Sending Private (Encrypted) Messages


Applies To: Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server Technical Preview, Windows Vista

Private (encrypted) messages can be sent when operating in a workgroup environment. However, you cannot set the privacy level of a message and have the source queue manager encrypt the message body for you.


Version Differences: MSMQ 1.0 does not provide the COM components needed to encrypt messages manually. When using the COM components provided by MSMQ 1.0, you must always allow Message Queuing to encrypt the message body for you. On the other hand, MSMQ 2.0 and later provide full encryption support. You can tell Message Queuing to encrypt the message body, or your application can encrypt the message body.

MSMQ 3.0 does not support sending Message Queuing-encrypted or application-encrypted messages to HTTP/HTTPS direct format names or multicast addresses.

To send an encrypted message, the client application must encrypt the body of the message itself. To do this, the sending application must have an RC2 or RC4 symmetric key to encrypt the message body, as well as the public key of the receiving computer to encrypt the symmetric key. On the receiving side, the destination queue manager can decrypt the message only if the receiving computer is operating in domain mode.


Message Queuing supports the RC2 and RC4 encryption algorithms. The encryption algorithm is specified when the symmetric key is created, is used to encrypt the body of the message, and is then sent on to the receiving application in the encryption algorithm property (PROPID_M_ENCRYPTION_ALG or MSMQMessage.EncryptAlgorithm) of the message.
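
The symmetric-key and public-key steps described above, as an added PowerShell illustration. This is not Microsoft's sample code and does not produce the Message Queuing wire format. It uses the .NET RC2CryptoServiceProvider and RSACryptoServiceProvider classes. Assumptions: a locally generated key pair stands in for the receiving computer's key pair, and the function names, the envelope field names and the IV field are hypothetical.

```powershell
# Added illustration of the hybrid scheme: RC2 encrypts the body, and the
# receiver's public key encrypts (wraps) the RC2 key. All names are hypothetical.

function New-PrivateEnvelope {
    param([byte[]]$Body,
          [System.Security.Cryptography.RSACryptoServiceProvider]$ReceiverPublicKey)
    $rc2 = New-Object System.Security.Cryptography.RC2CryptoServiceProvider
    try {
        $rc2.KeySize = 128          # the algorithm and key size are fixed when the key is created
        $rc2.GenerateKey()
        $rc2.GenerateIV()
        [pscustomobject]@{
            EncryptAlgorithm = 'RC2'                                    # travels with the message
            WrappedKey       = $ReceiverPublicKey.Encrypt($rc2.Key, $false)  # PKCS#1 v1.5 padding
            IV               = $rc2.IV                                  # assumption of this example
            Body             = $rc2.CreateEncryptor().TransformFinalBlock($Body, 0, $Body.Length)
        }
    } finally { $rc2.Clear() }      # wipe the symmetric key held by the sender
}

function Open-PrivateEnvelope {
    param($Envelope,
          [System.Security.Cryptography.RSACryptoServiceProvider]$ReceiverKeyPair)
    # The receiver selects the cipher from the algorithm field and rejects anything else.
    if ($Envelope.EncryptAlgorithm -ne 'RC2') {
        throw "Unsupported algorithm: $($Envelope.EncryptAlgorithm)"
    }
    $rc2 = New-Object System.Security.Cryptography.RC2CryptoServiceProvider
    try {
        $rc2.Key = $ReceiverKeyPair.Decrypt([byte[]]$Envelope.WrappedKey, $false)
        $rc2.IV  = [byte[]]$Envelope.IV
        $cipher  = [byte[]]$Envelope.Body
        # Unary comma keeps the result a single byte[] on the pipeline.
        ,$rc2.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    } finally { $rc2.Clear() }
}

# Constructed stand-in for the receiving computer's key pair.
$receiverKeyPair = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
# The sender holds only the public half.
$receiverPublic = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$receiverPublic.ImportParameters($receiverKeyPair.ExportParameters($false))

$body     = [Text.Encoding]::UTF8.GetBytes('constructed sample message body')
$envelope = New-PrivateEnvelope -Body $body -ReceiverPublicKey $receiverPublic
$plain    = Open-PrivateEnvelope -Envelope $envelope -ReceiverKeyPair $receiverKeyPair
[Text.Encoding]::UTF8.GetString($plain)
```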

Encryption Process

The following illustration shows the process needed to encrypt a message body.
