How to generate persisted key for AES

Question

In the .NET Framework 4.6.2 Microsoft added support for persisted-key symmetric encryption using a CNG key storage provider and the AesCng algorithm. The documentation for instantiating the AesCng class using an existing key is pretty clear - just pass the key name into the constructor.

But how do I generate a new persisted key to use for AES encryption? I can't find the instructions in the release notes or the documentation. Is this even possible from C#?

Have you tried calling the constructor using just a key name and then calling `GenerateKey`? And yes, the Microsoft crypto-API documentation is certainly foobar. — Maarten Bodewes, Jul 21 '17 at 07:26
Yes. The constructor throws CryptographicException 'Keyset does not exist'. — Matt Varblow, Jul 21 '17 at 12:07

score 3 · Accepted Answer · answered Jul 21 '17 at 12:21

3

While not documented well, this turns out to be very easy to do. You just use the CngKey.Create method. The difficulty is that there is no CngAlgorithm property for AES encryption. This looks like an oversight from the .NET Framework team at Microsoft. However, you can construct your own CngAlgorithm by name:

    public static string CreateKey(string name)
    {
        CngKey.Create(new CngAlgorithm("AES"), name);
    }

See also: Asymetric cryptography example in c#

answered Jul 21 '17 at 12:21

Matt Varblow

7,651
3
34
44

1

Great, thanks for reporting back! Unfortunately I've thrown Microsoft many hints on improving their documentation (none were acted upon it seems); it remains extremely sparse. – Maarten Bodewes Jul 21 '17 at 14:20

How to generate persisted key for AES

1 Answers1

Linked