Wahmans Powershell Blog

Unprotect-CmsMessage

PowerShell Cmdlet Spotlight: Unprotect-CmsMessage

Welcome back to Wahmans PowerShell blog! Today, we’re diving into a cmdlet that often flies under the radar but can be extremely useful when dealing with encrypted content — Unprotect-CmsMessage.

What does it do?

The Unprotect-CmsMessage cmdlet decrypts content that has been encrypted using the Cryptographic Message Syntax (CMS) format. In a world where data security is vital, this cmdlet enables users to securely retrieve sensitive data encrypted with Protect-CmsMessage.

Let’s walk through four practical examples, ranging from basic decryption to more advanced use cases involving file contents and automation.

Example 1: Decrypt a Simple Encrypted Message

This is the most basic use of Unprotect-CmsMessage. Assume you or someone else has previously run Protect-CmsMessage to encrypt sensitive text.

$encryptedText = "-----BEGIN CMS-----
MIIB...YourEncryptedContent...IDAQAB
-----END CMS-----"

$decryptedText = Unprotect-CmsMessage -Content $encryptedText

Write-Output $decryptedText

This will decode the original message on a system where the recipient’s certificate is available in the certificate store.

Example 2: Decrypt Content from a File

This example assumes you’ve stored the encrypted CMS-format text in a file.

$cmsFile = Get-Content -Path "C:\Secure\encrypted.txt" -Raw

$decryptedMessage = Unprotect-CmsMessage -Content $cmsFile

Write-Host "Decrypted Message: $decryptedMessage"

This is useful when moving encrypted files between systems or users.

Example 3: Decrypt Encrypted Log Files

If you’re managing sensitive logs that are encrypted for security, you can decrypt them in bulk using a script like this:

$logFiles = Get-ChildItem -Path "C:\Logs\Encrypted" -Filter *.log

foreach ($file in $logFiles) {
    Write-Host "Decrypting: $($file.Name)"
    $encryptedContent = Get-Content -Path $file.FullName -Raw
    $decryptedContent = Unprotect-CmsMessage -Content $encryptedContent
    $outputPath = "C:\Logs\Decrypted\$($file.BaseName)_decrypted.txt"
    Set-Content -Path $outputPath -Value $decryptedContent
}

This process helps automate secure log file handling without compromising sensitive content.

Example 4: Automated Decryption Using Scheduled Tasks

Want to decrypt a message or file automatically on a schedule? PowerShell and Task Scheduler make it easy. Below is an example of decryption inside a script that could be run nightly:

$cmsFilePath = "C:\DailyReports\encrypted_report.cms"

if (Test-Path $cmsFilePath) {
    $cmsContent = Get-Content -Path $cmsFilePath -Raw
    $decryptedReport = Unprotect-CmsMessage -Content $cmsContent
    $outputPath = "C:\DailyReports\decrypted_report.txt"
    Set-Content -Path $outputPath -Value $decryptedReport
    Write-Host "Decryption completed successfully."
} else {
    Write-Warning "Encrypted report not found."
}

This example can be expanded into a full solution integrated with Windows Task Scheduler — perfect for secure reporting workflows.

Conclusion

Whether you’re exchanging sensitive information between systems or managing encrypted logs, Unprotect-CmsMessage gives you a secure and reliable way to decrypt CMS-encrypted content in PowerShell.

Happy scripting, and I will see you in the next post!

Leave a Reply

Your email address will not be published. Required fields are marked *