I just finished with an initial implementation of a custom encryption/decryption pipeline component for BizTalk Server 2006, which supports all the symmetric cryptography algorithms included with the .NET Framework's System.Security.Cryptography package: RC2, Rijndael, DES and 3DES.

Included in the component are both an encoder and decoder pipeline components so that you can both encrypt and decrypt messages from your custom pipelines. The encoder component does its work in a fully streaming fashion, while the decoder component decrypts into an intermediate in-memory buffer for now (see this for the reason).

For both encoder/decoder components, you just have to configure two different properties:


  • Algorithm: Specifies the symmetric crypto algorithm to encrypt/decrypt messages.
  • SsoConfigApp: Specifies the name of a Configuration Application in the Enterprise Single Sign-On ConfigStore that contains the Key and Initialization Vector to use for encryption/decryption. This way keys are stored securely inside the SSODB database.

Initially, I thought about using Jon Flander's excellent utility for storing configuration data in the SSO, but finally decided to code my own to avoid external dependencies (something I usually try to do for pipeline components as it makes deployment easier). Coding my own allowed me to also add a few things that should simplify deployment somewhat.

I provide a sample WinForms application that you can use to create/open/update/delete ConfigApps in the SSO to store keys and IVs securely. The application has the following features:


  1. The ConfigApp in SSO is created as a Config Store application, with two custom fields: CryptoKey and CryptoIV. Both are stored as Base64-encoded strings.
  2. The utility uses WMI to query the names of the BizTalk Administrators Group and the names of the user groups associated to each BizTalk Host. The admin and users groups in the SSO application are set to these values. I take advantage to a feature in SSO 3.0 which allows you to associate multiple groups as users of the SSO Application, so this way you don't need to create a new group just to have all application and isolated hosts access to the configuration data.
  3. Both the Key and IV as entered as a long string of hexadecimal digits. If you don't want to write your own, you can use the Generate buttons to automatically generate a Key/IV pair appropriate for the selected symmetric algorithm, which is done via the GenerateKey() and GenerateIV() methods of the specified SymmetricAlgorithm-derived class.
  4. Some basic validations are done on the key and IV you enter, such as ensuring it has a valid length according to the selected algorithm.

You can download the code for this component here. Included in the solution are both the pipeline component and the Winforms configuration application, as well as a messaging-only sample use of both encoder and decoder components.

Tomas Restrepo

Software developer located in Colombia. Sr. PFE at Microsoft.