Encryption and Decryption with AMPScript

Devs United > SFMC Pros  > Encryption and Decryption with AMPScript

Encryption and Decryption with AMPScript

A colleague asked me yesterday if I had worked with encrypting values using AMPScript and performing decryption later in a third party application.

I replied to her that I was in fact able to perform such thing, and that I will provide her with some code examples.

However, as I was putting together a little code snippet, I decided to write this post to give an overview and different alternatives around this topic.

Note: If you are in a hurry to get this code or are too lazy to read this post (shame on you!) go straight to the github repository.

The Scenario


Imagine that you have an email configured in ExactTarget that have links to an external website. You want to be able to pass the Subscriber’s email address in the URL without it being noticed, so you decide that you want to encrypt such value to resolve it later in your website.


AMPScript Encryption functions


AMPScript provides you with two functions to resolve encryption: EncryptSymmetric and DecryptSymmetric that you can find in the official documentation.

With these functions, you can encrypt and decrypt your values using 3 different algorithms: AES, 3DES and DES. Here’s a quick short answer on the differences between these.


Symmetric versus Asymmetric encryption


Note that the AMPScript functions mentioned above use the term Symmetric. So, what does that mean?

In symmetric encryption you share a secret key, which can be a string of random letters, a word, etc. This key is applied to the text of a message to change the content in a particular way. As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key.

The problem with this method is that by sharing the key among multiple environments, you run the risk of that key falling in the wrong hands. So, symmetric encryption is meant to be focus on a single environment (such as ExactTarget emails and ExactTarget landing pages).

With Asymmetric encryption (for example, pgp) you have 2 sets of keys, one public and one private that only you know.

Any message (text, binary files, or documents) that are encrypted by using the public key can only be decrypted by applying the same algorithm, but by using the matching private key. Any message that is encrypted by using the private key can only be decrypted by using the matching public key.

ExactTarget provides a way to use Asymmetric encryption, but it is only meant to be use for transferring files from and to ExactTarget. 


Encrypting and Decrypting values using DES


After playing for a bit with AMPScript and C#, I was able to encrypt values in AMPScript and decrypting in C# and viceversa using the DES algorithm. I was not able to accomplish the same task using AES or 3DES and I suspect the reason behind this, is in the way the AMPScript functions are resolving these methods internally. Remember, Symmetric encryption is meant to have a more limited scope so use this method at your own risk!

I created a little landing page that you can check here, that will allow you to encrypt and decrypt values using DES for your testing purposes.

Then I created a small solution in .NET that uses DES to perform the same operation. You can use the test project to play with your values and once you are ready to implement the code, feel free to change the key value to be used in the algorithm.

You can find the full source code for this solution including the landing page code in my github repo.


Alternative solutions


I like to think that there’s always at least 2 (or more) solutions to a problem.

Let’s think a little bit about our scenario. We need to be able to pass a value securely to a third party system, right? so here are other ideas on how to solve that problem without using the encryption AMPScript functions:


Use one way encryption


AMPScript has a function called MD5 that will create a one way encryption hash for you. You can combine this function with information that only you know about the user in your backend. For example, you could concatenate the EmailAddress, with the subscriber’s birthDate, convert those to a HEX String and then apply the MD5 function. In your backend, you can have a table with that encrypted value for each record and you’ll simply do a lookup for that encrypted value.


Use a shared GUID


A GUID is another safe way to pass data between systems. If you had a GUID for each subscriber that both system know, you can simply pass that value in the URL and do a lookup on the other end.


Use the new and great MicrositeURL function


Say the scenario changes a little, and you need to pass data between an email and a landing page. But you still need it to be secure.

In their latest  platform release, ExactTarget introduced a new function called MicrositeURL. This function allows you to provide a page ID and a list of parameters that will be encrypted at send time and you can request later in your landing page by using the RequestParameter function.




Encryption and Decryption between ExactTarget and third party systems is possible in many ways. Use your best judgement and creative thinking to come up with the best way to resolve this situation, to ensure your data is transmitted securely and without falling into the sea of over-complicating things.

Feel free to fork my github repo and add more examples of encryption and decryption between AMPScript and third party systems!