powershell asymmetric encrypt/decrypt functions
I wasn't able to find good powershell functions to utilize asymmetric encryption so I created the following. Would like any feedback in terms of improvement as I'm a crypto noob. With the caveat that these functions are very basic. There isn't error checking and the write-host after a decrypt is hardly necessary. Just want to establish the core functionality before adding things like protected memory and such.
This has been successfully tested on two systems: Win8 w/Powershell v3 & Win2008R2 w/Powershell v2.
Function Encrypt-Asymmetric([string]$Encrypt,[string]$CertPath,[string]$XmlExportPath)
{
# Encrypts a string with a public key
$pubcer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
$byteval = [System.Text.Encoding]::UTF8.GetBytes($Encrypt)
$pubcer.PublicKey.Key.Encrypt($byteval,$true) | Export-Clixml -Path $XmlExportPath
}
Function Decrypt-Asymmetric([string]$XmlPath,[string]$CertThumbprint)
{
# Decrypts cipher text using the private key
# Assumes the certificate is in the LocalMachine store
$store = new-object System.Security.Cryptography.X509Certificates.X509Store([System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
$store.open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$cer = $store.Certificates | %{if($_.thumbprint -eq $CertThumbprint){$_}}
$ciphertext = Import-Clixml -Path $XmlPath
$decryptedBytes = $cer.PrivateKey.Decrypt($ciphertext,$true)
$ClearText = [System.Text.Encoding]::UTF8.GetString($decryptedBytes)
Write-Host $ClearText
}
Answer
I know this is old. I took the starting point you had here and added some items. I tried to clean where appropriate and use variable names that might help make things a little more easier for someonelse that reads this to understand.
Encryption:
Function Encrypt-Asymmetric {
[CmdletBinding()]
[OutputType([System.String])]
param(
[Parameter(Position=0, Mandatory=$true)][ValidateNotNullOrEmpty()][System.String]
$ClearText,
[Parameter(Position=1, Mandatory=$true)][ValidateNotNullOrEmpty()][ValidateScript({Test-Path $_ -PathType Leaf})][System.String]
$PublicCertFilePath
)
# Encrypts a string with a public key
$PublicCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PublicCertFilePath)
$ByteArray = [System.Text.Encoding]::UTF8.GetBytes($ClearText)
$EncryptedByteArray = $PublicCert.PublicKey.Key.Encrypt($ByteArray,$true)
$EncryptedBase64String = [Convert]::ToBase64String($EncryptedByteArray)
Return $EncryptedBase64String
}
Decryption:
Function Decrypt-Asymmetric
{
[CmdletBinding()]
[OutputType([System.String])]
param(
[Parameter(Position=0, Mandatory=$true)][ValidateNotNullOrEmpty()][System.String]
$EncryptedBase64String,
[Parameter(Position=1, Mandatory=$true)][ValidateNotNullOrEmpty()][System.String]
$CertThumbprint
)
# Decrypts text using the private key
# Assumes the certificate is in the LocalMachine\My (Personal) Store
$Cert = Get-ChildItem cert:\LocalMachine\My | where { $_.Thumbprint -eq $CertThumbprint }
if($Cert) {
$EncryptedByteArray = [Convert]::FromBase64String($EncryptedBase64String)
$ClearText = [System.Text.Encoding]::UTF8.GetString($Cert.PrivateKey.Decrypt($EncryptedByteArray,$true))
}
Else {Write-Error "Certificate with thumbprint: $CertThumbprint not found!"}
Return $ClearText
}