Skip to main content

Unable to set export policy property for a persisted RSA private key which is imported from a key blob RRS feed

  • Question

  • Hi MSFT,

     I am struggling with a tough question when using CNG Key Storage Functions to import a RSA private key from a key blob.

    My requirement is:

    (1) Machine A create a persisted RSA key pair and export the private key as a keyblob in plain text format. (I have set NCRYPT_EXPORT_POLICY_PROPERTY to NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG during creating the RSA key pair)

    (2) On Machine B, I get the keyblob from MachineA and import it to Machine B by NCryptImportKey function, with parameter list as below to make sure the key imported as persisted key:

    LPCWSTR name = L"Test";  //Persisted Key Name
    NCryptBuffer nCryptBuffer;
    nCryptBuffer.BufferType = NCRYPTBUFFER_PKCS_KEY_NAME;
    nCryptBuffer.cbBuffer = sizeof( L"Test");
    nCryptBuffer.pvBuffer = (PVOID)name;

    ParameterList.ulVersion = NCRYPTBUFFER_VERSION;
    ParameterList.cBuffers = 1; //Only Name
    ParameterList.pBuffers = &nCryptBuffer; 

    After calling NCryptImportKey , the key was imported as persisted key successfully.

    (I am able to find the key by NCryptEnumKeys function)

    (3) On Machine B, I am NOT able to export the persisted key (which was imported from Machine A's key blob).

    I tried to get the key's (Imported from keyblob) NCRYPT_EXPORT_POLICY_PROPERTY property using NCryptGetProperty function and found that the value is 0, so does that mean the RSA private key cannot be exported?

    My question is: how to export the RSA private key (if the RSA private key is imported from a key blob)  ?

    As I know, export policy and key name cannot be saved in key blob,

    and NCRYPT_OPAQUETRANSPORT_BLOB doesn't meet my requirement,

    any way to set NCRYPT_EXPORT_POLICY_PROPERTY property before importing it?

    BTW:I need silent mode export. 

    Qiusheng Xie

    • Edited by Qiusheng Xie Friday, April 13, 2012 11:03 PM More Info
    Friday, April 13, 2012 2:42 PM


  • Pass in the NCRYPT_DO_NOT_FINALIZE_FLAG on the flags parameter to NCryptImportKey.

    Then call NCryptSetProperty to explicitly set the export policy for the key you just imported.

    Then call NCryptFinalizeKey.

    Since you need silent mode then don't forget to pass in NCRYPT_SILENT_FLAG.


    • Edited by Andrew Bernat Tuesday, April 17, 2012 7:38 PM
    • Marked as answer by Qiusheng Xie Wednesday, April 18, 2012 12:59 AM
    Tuesday, April 17, 2012 7:38 PM