How to: Decrypt XML Elements with X.509 Certificates

You can use the classes in the System.Security.Cryptography.Xml namespace to encrypt and decrypt an element within an XML document. XML Encryption is a standard way to exchange or store encrypted XML data, without worrying about the data being easily read. For more information about the XML Encryption standard, see the World Wide Web Consortium (W3C) specification for XML Encryption located at

This example decrypts an XML element that was encrypted using the methods described in: How to: Encrypt XML Elements with X.509 Certificates. It finds an <EncryptedData> element, decrypts the element, and then replaces the element with the original plaintext XML element.

The code example in this procedure decrypts an XML element using an X.509 certificate from the local certificate store of the current user account. The example uses the DecryptDocument method to automatically retrieve the X.509 certificate and decrypt a session key stored in the <EncryptedKey> element of the <EncryptedData> element. The DecryptDocument method then automatically uses the session key to decrypt the XML element.

This example is appropriate for situations where multiple applications need to share encrypted data or where an application needs to save encrypted data between the times that it runs.

To decrypt an XML element with an X.509 certificate

  1. Create an XmlDocument object by loading an XML file from disk. The XmlDocument object contains the XML element to decrypt.

    XmlDocument xmlDoc = new XmlDocument();
    Dim xmlDoc As New XmlDocument()
  2. Create a new EncryptedXml object by passing the XmlDocument object to the constructor.

    EncryptedXml exml = new EncryptedXml(Doc);
    Dim exml As New EncryptedXml(Doc)
  3. Decrypt the XML document using the DecryptDocument method.

  4. Save the XmlDocument object.



This example assumes that a file named "test.xml" exists in the same directory as the compiled program. It also assumes that "test.xml" contains a "creditcard" element. You can place the following XML into a file called test.xml and use it with this example.

using System;
using System.Xml;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Security.Cryptography.X509Certificates;

class Program
    static void Main(string[] args)
            // Create an XmlDocument object.
            XmlDocument xmlDoc = new XmlDocument();

            // Load an XML file into the XmlDocument object.
            xmlDoc.PreserveWhitespace = true;

            // Decrypt the document.

            // Save the XML document.

            // Display the decrypted XML to the console.
            Console.WriteLine("Decrypted XML:");

        catch (Exception e)


    public static void Decrypt(XmlDocument Doc)
        // Check the arguments.  
        if (Doc == null)
            throw new ArgumentNullException("Doc");

        // Create a new EncryptedXml object.
        EncryptedXml exml = new EncryptedXml(Doc);

        // Decrypt the XML document.

Imports System
Imports System.Xml
Imports System.Security.Cryptography
Imports System.Security.Cryptography.Xml
Imports System.Security.Cryptography.X509Certificates

Module Program

    Sub Main(ByVal args() As String)
            ' Create an XmlDocument object.
            Dim xmlDoc As New XmlDocument()
            ' Load an XML file into the XmlDocument object.
            xmlDoc.PreserveWhitespace = True

            ' Decrypt the document.

            ' Save the XML document.
            ' Display the decrypted XML to the console.
            Console.WriteLine("Decrypted XML:")

        Catch e As Exception
        End Try

    End Sub

    Sub Decrypt(ByVal Doc As XmlDocument)
        ' Check the arguments.  
        If Doc Is Nothing Then
            Throw New ArgumentNullException("Doc")
        End If

        ' Create a new EncryptedXml object.
        Dim exml As New EncryptedXml(Doc)
        ' Decrypt the XML document.
    End Sub
End Module

Compiling the Code

.NET Framework Security

The X.509 certificate used in this example is for test purposes only. Applications should use an X.509 certificate generated by a trusted certificate authority or use a certificate generated by the Microsoft Windows Certificate Server.

See Also

How to: Encrypt XML Elements with X.509 Certificates