I just finished with an initial implementation of a custom encryption/decryption pipeline
component for BizTalk Server 2006, which supports all the symmetric cryptography algorithms
included with the .NET Framework’s System.Security.Cryptography package: RC2, Rijndael,
DES and 3DES.

Included in the component are both an encoder and decoder pipeline components so that
you can both encrypt and decrypt messages from your custom pipelines. The encoder
component does its work in a fully streaming fashion, while the decoder component
decrypts into an intermediate in-memory buffer for now (see this for
the reason).

For both encoder/decoder components, you just have to configure two different properties:


  • Algorithm: Specifies the symmetric crypto algorithm to encrypt/decrypt messages.

  • SsoConfigApp: Specifies the name of a Configuration Application in the Enterprise
    Single Sign-On ConfigStore that contains the Key and Initialization Vector to use
    for encryption/decryption. This way keys are stored securely inside the SSODB database.

Initially, I thought about using Jon Flander’s excellent
for storing configuration data in the SSO, but finally decided to code
my own to avoid external dependencies (something I usually try to do for pipeline
components as it makes deployment easier). Coding my own allowed me to also add a
few things that should simplify deployment somewhat.

I provide a sample WinForms application that you can use to create/open/update/delete
ConfigApps in the SSO to store keys and IVs securely. The application has the following


  1. The ConfigApp in SSO is created as a Config Store application, with two custom fields:
    CryptoKey and CryptoIV. Both are stored as Base64-encoded strings.

  2. The utility uses WMI to query the names of the BizTalk Administrators Group and the
    names of the user groups associated to each BizTalk Host. The admin and users groups
    in the SSO application are set to these values. I take advantage to a feature
    in SSO 3.0 which allows you to associate multiple groups as users of the SSO Application,
    so this way you don’t need to create a new group just to have all application and
    isolated hosts access to the configuration data.

  3. Both the Key and IV as entered as a long string of hexadecimal digits. If you don’t
    want to write your own, you can use the Generate buttons to automatically generate
    a Key/IV pair appropriate for the selected symmetric algorithm, which is done via
    the GenerateKey() and GenerateIV() methods of the specified SymmetricAlgorithm-derived

  4. Some basic validations are done on the key and IV you enter, such as ensuring it has
    a valid length according to the selected algorithm.

You can download the code for this component here.
Included in the solution are both the pipeline component and the Winforms configuration
application, as well as a messaging-only sample use of both encoder and decoder components.