CryptEncrypt

The CryptEncrypt function is used to encrypt data. The algorithm used to encrypt the data is designated by the key held by the CSP module, which is referenced by the hKey parameter.

Important changes have been made to the CryptoAPI in order to support S/MIME e-mail interoperability, which affect the handling of enveloped messages. See the Remarks for CryptMsgOpenToEncode for details.

Due to French import laws, the Microsoft CSPs do not allow encryption when the Microsoft® Windows NT® operating system is used in France. Therefore, under this condition, this function will fail with the error NTE_PERM.

#include <wincrypt.h>
BOOL WINAPI CryptEncrypt(
  HCRYPTKEY hKey,   // in
  HCRYPTHASH hHash, // in
  BOOL Final,       // in
  DWORD dwFlags,    // in
  BYTE *pbData,     // in/out
  DWORD *pcbData,   // in/out
  DWORD cbBuffer    // in
);
 

Parameters

hKey
A handle to the key to use for the encryption. An application obtains this handle by using either the CryptGenKey or the CryptImportKey function.

This key specifies the encryption algorithm that is used.

hHash
A handle to a hash object. This parameter is used only if a hash of the data is to be computed at the same time the encryption is being performed. See the "Remarks" section for more information.

If no hash is to be done, this parameter must be zero.

Final
The Boolean value that specifies whether this is the last section in a series being encrypted. This should be TRUE if this is the last or only block, and FALSE if it is not. See the "Remarks" section for more information.

dwFlags
The flag values. This parameter is reserved for future use and should always be zero.

pbData
The buffer holding the data to be encrypted. After the encryption has been performed, the encrypted data is placed back in this same buffer.

The size of this buffer is specified by cbBuffer. The number of bytes of data to be encrypted is specified by pcbData.

This parameter can be NULL if all you are doing is determining the number of bytes required for the returned data.

pcbData
The address of the data length. Before calling this function, the caller should set this parameter to the number of bytes to be encrypted. Upon return, this address will contain the number of bytes of encrypted data.

If the buffer specified by pbData is not large enough to hold the data, the function returns the ERROR_MORE_DATA error code (through GetLastError) and stores the required buffer size, in bytes, into the variable pointed to by pcbData.

If pbData is NULL, then no error is returned, and the function stores the size of the data, in bytes, in the variable pointed to by pcbData. This lets an application determine the correct buffer size unambiguously.

When a block cipher is used, this data length must be a multiple of the block size, unless this is the final section of data to be encrypted and the Final flag is TRUE.

cbBuffer
The number of bytes in the pbData buffer.

Note that, depending on the algorithm used, the encrypted text can be slightly larger than the original plaintext. In this case, the pbData buffer needs to be sized accordingly.

As a rule, if a stream cipher is used the ciphertext will be the same size as the plaintext. If a block cipher is used, the ciphertext will be up to a "block length" larger than the plaintext.

Return Values

If the function succeeds, the return value is TRUE. If it fails, the return value is FALSE. To retrieve extended error information, use the GetLastError function.

The following table lists the error codes most commonly returned by the GetLastError function. The error codes prefaced by "NTE" are generated by the particular CSP you are using.

Error code               Description
ERROR_INVALID_HANDLE     One of the parameters specifies an invalid handle.
ERROR_INVALID_PARAMETER  One of the parameters contains an invalid value. This is most often an illegal pointer.
NTE_BAD_ALGID            The hKey session key specifies an algorithm that this CSP does not support.
NTE_BAD_DATA             The data to be encrypted is invalid. For example, when a block cipher is used and the Final flag is FALSE, the value specified by pcbData must be a multiple of the block size.
NTE_BAD_FLAGS            The dwFlags parameter is nonzero.
NTE_BAD_HASH             The hHash parameter contains an invalid handle.
NTE_BAD_HASH_STATE       An attempt was made to add data to a hash object that is already marked "finished."
NTE_BAD_KEY              The hKey parameter does not contain a valid handle to a key.
NTE_BAD_LEN              The size of the output buffer is too small to hold the generated ciphertext.
NTE_BAD_UID              The CSP context that was specified when the key was created cannot be found.
NTE_DOUBLE_ENCRYPT       The application attempted to encrypt the same data twice.
NTE_FAIL                 The function failed in some unexpected way.
NTE_NO_MEMORY            The CSP ran out of memory during the operation.

Remarks

If data is to be hashed and encrypted simultaneously, a handle to a hash object can be passed in the hHash parameter. The hash value will be updated with the plaintext passed in. This option is useful when generating signed and encrypted text.

Before calling CryptEncrypt, the application should obtain a handle to the hash object by calling the CryptCreateHash function. After the encryption is complete, the hash value can be obtained through the CryptGetHashParam function or the hash can be signed using the CryptSignHash function.

When a large amount of data needs to be encrypted, it can be done in sections. This is done by calling CryptEncrypt repeatedly. The Final parameter should be set to TRUE only on the last invocation of CryptEncrypt, so the encryption engine can properly finish the encryption process. The following extra actions are performed when Final is TRUE:

Example

See Encrypting and Decrypting Data.
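The sectioning and buffer-size rules described above can be checked before each call, as in the following added example, which is not part of the original reference text. The names section_t, plan_section and encrypt_sections are hypothetical, and the Windows-only driver assumes that a non-final section produces as many bytes as it consumes; the exact output size can still be obtained by calling CryptEncrypt with pbData set to NULL.

```c
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#endif

/* One planned call: bytes passed via *pcbData, the Final flag, and the
   smallest cbBuffer that is safe for that call. (Hypothetical type.) */
typedef struct { size_t in_len; int final; size_t min_buffer; } section_t;

/* Plans call number `index` when `total` plaintext bytes are fed in sections
   of `chunk` bytes. block == 0 models a stream cipher. Returns 0 on success,
   -1 if index is past the last call or chunk would provoke NTE_BAD_DATA. */
int plan_section(size_t total, size_t chunk, size_t block, size_t index,
                 section_t *out)
{
    if (chunk == 0 || (block != 0 && chunk % block != 0))
        return -1;             /* non-final sections must be block multiples */
    size_t n = total / chunk + (total % chunk != 0);
    if (n == 0) n = 1;         /* empty input still needs one Final call */
    if (index >= n) return -1;
    out->final = (index == n - 1);
    out->in_len = out->final ? total - index * chunk : chunk;
    /* Worst case from the text: a block cipher adds up to one block on Final. */
    out->min_buffer = out->in_len + (out->final ? block : 0);
    return 0;
}

#ifdef _WIN32
/* Encrypts buf[0..total) in place; cap is the real allocation size of buf. */
BOOL encrypt_sections(HCRYPTKEY hKey, BYTE *buf, DWORD total, DWORD cap,
                      DWORD chunk, DWORD block, DWORD *out_len)
{
    section_t s; DWORD off = 0;
    for (size_t i = 0; plan_section(total, chunk, block, i, &s) == 0; i++) {
        DWORD len = (DWORD)s.in_len;
        if (off > cap || s.min_buffer > cap - off) {
            SetLastError(ERROR_MORE_DATA);   /* refuse before the CSP writes */
            return FALSE;
        }
        if (!CryptEncrypt(hKey, 0, s.final, 0, buf + off, &len, cap - off))
            return FALSE;
        if (s.final) { *out_len = off + len; return TRUE; }
        off += (DWORD)s.in_len;   /* assumed: non-final output == input length */
    }
    SetLastError(ERROR_INVALID_PARAMETER);   /* bad chunk/block combination */
    return FALSE;
}
#endif
```

Passing the true allocation size as cap matters because encryption happens in place: the final section of a block cipher can grow past the plaintext, and cbBuffer is the only bound the CSP has on how far it may write.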

QuickInfo

  Windows NT: Requires version 4.0 or later.
  Windows: Requires Windows 95 OSR2 or later (or Windows 95 with IE 3.02 or later).
  Windows CE: Unsupported.
  Header: Declared in wincrypt.h.
  Import Library: Use advapi32.lib.

See Also

CryptCreateHash, CryptDecrypt, CryptGenKey, CryptGetHashParam, CryptImportKey, CryptSignHash