How To: Guidelines for Encryption/Decryption with the Convert Value Task

The following are guidelines to use when writing code for asymmetric encryption and decryption to be used with the Encrypt and Decrypt options of the Forum Sentry Convert Value task.

To Encrypt (Sentry will decrypt):

1. Create a random 256 bit ephemeral symmetric key for AES256.
2. Generate a random 128 bit IV for AES256.
3. Encrypt the data using the ephemeral key and IV.
4. Encrypt the ephemeral key using the RSA 1024 bit public key.
5. Base64 (encrypted key + IV + encrypted data)

To Decrypt (Sentry will encrypt):

1. Base64 decode into bytes.
    - the first 128 bytes is the RSA encrypted ephemeral symmetric key (randomly generated symmetric key)
    - the next 16 bytes is the IV (also random)
    - the rest is the data
2. Decrypt the ephemeral symmetric key using the RSA private key (from the p12 file).
3. Decrypt the data using the ephemeral symmetric key and IV.


1. The encrypted AES256 key is 128 bytes when using an RSA 1024 bit key.
2. The encrypted AES256 key is 256 bytes when using an RSA 2048 bit key.
3. The IV is 16 bytes for AES.
4. For sample client code for using symmetric encryption/decryption with the Sentry Convert Value task see this article.



Article is closed for comments.