Cyber Security

PowerShell: Encrypt and Decrypt Data by using Certificates (Public Key / Private Key)

By on ( 20 Comments )

There are many encryption and decryption tools around. PowerShell is a Windows built-in tool and you can use it for cryptography as well. In this blog post I am going to play with encryption and decryption of data. My followers know what’s coming next: I don’t care much of 3rd party tools and yes, of course, I am going to use only Windows PowerShell. :mrgreen:

Introduction

First of all we need a certificate. This certificate will include a private key and public key. With the private key we can decrypt data. With the public key we can encrypt data. This means if someone has my public key (I can give it to someone without any worries) he can encrypt data which is addressed to me. And I am the only one on this planet who can decrypt it. Because I am the only one who has the private key.

Unbenannt.PNG

Creating a Certificate with New-SelfSignedCertificate

First I create a code-signing certificate with PowerShell. Name it whatever you want.


New-SelfSignedCertificate -DnsName pewa2303 -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsage KeyEncipherment,DataEncipherment, KeyAgreement -Type DocumentEncryptionCert

Unbenannt.PNG

To view the certificate run certmgr.msc.


certmgr.msc

Unbenannt.PNG

Oh, what a shame. 😳 I’ve promised I will use only PowerShell. Ok, ok here’s the command for showing your cert in PowerShell:


Get-Childitem -Path Cert:\CurrentUser\My -DocumentEncryptionCert

Unbenannt.PNG

Memorize the Subject Name of your certificate. We’ll need it in the next step.

Encrypting Data

The Protect-CmsMessage cmdlet encrypts content. Make sure, you’re running PowerShell 5.0 or above.


(Get-Host).Version.Major

Unbenannt.PNG

Pay attention to the To Parameter. You have to provide your certificate name there. The name of my certificate is cn=pewa2303. The encrypted data will be stored in a file.


"This is a secret message" | Protect-CmsMessage -To cn=pewa2303 -OutFile C:\Temp\secret.txt

Once completed, open the file with Notepad to see what happened. Nice code 😉

Unbenannt.PNG

Decryption of Data

To decrypt the encrypted data run Unprotect-CmsMessage. Make sure you are logged in with the user account that created the certificate and has the private key.

Unbenannt.PNG


Unprotect-CmsMessage -Path C:\Temp\secret.txt

Unbenannt.PNG

Nice one.

What happens when another user trys to open the file? Petra is not able to decrypt the data. She does not have the private key.

Unbenannt.PNG

Unprotect-CmsMessage : The enveloped-data message does not contain the
specified recipient.

See also

See also my other security-related PowerShell articles …

How to digitally sign PowerShell Scripts

Monitoring Windows PowerShell: Enable Module Logging

Windows Server 2016: Configuring Time based Group Membership with PowerShell

Categories: Cyber Security, PowerShell, Windows 10, Windows Server

Tagged as: , , , , ,

Published by Patrick Gruenauer

Microsoft MVP on PowerShell [2018-2023], IT-Trainer, IT-Consultant, MCSE: Cloud Platform and Infrastructure, Cisco Certified Academy Instructor.

20 replies »

  1. Pingback: Microsoft 365: Send E-Mails with PowerShell – SID-500.COM
  2. Pingback: Add a Layer of Security to Your Docker Environment Variables Without Swarm - Kernel Manic

  3. Hi,
    Tanks for your article

    I just have RSA public key and i want to encrypt plain text. but i can not find any solution for it in powershell. as you mentioned, we have to create certificate and use it for encrypt/decrypt. while i just have public key.
    i will so happy if you help me.

    Regards

    Liked by 1 person

    Reply
  4. Pingback: EncryptFiles.ps1: Tool for encrypting File Content with PowerShell and Certificates – SID-500.COM
  5. Pingback: PowerShell: Alert me when Disk Space is running low on my Windows Servers (E-Mail Notification) – SID-500.COM

  6. Hi. I managed to break the file used in encryption .. What I was trying to do is un-encrypting the file “secreat.txt” and then writing the unencrypted content to the same file so I used below command
    Unprotect-CmsMessage -Path C:\temp\secreat.txt | Out-File C:\temp\secreat.txt

    By doing this I lost the content in the file… DO you know why it happened and how to bring back my file 🙂

    Like

    Reply

      • You could write the output to another location, eg: Unprotect-CmsMessage -Path C:\Temp\secret.txt > C:\Temp\output.txt
        however, if you do that for the same file i.e. Unprotect-CmsMessage -Path C:\Temp\secret.txt > C:\Temp\secret.txt, you will get an error saying ” The process cannot access the file ‘C:\Temp\secret.txt’ because it is being used by another process”

        Liked by 1 person

  7. Pingback: If you have mastered PowerShell, you don’t need these 3rd Party Tools anymore – SID-500.COM
  8. Pingback: How does HTTPS (SSL) encryption works? « SID-500

    • Hi,

      Thanks for your article !

      In my case, i can create the certificate on windows 2008, 2012, but it doesn’t works for decryption !

      Also, New-SelfSignedCertificate command doesn’t accept -type option on OS W2K8, W2K12

      I have find the solution, you must create certificate on Windows 2016 Server with this command :

      This exemple below will create certificate for 2 years, note the -type option (-Type DocumentEncryptionCertLegacyCsp) that’s enough to decrypt the secret with Unprotect-Cmsmessage cmdlet

      New-SelfSignedCertificate -DnsName “Cert” -CertStoreLocation “cert:\LocalMachine\My” -Type DocumentEncryptionCertLegacyCsp -KeyLength 2048 -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(2)

      Regards

      Liked by 1 person

      Reply

Leave a Reply to pewa2303 Cancel reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.