AES 256 Encryption in BizTalk

  • Question

  • Hi All,

    Can someone please explain to me how to do AES 256 encryption (for outbound files) in BizTalk? I am quite new to encryption. What does AES 256 encryption really mean? And what is required in BizTalk to achieve it?

    Are public/private keys required to be issued by someone? Or are they generated locally? If there are 10 different systems receiving different files, should there be 10 keys generated (or issued)?

    Will this encryption be done in the BizTalk Send Pipeline (is it performance taxing)?

    Thanks a lot for throwing light on this topic.

    Regards

    Wednesday, May 24, 2017 1:44 PM

Answers

  • We need a bit more detail to give you accurate guidance.

    AES encryption is a cipher for encrypting data, but arbitrarily encrypting data isn't usually how things are done.  Normally we would use a transport mechanism or wrapper that will provide encryption, e.g. HTTPS can be secured using various encryption suites.

    If you really do want to just encrypt binary data and dump the result in a file, I think you'll have to do that in a custom pipeline component as the File Adapter doesn't provide native support for it.

    Take a look at the System.Security.Cryptography.AesManaged class for encrypting data yourself.


    If this is helpful or answers your question - please mark accordingly.
    Because I get points for it which gives my life purpose (also, it helps other people find answers quickly)

    • Marked as answer by NdBot Sunday, October 1, 2017 7:30 PM
    Wednesday, May 31, 2017 8:25 AM
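An added example, not code from the thread, from BizTalk or from the AesManaged documentation, of what such a custom pipeline component would have to do for a file body: generate AES-256 keys with RandomNumberGenerator (to be shared with the vendor out of band), use a fresh random IV per file, and append an HMAC-SHA256 tag so the receiver can detect a modified file before decrypting it. The class and method names are my own; Aes.Create() stands in for AesManaged.

```csharp
using System;
using System.Security.Cryptography;
// Blob layout: [16-byte IV][ciphertext][32-byte HMAC-SHA256 over IV + ciphertext]
public static class Aes256Blob
{
    const int IvSize = 16, TagSize = 32;
    // Random 32-byte key. Call twice (one AES key, one HMAC key), keep both in a protected
    // store and hand them to the receiving party out of band, never inside the file.
    public static byte[] NewKey()
    { var key = new byte[32]; using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key); return key; }

    public static byte[] Encrypt(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using (var aes = Aes.Create()) // AesManaged on .NET Framework 4.x behaves the same
        {
            aes.Key = encKey;          // a 32-byte key selects AES-256
            aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();          // fresh random IV per file; never reuse one with the same key
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            var blob = new byte[IvSize + cipher.Length + TagSize];
            Buffer.BlockCopy(aes.IV, 0, blob, 0, IvSize);
            Buffer.BlockCopy(cipher, 0, blob, IvSize, cipher.Length);
            using (var hmac = new HMACSHA256(macKey)) // tag covers IV and ciphertext
                Buffer.BlockCopy(hmac.ComputeHash(blob, 0, IvSize + cipher.Length), 0,
                                 blob, IvSize + cipher.Length, TagSize);
            return blob;
        }
    }

    public static byte[] Decrypt(byte[] blob, byte[] encKey, byte[] macKey)
    {
        int bodyLen = blob.Length - TagSize;
        if (bodyLen < IvSize + 16) throw new CryptographicException("blob too short");
        byte[] expected;
        using (var hmac = new HMACSHA256(macKey)) expected = hmac.ComputeHash(blob, 0, bodyLen);
        int diff = 0; // constant-time compare; a tampered file is rejected before any decryption
        for (int i = 0; i < TagSize; i++) diff |= expected[i] ^ blob[bodyLen + i];
        if (diff != 0) throw new CryptographicException("HMAC mismatch: file altered or wrong key");
        using (var aes = Aes.Create())
        {
            aes.Key = encKey; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            var iv = new byte[IvSize]; Buffer.BlockCopy(blob, 0, iv, 0, IvSize); aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(blob, IvSize, bodyLen - IvSize);
        }
    }
}
```

In a send pipeline component the plaintext would be the outbound message body stream read into a byte array and the returned blob written back as the new body; the vendor needs the same two keys and the same layout to verify and decrypt.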
  • Encryption when files are at rest...All this needs to be done using AES-256

    So, first, sure, this is not an uncommon requirement, but...it seems this hasn't been fully considered by whoever is driving this request.  Meaning, they heard or read this was a good idea and are making the request without fully understanding what they're asking for.

    The best and most common way to achieve this is by simply enabling file system encryption on the volume where the files are being stored.  On Windows, this is the Encrypting File System feature of NTFS.  This protects against access to the physical device.*

    If they end up insisting on actually encrypting the files individually, the most common solution I have seen, and implemented, is PGP.  Here are Pipeline Components that handle PGP: https://code.msdn.microsoft.com/windowsdesktop/BizTalk-Sample-PGP-ebcbc8b2

    To remind, you don't just 'encrypt with AES256'.  While there are solutions to using AES256 with files, it's not really common, at least I have never actually seen or even heard of anyone doing this.

    *If someone penetrates your system to the point where they can access the files, you've got much bigger problems.

    • Marked as answer by NdBot Sunday, October 1, 2017 7:30 PM
    Wednesday, May 31, 2017 12:37 PM
    Moderator

All replies

  • You really don't just 'use AES' since it is usually part of a larger spec.  Can you describe exactly what you're trying to do?

    AES-256 is an option with AS/2.

    Wednesday, May 24, 2017 9:52 PM
    Moderator
  • AES is for signature keys in AS2, RosettaNet, and the MIME/SMIME encoder

    https://msdn.microsoft.com/en-us/library/mt670742.aspx?f=255&MSPPError=-2147217396

    Thursday, May 25, 2017 10:59 AM
  • Thanks for your reply.  What I have been told is: BizTalk (or at the BizTalk level) should generate our own AES-256 keys and share the generated key with the vendor. So when the file is sent to them encrypted, they can use the key to decrypt it.

    Is this possible using BizTalk 2013 R2? How do we generate the keys?

    Friday, May 26, 2017 10:52 AM
  • Which protocol? How do you want to transfer the message to the vendor?

    Yes, BizTalk can encrypt (and sign) messages using certificates.


    Friday, May 26, 2017 11:54 AM
  • So, again, you and your Trading Partner need to first agree on a protocol.  There's lots of ways to use keys and encryption.

    AS/2, MIME, PGP, something else...???  

    Friday, May 26, 2017 11:43 PM
    Moderator
  • Thanks for reply.

    Here I am talking about encryption when files are at rest (e.g. lying in a folder location).  Can we "generate" our own keys and encrypt the files while writing them to a folder location, so they are encrypted at rest?

    All this needs to be done using AES-256. How do we achieve that using BizTalk Server 2013 R2?  Thanks in advance for replies.

    Tuesday, May 30, 2017 6:47 AM
  • Sure, you can encrypt the files with AES-256. But as several previous posts have pointed out, there's lots of software using AES-256.

    Do you want to use S/MIME? AS2? PGP? A proprietary protocol?


    Did my post help? Please use "Vote As Helpful", "Mark as answer" or "Propose as answer". Thank you!

    Tuesday, May 30, 2017 9:00 AM