Last Updated on August 12, 2023


After explaining the concept and purpose of AES encryption in the previous article, this guide gives practical steps for creating and using an AES 256-bit key.

AES encryption key size

When performing AES encryption, it’s important to pay attention to the key size that you are using, because the key size has an impact on the strength of the algorithm.

The AES algorithm supports three key sizes: 128-bit, 192-bit, and 256-bit. Nowadays, it is recommended to always use a 256-bit key to make sure that your data is fully protected.

In most documentation, the term AES-256 is used to refer to an AES encryption using a 256-bit key. So, wherever you see that term, it simply means an AES encryption with a key size of 256 bits.

Create an AES 256-bit key in C#

The easiest way to create an AES 256-bit key is to use the Aes.Create method. That method initializes a cryptographic object implementing the AES algorithm. With that instance, you will be able to call the GenerateKey method to create a new AES key.

Here is an example of the output on the console:

Creating Aes Encryption 256 bit key
Aes Key Size : 256
Here is the Aes key in Base64:
PJC7HnliwcxXw4FM8Ep3sX9NIL3R5CZnDvp8IyyCSlg=

As you can see in this sample code, we set the key size to 256 bits before calling the GenerateKey method. Then we convert the key to a readable Base64 text format.

Once the key is created, you need to save it in a safe place in order to be able to retrieve it for encryption and decryption purposes. You need to remember that the AES key is a secret, so it should NEVER be stored in a text file or database in clear text. Here are the best places to store the key:

  • Store the key as a secret in a key management system: you can store the AES key as a secret in a cloud KMS, like Azure Key Vault, AWS KMS, or Google Cloud Key Management.
  • Encrypt the key with an asymmetric key and save it in a datastore: you can store the AES key in a database only if the key itself is encrypted. In this case, the best way to protect the AES key is to encrypt it with an asymmetric key (for example, an RSA key). Furthermore, the asymmetric key used for that purpose should be stored in a KMS.





Using an AES 256-bit key to encrypt data

In the following example, we are using the AES encryption key to encrypt data:

The following text is an example output of that code:

Welcome to the Aes Encryption Test tool
Provide the Aes Key in base64 format :
PJC7HnliwcxXw4FM8Ep3sX9NIL3R5CZnDvp8IyyCSlg=
--------------------------------------------------------------
Please enter the text that you want to encrypt:
this is an example plain text that we want to encrypt.
--------------------------------------------------------------
Aes Cipher Mode : CBC
Aes Padding Mode: PKCS7
Aes Key Size : 256
--------------------------------------------------------------
Here is the cipher text:
TWgNFEi/9kZjDiQTPjCx91H0c/CXtjiVAVV/Kkg9VqcZqmt9K9+/gT/eg9qWCyaqNxpSrKtT+Rbd03NrqEJyzw==
--------------------------------------------------------------
Here is the Aes IV in Base64:
h9GeWnVeV2no4pkircgXAg==

As you may have noticed, we provided the key in Base64 format and loaded it after calling the Aes.Create method.

An important factor to consider is the initialization vector. Since it is not recommended to always use the same initialization vector, we are calling the GenerateIV method to create a new initialization vector for every plain text data that we want to encrypt.

Using an AES 256-bit key to decrypt data

Following the same principle, here is the code sample that we are using to decrypt the cipher text.

Here is the console output when we decrypt the previous cipher text with the same AES key:

AES Encryption 256 bit key
Welcome to the Aes Encryption Test tool
Please enter the text that you want to decrypt:
TWgNFEi/9kZjDiQTPjCx91H0c/CXtjiVAVV/Kkg9VqcZqmt9K9+/gT/eg9qWCyaqNxpSrKtT+Rbd03NrqEJyzw==
--------------------------------------------------------------
Provide the Aes Key:
PJC7HnliwcxXw4FM8Ep3sX9NIL3R5CZnDvp8IyyCSlg=
--------------------------------------------------------------
Provide the initialization vector:
h9GeWnVeV2no4pkircgXAg==
--------------------------------------------------------------
Aes Cipher Mode : CBC
Aes Padding Mode: PKCS7
Aes Key Size : 256
Aes Block Size : 128
--------------------------------------------------------------
Here is the decrypted data:
this is an example plain text that we want to encrypt.

For decryption, we need the following information:

  • The encryption key.
  • The initialization vector.
  • The configuration used to encrypt the data, such as the cipher mode and padding mode.

If you need more information on these concepts, you can look at our previous article about AES encryption.
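
The key creation, encryption and decryption steps described in the sections above, combined into one round trip as an added example (not the article's original code). The class name AesCbcRoundTrip, the helper NewCbc and the choice to prepend the IV to the cipher text are assumptions made for this illustration; the article's tool prints the IV separately.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
public static class AesCbcRoundTrip   // hypothetical name, not from the article
{
    private static Aes NewCbc(byte[] key)   // hypothetical helper
    {
        if (key.Length != 32) throw new ArgumentException("Expected a 256-bit key.");
        Aes aes = Aes.Create();
        aes.Mode = CipherMode.CBC;          // mode and padding must match on both sides
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = key;
        return aes;
    }

    // Returns IV || ciphertext so the per-message IV is stored with the data.
    public static byte[] Encrypt(byte[] key, string plainText)
    {
        using Aes aes = NewCbc(key);
        aes.GenerateIV();                   // fresh IV for every message
        byte[] plain = Encoding.UTF8.GetBytes(plainText);
        using ICryptoTransform enc = aes.CreateEncryptor();
        return aes.IV.Concat(enc.TransformFinalBlock(plain, 0, plain.Length)).ToArray();
    }

    public static string Decrypt(byte[] key, byte[] packed)
    {
        using Aes aes = NewCbc(key);
        int ivLen = aes.BlockSize / 8;      // 16 bytes for AES
        if (packed.Length < 2 * ivLen || packed.Length % ivLen != 0)
            throw new CryptographicException("Malformed IV || ciphertext.");
        aes.IV = packed.Take(ivLen).ToArray();
        using ICryptoTransform dec = aes.CreateDecryptor();
        return Encoding.UTF8.GetString(dec.TransformFinalBlock(packed, ivLen, packed.Length - ivLen));
    }

    public static void Main()
    {
        using Aes gen = Aes.Create();
        gen.KeySize = 256;                  // set the size before GenerateKey
        gen.GenerateKey();
        byte[] key = gen.Key;
        const string text = "constructed sample text";
        byte[] first = Encrypt(key, text), second = Encrypt(key, text);
        Console.WriteLine($"Ciphertexts differ: {!first.SequenceEqual(second)}");
        Console.WriteLine($"Round trip ok: {Decrypt(key, first) == text}");
    }
}
```

CBC with PKCS7 protects confidentiality only, so where stored cipher text could be modified, pair it with an integrity check such as an HMAC over the IV and cipher text.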

To sum it up, by following these steps, you will be able to create an AES 256-bit key and use that key to encrypt and decrypt data.