Message Encryption


Applies To: Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server Technical Preview, Windows Vista

Message Queuing provides a secured channel for sending private, 40-bit or 128-bit encrypted messages throughout your enterprise. When private messages are sent, Message Queuing ensures that the body of the messages are kept encrypted from the moment they leave the source queue manager to the moment they reach their destination queue manager. An encrypted message can be decrypted only by the destination queue manager or a connector application.


The privacy level (PROPID_Q_PRIV_LEVEL or MSMQQueueInfo.PrivLevel) of a queue can also be set so that the queue will accept only private messages. If the privacy level of the sent message does not correspond to the privacy level of the queue, the message is rejected by the queue, and, if the sending application requested a negative acknowledgment messages when it sent the message, an MQMSG_CLASS_BAD_ENCRYPTION class acknowledgment message is returned to the administration queue specified by the sending application.

When the private message arrives at the destination queue manager, its body is decrypted and the message is placed in its destination queue. The receiving application never sees the encrypted body of the message.

Message Queuing provides two ways to send private messages. You can let the source queue manager encrypt the message body for you, or your application can encrypt the message body itself.

Message Queuing can encrypt the message body for you when your application is sending messages within a Windows® 2000 or Windows Server 2003 enterprise where there is access to the directory service.

Your application must encrypt the message body when it is sending messages where there is no access to the directory service (for example, when sending messages using a direct format name or when sending messages across enterprise boundaries).


MSMQ 1.0 and 2.0 differences: MSMQ 1.0 does not provide the COM components needed to encrypt messages manually. When using the COM components provided by MSMQ 1.0, you must always allow Message Queuing to encrypt the message body for you. On the other hand, the MSMQ 2.0 COM components provide full encryption support. You can tell Message Queuing to encrypt the message body, or your application can encrypt the message body.

MSMQ 3.0 does not support sending Message Queuing-encrypted or application-encrypted messages to HTTP/HTTPS direct format names, multicast addresses, or distribution lists.

Regardless of how the message is encrypted when it is sent, the destination queue manager always decrypts the message body and then passes the message on to the queue.

More Information

For information on See
Sending Message Queuing-encrypted messages Message Queuing-Encrypted Messages
Sending manually encrypted messages when there is no access to the directory service. Application-Encrypted Messages
Reading private messages from the destination queue Reading Private Messages