Cmdlets

Choose a cmdlet from the list on the left or search for a specific cmdlet. Choose a cmdlet from the list or search for a specific cmdlet.
About Help  Providers
 

Protect-CmsMessage

Protect-CmsMessage

microsoft.powershell.security.dll

Synopsis

Encrypts content by using the Cryptographic Message Syntax format.

Syntax

Protect-CmsMessage [-To] [-Content] [-OutFile] [<CommonParameters>]

Protect-CmsMessage [-To] [-LiteralPath] [-OutFile] [<CommonParameters>]

Protect-CmsMessage [-To] [-Path] [-OutFile] [<CommonParameters>]

Detailed Description

The Cryptographic Message Syntax cmdlets support encryption and decryption of content using the IETF standard format for cryptographically protecting messages, as documented by RFC5652.

The CMS encryption standard uses public key cryptography, where the keys used to encrypt content (the public key) and the keys used to decrypt content (the private key) are separate. Your public key can be shared widely, and is not sensitive data. If any content is encrypted with this public key, only your private key can decrypt it. For more information about Public Key Cryptography, see http://en.wikipedia.org/wiki/Public-key_cryptography.

Before you can run the Protect-CmsMessage cmdlet, you must have an encryption certificate set up. To be recognized in Windows PowerShell, encryption certificates require a unique extended key usage (EKU) identifier to identify them as data encryption certificates (such as the identifiers for Code Signing and Encrypted Mail). For an example of a certificate that would work for document encryption, see Example 1 in this topic.

Parameters

-Content <PSObject>

Specifies a PSObject that contains content that you want to encrypt. For example, you can encrypt the content of an event message, and then use the variable containing the message ($event, in this example) as the value of the Content parameter: $event = Get-WinEvent -ProviderName "PowerShell" -MaxEvents 1. You could also run the Get-Content cmdlet to get the contents of a file, such as a Microsoft Word document, and save the content in a variable that you use as the value of the Content parameter.

Aliases

None

Required?

true

Position

2

Default value

Accept pipeline input?

True (ByValue)

Accept wildcard characters?

false

-LiteralPath <String>

Specifies the path to content that you want to encrypt. Unlike Path, the value of LiteralPath is used exactly as it is typed. No characters are interpreted as wildcards. If the path includes escape characters, enclose it in single quotation marks. Single quotation marks tell Windows PowerShell not to interpret any characters as escape sequences.

Aliases

None

Required?

true

Position

2

Default value

Accept pipeline input?

false

Accept wildcard characters?

false

-OutFile <String>

Specifies the path and file name of a file to which you want to send the encrypted content.

Aliases

None

Required?

false

Position

3

Default value

Accept pipeline input?

false

Accept wildcard characters?

false

-Path <String>

Specifies the path to content that you want to encrypt.

Aliases

None

Required?

true

Position

2

Default value

Accept pipeline input?

false

Accept wildcard characters?

false

-To <CmsMessageRecipient[]>

Specifies one or more CMS message recipients, identified in any of the following formats.

-- An actual certificate (as retrieved from the certificate provider)

-- Path to the a file containing the certificate

-- Path to a directory containing the certificate

-- Thumbprint of the certificate (used to look in the certificate store)

-- Subject name of the certificate (used to look in the certificate store)

Aliases

None

Required?

true

Position

1

Default value

Accept pipeline input?

false

Accept wildcard characters?

false

Input Type


Return Type


Notes

None

Examples

Example 1: Create a certificate for encrypting content

Before you can run the Protect-CmsMessage cmdlet, you must have an encryption certificate set up. Change the text in the Subject line to your name, email, or other identifier, and save the certificate in a file (such as DocumentEncryption.inf, as shown in this example).

PS C:\>[Version]
Signature = "$Windows NT$"

[Strings]
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_DOCUMENT_ENCRYPTION = "1.3.6.1.4.1.311.80.1"

[NewRequest]
Subject = "cn=youralias@emailaddress.com"
MachineKeySet = false
KeyLength = 2048
KeySpec = AT_KEYEXCHANGE
HashAlgorithm = Sha1
Exportable = true
RequestType = Cert
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERT_DATA_ENCIPHERMENT_KEY_USAGE"
ValidityPeriod = "Years"
ValidityPeriodUnits = "1000"

[Extensions]
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_DOCUMENT_ENCRYPTION%"

After you have created the certificate file, run the following command to add the certificate file to the certificate store.Now you are ready to encrypt and decrypt content.
PS C:\>certreq -new DocumentEncryption.inf DocumentEncryption.cer

Example 2: Encrypt a message sent by email

In the following example, you encrypt a message, Hello World, by saving the message in a variable, and then piping it to the Protect-CmsMessage cmdlet. The To parameter is using the value of the Subject line in the certificate.

PS C:\>$protected = "Hello World" | Protect-CmsMessage -To "*youralias@emailaddress.com*"

Example 3: View document encryption certificates

To view document encryption certificates in the certificate provider, you can add the DocumentEncryptionCert dynamic parameter of Get-ChildItem, available only when the certificate provider is loaded.

PS C:\>58 [Cert:\currentuser\my]
>> Get-ChildItem -DocumentEncryptionCert

Online Version
about_Providers
Get-CmsMessage
Unprotect-CmsMessage