Encrypting Content

[The AD RMS SDK leveraging functionality exposed by the client in Msdrm.dll is available for use in Windows Server 2008, Windows Vista, Windows Server 2008 R2, Windows 7, Windows Server 2012, and Windows 8. It may be altered or unavailable in subsequent versions. Instead, use Active Directory Rights Management Services SDK 2.1, which leverages functionality exposed by the client in Msipc.dll.]

The Active Directory Rights Management Services (AD RMS) SDK uses the Advanced Encryption Standard (AES) algorithm and the electronic code book (ECB) cipher mode to encrypt content. The key size is 128 bits, and data is encrypted in 16-byte blocks. To encrypt content, the computer and user must be activated, and you must acquire a signed issuance license. The code example discussed later in this documentation encrypts an item of plaintext and writes the encrypted content and the signed issuance license to a custom file. The Decrypting Content Code Example reads the encrypted content from the file and decrypts it. For more information about encryption, see the following topics.

Topic Description
Owner License Discusses the typical structure of an owner (end-user) license that can be used to encrypt content.
Owner License Store Identifies the local certificate store where AD RMS copies the owner license.
Owner License XML Example Contains an XrML owner license example.
Encrypting Content Code Example Presents a detailed code example that encrypts an item of content.


In Windows 7, you can perform AES cipher-block chaining (CBC) encryption. One of the key features of CBC is the use of a chaining mechanism that ensures that blocks containing identical plain-text values will not produce identical cipher-text values. See the wszSymKeyType parameter of DRMGetSignedIssuanceLicense or DRMEncrypt to see how to perform CBC encryption on AD RMS protected content.


Activating a Computer

Activating a User

Decrypting Content

Using the AD RMS SDK