
[System.Byte[]]$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Data)
$EncryptedBytes = $encryptor.TransformFinalBlock($Bytes,0,$bytes.Length)
$EncryptedBase64String = [System.Convert]::ToBase64String($EncryptedBytes)
Return $EncryptedBase64String
}
# Decrypt
Function Decrypt-Data {
[CmdletBinding()]
Param
(
[Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,Position=0)]
[String]$Key,
[Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,Position=1)]
[String]$IVector,
[Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,Position=2)]
[String]$Data
)
$KeyBytes = [System.Convert]::FromBase64String($Key)
$IVBytes = [System.Convert]::FromBase64String($IVector)
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.Key = $KeyBytes
$aes.IV = $IVBytes
$EncryptedBytes = [System.Convert]::FromBase64String($Data)
$Decryptor = $aes.CreateDecryptor()
$DecryptedBytes = $Decryptor.TransformFinalBlock($EncryptedBytes,0,$EncryptedBytes.Length)
$DecryptedString = [System.Text.Encoding]::Unicode.GetString($DecryptedBytes)
Return $DecryptedString
}
# Example
$Key = "/L5b+B9W1wS+dV2M2yD66W7V6..."
$IV = "+p7ppGLz7XOHR..."
$TextToEncrypt = "SuperSenstiveData"
$EncryptedText = Encrypt-Data -Data $TextToEncrypt -Key $Key -IVector $IV
$DecryptedText = Decrypt-Data -Data $EncryptedText -Key $Key -IVector $IV
#################################################
## ASYMMTRIC ENCRYPTION ##
## Using RSACng 3072-bit with SHA-384 padding ##
## Will encrypt maximum 286 bytes which in ##
## UTF-8 or ASCII will be up to 286 characters ##
## but in Unicode will be 143 ##
## Requires .Net Framework 4.6 minimum ##
#################################################
# Create the pub/prv key pair
$RSACNG = [System.Security.Cryptography.RSACng]::new(3072)
$ExportedPublicKey = $RSACNG.key.Export([System.Security.Cryptography.CngKeyBlobFormat]::GenericPublicBlob)
$ExportedPrivateKey = $RSACNG.key.Export([System.Security.Cryptography.CngKeyBlobFormat]::GenericPrivateBlob)
$PublicKey = [System.Convert]::ToBase64String($ExportedPublicKey)
$PrivateKey = [System.Convert]::ToBase64String($ExportedPrivateKey)
# Save the public and private keys and secure the public key
# Use the public key to encrypt and the private key to decrypt
# Encrypt
Function Encrypt-Data {
[CmdletBinding()]
Param
(
[Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,Position=0)]
[String]$Data,
[Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,Position=1)]
[String]$PublicKey
)
$PublicKeyBytes = [System.Convert]::FromBase64String($PublicKey)
[System.Byte[]]$DataBytes = [System.Text.Encoding]::UTF8.GetBytes($Data)
$CNGPublicKey = [System.Security.Cryptography.CngKey]::Import($PublicKeyBytes,[System.Security.Cryptography.CngKeyBlobFormat]::GenericPublicBlob)
$Encryptor = [System.Security.Cryptography.RSACng]::new($CNGPublicKey)
$EncryptedBytes = $Encryptor.Encrypt($DataBytes,[System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA384)
$EncryptedBase64String = [System.Convert]::ToBase64String($EncryptedBytes)
return $EncryptedBase64String
}
# Decrypt
Function Decrypt-Data {
[CmdletBinding()]
Param
(
[Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,Position=0)]
[String]$Data,
[Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,Position=1)]
[String]$PrivateKey
)
$PrivateKeyBytes = [System.Convert]::FromBase64String($PrivateKey)
$CNGPrivateKey = [System.Security.Cryptography.CngKey]::Import($PrivateKeyBytes,[System.Security.Cryptography.CngKeyBlobFormat]::GenericPrivateBlob)
$Decryptor = [System.Security.Cryptography.RSACng]::new($CNGPrivateKey)
$EncryptedBytes = [System.Convert]::FromBase64String($Data)
$DecryptedBytes = $Decryptor.Decrypt($EncryptedBytes,[System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA384)
$DecryptedString = [System.Text.Encoding]::UTF8.GetString($DecryptedBytes)
return $DecryptedString
}
# Example
$PublicKey = "UlNBMQAMAAADAAAAgAEAAAAAAAAAAAAAAQABy2LZ..."
$TextToEncrypt = "SuperSenstiveData"
$EncryptedText = Encrypt-Data -Data $TextToEncrypt -PublicKey $PublicKey
$PrivateKey = "UlNBMgAMAAADAAAAgAEA...."
$DecryptedText = Decrypt-Data -Data $EncryptedText -PrivateKey $PrivateKey
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment