(SQL Server) AES 256-bit CBC using PBKDF2 Generated Secret Key

See more Encryption Examples

First generates a 32-byte secret key using PBKDF2 (with HMAC-SHA256), and then uses the secret key to do 256-bit AES CBC mode decryption.

(Duplicates the following Java code)

public String decrypt(String strToDecrypt) {
        try  {
            // Read the initialization vector from the first bytes for the data
            byte [] rawData = Base64.getDecoder().decode(strToDecrypt);
            byte [] iv = new byte[Config.get().encryptionIVLength()];
            byte [] encryptedData = new byte[rawData.length - iv.length];
            System.arraycopy(rawData, 0, iv, 0, iv.length);
            System.arraycopy(rawData, iv.length, encryptedData, 0, encryptedData.length);
 
            IvParameterSpec ivspec = new IvParameterSpec(iv);
 
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            KeySpec spec = new PBEKeySpec(secretKey.toCharArray(), salt.getBytes(), 65536, 256);
            SecretKey tmp = factory.generateSecret(spec);
            SecretKeySpec secretKey = new SecretKeySpec(tmp.getEncoded(), "AES");
 
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
            cipher.init(Cipher.DECRYPT_MODE, secretKey, ivspec);
            return new String(cipher.doFinal(encryptedData));
        }
        catch (Exception e) {
            log.error("Could not decrypt the string.", e);
        }
        return null;
    }

Chilkat ActiveX Downloads ActiveX for 32-bit and 64-bit Windows

-- Important: See this note about string length limitations for strings returned by sp_OAMethod calls.
--
CREATE PROCEDURE ChilkatSample
AS
BEGIN
    DECLARE @hr int
    -- This example requires the Chilkat API to have been previously unlocked.
    -- See Global Unlock Sample for sample code.

    DECLARE @crypt int
    -- Use "Chilkat_9_5_0.Crypt2" for versions of Chilkat < 10.0.0
    EXEC @hr = sp_OACreate 'Chilkat.Crypt2', @crypt OUT
    IF @hr <> 0
    BEGIN
        PRINT 'Failed to create ActiveX component'
        RETURN
    END

    DECLARE @password nvarchar(4000)
    SELECT @password = 'some arbitrary length password'
    -- We have 8 bytes of salt encoded using hex.
    -- (The salt can be any number of bytes, in any desired encoding such as base64, hex, etc.)
    DECLARE @saltHex nvarchar(4000)
    SELECT @saltHex = '0102030405060708'

    -- Generate the 256-bit (32-byte) AES secret key we'll use to decrypt.
    DECLARE @iterationCount int
    SELECT @iterationCount = 65536
    DECLARE @outputKeyBitLen int
    SELECT @outputKeyBitLen = 256
    DECLARE @secretKeyHex nvarchar(4000)
    EXEC sp_OAMethod @crypt, 'Pbkdf2', @secretKeyHex OUT, @password, 'utf-8', 'sha256', @saltHex, @iterationCount, @outputKeyBitLen, 'hex'

    -- Setup for 256-bit AES CBC decryption.
    EXEC sp_OASetProperty @crypt, 'CryptAlgorithm', 'aes'
    EXEC sp_OASetProperty @crypt, 'KeyLength', 256
    EXEC sp_OASetProperty @crypt, 'CipherMode', 'cbc'
    EXEC sp_OASetProperty @crypt, 'PaddingScheme', 0

    -- The IV for AES is 16 bytes.
    DECLARE @iv nvarchar(4000)
    SELECT @iv = '000102030405060708090A0B0C0D0E0F'
    EXEC sp_OAMethod @crypt, 'SetEncodedIV', NULL, @iv, 'hex'

    -- Set the secret key for 256-bit AES.
    EXEC sp_OAMethod @crypt, 'SetEncodedKey', NULL, @secretKeyHex, 'hex'

    -- AES decrypt
    -- assume our string to decrypt is base64
    DECLARE @strToDecrypt nvarchar(4000)
    SELECT @strToDecrypt = '....'
    EXEC sp_OASetProperty @crypt, 'EncodingMode', 'base64'
    DECLARE @decryptedStr nvarchar(4000)
    EXEC sp_OAMethod @crypt, 'DecryptStringENC', @decryptedStr OUT, @strToDecrypt


    PRINT @decryptedStr

    EXEC @hr = sp_OADestroy @crypt


END
GO