How to: Encrypt XML Elements with X.509 Certificates
You can use the classes in thenamespace to encrypt an element within an XML document. XML Encryption is a standard way to exchange or store encrypted XML data, without worrying about the data being easily read. For more information about the XML Encryption standard, see the World Wide Web Consortium (W3C) specification for XML Encryption located at http://www.w3.org/TR/xmldsig-core/.
You can use XML Encryption to replace any XML element or document with an <EncryptedData> element that contains the encrypted XML data. The <EncryptedData> element can contain sub elements that include information about the keys and processes used during encryption. XML Encryption allows a document to contain multiple encrypted elements and allows an element to be encrypted multiple times. The code example in this procedure shows you how to create an <EncryptedData> element along with several other sub elements that you can use later during decryption.
This example encrypts an XML element using two keys. It generates a test X.509 certificate using theand saves the certificate to a certificate store. The example then programmatically retrieves the certificate and uses it to encrypt an XML element using the method. Internally, the Encrypt method creates a separate session key and uses it to encrypt the XML document. This method encrypts the session key and saves it along with the encrypted XML within a new <EncryptedData> element.
To decrypt the XML element, simply call themethod, which automatically retrieves the X.509 certificate from the store and performs the necessary decryption. For more information about how to decrypt an XML element that was encrypted using this procedure, see .
This example is appropriate for situations where multiple applications need to share encrypted data or where an application needs to save encrypted data between the times that it runs.
To encrypt an XML element with an X.509 certificate
Use theto generate a test X.509 certificate and place it in the local user store. You must generate an exchange key and you must make the key exportable. Run the following command:
makecert -r -pe -n "CN=XML_ENC_TEST_CERT" -b 01/01/2005 -e 01/01/2010 -sky exchange -ss my
Create anobject and initialize it to open the current user store.
Open the store in read-only mode.
Initialize anwith all of the certificates in the store.
Enumerate through the certificates in the store and find the certificate with the appropriate name. In this example, the certificate is named "CN=XML_ENC_TEST_CERT".
Close the store after the certificate is located.
Create anobject by loading an XML file from disk. The XmlDocument object contains the XML element to encrypt.
Find the specified element in the XmlDocument object and create a newobject to represent the element you want to encrypt. In this example, the "creditcard" element is encrypted.
Create a new instance of theclass and use it to encrypt the specified element using the X.509 certificate. The Encrypt method returns the encrypted element as an object.
Replace the element from the original XmlDocument object with the EncryptedData element.
Save the XmlDocument object.
This example assumes that a file named "test.xml" exists in the same directory as the compiled program. It also assumes that "test.xml" contains a "creditcard" element. You can place the following XML into a file called test.xml and use it with this example.
<root> <creditcard> <number>19834209</number> <expiry>02/02/2002</expiry> </creditcard> </root>
Compiling the Code
To compile this example, you need to include a reference to System.Security.dll.
Include the following namespaces:, , and System.Security.Cryptography.Xml.
The X.509 certificate used in this example is for test purposes only. Applications should use an X.509 certificate generated by a trusted certificate authority or use a certificate generated by the Microsoft Windows Certificate Server.