KeyReference Class

Represents the <KeyReference> element used in XML encryption. This class cannot be inherited.

Namespace:  System.Security.Cryptography.Xml
Assembly:  System.Security (in System.Security.dll)

public sealed class KeyReference : EncryptedReference

The KeyReference class represents the <KeyReference> element that contains information about the location of an encrypted key.

Use the <KeyReference> element to refer to <EncryptedKey> elements that were encrypted using the key defined in the enclosing <EncryptedKey> element. You can use multiple <KeyReference> elements when multiple <EncryptedKey> elements exist that are encrypted using the same key.

You can include additional information such as XPath transforms, decompression transforms, or information about how to retrieve the elements from a document storage facility to aid the decrypting application.

For more information about XML encryption standards, see the XML Encryption specification, which is available from the World Wide Web Consortium (W3C) at

The following code example demonstrates how to use a KeyReference object while encrypting an XML document.

using System;
using System.Xml;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;

class Program
    static void Main(string[] args)

        // Create an XmlDocument object.
        XmlDocument xmlDoc = new XmlDocument();

        // Load an XML file into the XmlDocument object. 
            xmlDoc.PreserveWhitespace = true;
        catch (Exception e)

        // Create a new RSA key.  This key will encrypt a symmetric key, 
        // which will then be imbedded in the XML document.  
        RSA rsaKey = new RSACryptoServiceProvider();

            // Encrypt the "creditcard" element.
            Encrypt(xmlDoc, "creditcard", "EncryptedElement1", rsaKey, "rsaKey");

            // Encrypt the "creditcard2" element.
            Encrypt(xmlDoc, "creditcard2", "EncryptedElement2", rsaKey, "rsaKey");

            // Display the encrypted XML to the console.
            Console.WriteLine("Encrypted XML:");

            // Decrypt the "creditcard" element.
            Decrypt(xmlDoc, rsaKey, "rsaKey");

            // Display the encrypted XML to the console.
            Console.WriteLine("Decrypted XML:");
        catch (Exception e)
            // Clear the RSA key.



    public static void Encrypt(XmlDocument Doc, string ElementToEncrypt, string EncryptionElementID, RSA Alg, string KeyName)
        // Check the arguments.   
        if (Doc == null)
            throw new ArgumentNullException("Doc");
        if (ElementToEncrypt == null)
            throw new ArgumentNullException("ElementToEncrypt");
        if (EncryptionElementID == null)
            throw new ArgumentNullException("EncryptionElementID");
        if (Alg == null)
            throw new ArgumentNullException("Alg");
        if (KeyName == null)
            throw new ArgumentNullException("KeyName");

        // Find the specified element in the XmlDocument 
        // object and create a new XmlElemnt object. 

        XmlElement elementToEncrypt = Doc.GetElementsByTagName(ElementToEncrypt)[0] as XmlElement;

        // Throw an XmlException if the element was not found. 
        if (elementToEncrypt == null)
            throw new XmlException("The specified element was not found");


        // Create a new instance of the EncryptedXml class  
        // and use it to encrypt the XmlElement with the  
        // a new random symmetric key. 

        // Create a 256 bit Rijndael key.
        RijndaelManaged sessionKey = new RijndaelManaged();
        sessionKey.KeySize = 256;

        EncryptedXml eXml = new EncryptedXml();

        byte[] encryptedElement = eXml.EncryptData(elementToEncrypt, sessionKey, false);

        // Construct an EncryptedData object and populate 
        // it with the desired encryption information. 

        EncryptedData edElement = new EncryptedData();
        edElement.Type = EncryptedXml.XmlEncElementUrl;
        edElement.Id = EncryptionElementID;

        // Create an EncryptionMethod element so that the  
        // receiver knows which algorithm to use for decryption.

        edElement.EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES256Url);

        // Encrypt the session key and add it to an EncryptedKey element.
        EncryptedKey ek = new EncryptedKey();

        ek.Id = "keyID";

        byte[] encryptedKey = EncryptedXml.EncryptKey(sessionKey.Key, Alg, false);

        ek.CipherData = new CipherData(encryptedKey);

        ek.EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncRSA15Url);

        // Set the KeyInfo element to specify the 
        // name of the RSA key. 

        // Create a new KeyInfo element.
        edElement.KeyInfo = new KeyInfo();

        // Create a new KeyInfoName element.
        KeyInfoName kin = new KeyInfoName();

        // Specify a name for the key.
        kin.Value = KeyName;

        // Add the KeyInfoName element to the  
        // EncryptedKey object.

        // Create a new KeyReference object. 
        // Use the uri of the encrypted key.
        KeyReference kryRef = new KeyReference("#keyID");


        // Create a new DataReference element 
        // for the KeyInfo element.  This optional 
        // element specifies which EncryptedData  
        // uses this key.  An XML document can have 
        // multiple EncryptedData elements that use 
        // different keys.
        DataReference dRef = new DataReference();

        // Specify the EncryptedData URI. 
        dRef.Uri = "#" + EncryptionElementID;

        // Add the DataReference to the EncryptedKey.

        // Add the encrypted key to the  
        // EncryptedData object.

        edElement.KeyInfo.AddClause(new KeyInfoEncryptedKey(ek));

        // Add the encrypted element data to the  
        // EncryptedData object.
        edElement.CipherData.CipherValue = encryptedElement;

        // Replace the element from the original XmlDocument 
        // object with the EncryptedData element. 

        EncryptedXml.ReplaceElement(elementToEncrypt, edElement, false);


    public static void Decrypt(XmlDocument Doc, RSA Alg, string KeyName)
        // Check the arguments.   
        if (Doc == null)
            throw new ArgumentNullException("Doc");
        if (Alg == null)
            throw new ArgumentNullException("Alg");
        if (KeyName == null)
            throw new ArgumentNullException("KeyName");

        // Create a new EncryptedXml object.
        EncryptedXml exml = new EncryptedXml(Doc);

        // Add a key-name mapping. 
        // This method can only decrypt documents 
        // that present the specified key name.
        exml.AddKeyNameMapping(KeyName, Alg);

        // Decrypt the element.



// To run this sample, place the following XML 
// in a file called test.xml.  Put test.xml 
// in the same directory as your compiled program. 
//  <root> 
//     <creditcard xmlns="myNamespace" Id="tag1">
//         <number>19834209</number> 
//         <expiry>02/02/2002</expiry> 
//     </creditcard> 
//     <creditcard2 xmlns="myNamespace" Id="tag2">
//         <number>19834208</number> 
//         <expiry>02/02/2002</expiry> 
//     </creditcard2> 
// </root>


Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

Windows 7, Windows Vista, Windows XP SP2, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP Starter Edition, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows Server 2000 SP4, Windows Millennium Edition, Windows 98

The .NET Framework and .NET Compact Framework do not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

.NET Framework

Supported in: 3.5, 3.0, 2.0
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

© 2015 Microsoft