Encrypt And Decrypt Data By Using Certificates With PowerShell (Public Key / Private Key)

Tutorials & Methods
, , , ,
1

There are many encryption and decryption tools around. PowerShell is a Windows built-in tool and you can use it for cryptography as well. In this blog post I am going to play with encryption and decryption of data. My followers know what’s coming next: I don’t care much of 3rd party tools and yes, of course, I am going to use only Windows PowerShell.

Introduction

First of all we need a certificate. This certificate will include a private key and public key. With the private key we can decrypt data. With the public key we can encrypt data. This means if someone has my public key (I can give it to someone without any worries) he can encrypt data which is addressed to me. And I am the only one on this planet who can decrypt it. Because I am the only one who has the private key.

image
image916×404 80 KB

Creating a Certificate with New-SelfSignedCertificate

First I create a code-signing certificate with PowerShell. Name it whatever you want.

New-SelfSignedCertificate` `-DnsName` `pewa2303` `-CertStoreLocation` `"Cert:\CurrentUser\My"` `-KeyUsage` `KeyEncipherment,DataEncipherment, KeyAgreement` `-Type` `DocumentEncryptionCert

image
image998×297 79.3 KB

To view the certificate run certmgr.msc.

certmgr.msc

image
image998×288 72.1 KB

Oh, what a shame. I’ve promised I will use only PowerShell. Ok, ok here’s the command for showing your cert in PowerShell:

Get-Childitem` `-Path` `Cert:\CurrentUser\My` `-DocumentEncryptionCert

image
image998×203 52.6 KB

Memorize the Subject Name of your certificate. We’ll need it in the next step.

Encrypting Data

The Protect-CmsMessage cmdlet encrypts content. Make sure, you’re running PowerShell 5.0 or above.

( Get-Host ).Version.Major

image
image996×92 12.5 KB

Pay attention to the To Parameter. You have to provide your certificate name there. The name of my certificate is cn=pewa2303. The encrypted data will be stored in a file.

"This is a secret message"` `| Protect-CmsMessage` `-To` `cn=pewa2303` `-OutFile` `C:\Temp\secret.txt

Once completed, open the file with Notepad to see what happened. Nice code

image
image1000×319 123 KB

Decryption of Data

To decrypt the encrypted data run Unprotect-CmsMessage. Make sure you are logged in with the user account that created the certificate and has the private key.

image

Unprotect-CmsMessage -Path C:\Temp\secret.txt

image
image992×92 22.7 KB

Nice one.

What happens when another user trys to open the file? Petra is not able to decrypt the data. She does not have the private key.

image
image998×320 122 KB

Unprotect-CmsMessage : The enveloped-data message does not contain the
specified recipient.

Happy learning!

3 Likes