BOOL CryptExportKey(
[in] HCRYPTKEY hKey,
[in] HCRYPTKEY hExpKey,
[in] DWORD dwBlobType,
[in] DWORD dwFlags,
[out] BYTE *pbData,
[in, out] DWORD *pdwDataLen
Parameters
[in] hKey
A handle to the key to be exported.
[in] hExpKey
A handle to a cryptographic key of the destination user. The key data within the exported key BLOB is encrypted using this key. This ensures that only the destination user is able to make use of the key BLOB. Both hExpKey and hKey must come from the same CSP.
Most often, this is the key exchange public key of the destination user. However, certain protocols in some CSPs require that a session key belonging to the destination user be used for this purpose.
If the key BLOB type specified by dwBlobType is PUBLICKEYBLOB, this parameter is unused and must be set to zero.
If the key BLOB type specified by dwBlobType is PRIVATEKEYBLOB, this is typically a handle to a session key that is to be used to encrypt the key BLOB. Some CSPs allow this parameter to be zero, in which case the application must encrypt the private key BLOB manually so as to protect it.
To determine how Microsoft cryptographic service providers respond to this parameter, see the private key BLOB sections of
Microsoft Cryptographic Service Providers.
Note Some CSPs may modify this parameter as a result of the operation. Applications that subsequently use this key for other purposes should call the
CryptDuplicateKey function to create a duplicate key handle. When the application has finished using the handle, release it by calling the
CryptDestroyKey function.
[in] dwBlobType
Specifies the type of key BLOB to be exported in pbData. This must be one of the following constants as discussed in
Cryptographic Key Storage and Exchange.
Value
Meaning
OPAQUEKEYBLOB
Used to store session keys in an Schannel CSP or any other vendor-specific format. OPAQUEKEYBLOBs are nontransferable and must be used within the CSP that generated the BLOB.
[in] dwFlags
Specifies additional options for the function. This parameter can be zero or a combination of one or more of the following values.
Value
Meaning
CRYPT_BLOB_VER3
0x00000080
This flag causes this function to export version 3 of a BLOB type.
[out] pbData
A pointer to a buffer that receives the key BLOB data. The format of this BLOB varies depending on the BLOB type requested in the dwBlobType parameter. For the format for PRIVATEKEYBLOBs, PUBLICKEYBLOBs, and SIMPLEBLOBs, see
Base Provider Key BLOBs.
If this parameter is NULL, the required buffer size is placed in the value pointed to by the pdwDataLen parameter. For more information, see
Retrieving Data of Unknown Length.
[in, out] pdwDataLen
A pointer to a DWORD value that, on entry, contains the size, in bytes, of the buffer pointed to by the pbData parameter. When the function returns, this value contains the number of bytes stored in the buffer.
Note When processing the data returned in the buffer, applications must use the actual size of the data returned. The actual size can be slightly smaller than the size of the buffer specified on input. On input, buffer sizes are usually specified large enough to ensure that the largest possible output data fits in the buffer. On output, the variable pointed to by this parameter is updated to reflect the actual size of the data copied to the buffer.
To retrieve the required size of the pbData buffer, pass NULL for pbData. The required buffer size will be placed in the value pointed to by this parameter.
Return value
If the function succeeds, the function returns nonzero (TRUE).
If the function fails, it returns zero (FALSE). For extended error information, call
GetLastError.
The error codes prefaced by "NTE" are generated by the particular CSP being used. The following table shows some of the possible error codes.
Return code
Description
For any of the DES key permutations that use a PLAINTEXTKEYBLOB, only the full key size, including parity bit, may be exported. The following key sizes are supported.
Algorithm
Supported key size
CALG_DES
64 bits
CALG_3DES_112
128 bits
CALG_3DES
192 bits
Examples
The following example shows how to export a cryptographic key or a key pair in a more secure manner. This example assumes that a cryptographic context has been acquired and that a public key is available for export. For an example that includes the complete context for using this function, see
Example C Program: Signing a Hash and Verifying the Hash Signature. For another example that uses this function, see Example C Program: Exporting a Session Key.
#include <windows.h>
#include <stdio.h>
#include <Wincrypt.h>
BOOL GetExportedKey(
HCRYPTKEY hKey,
DWORD dwBlobType,
LPBYTE *ppbKeyBlob,
LPDWORD pdwBlobLen)
DWORD dwBlobLength;
*ppbKeyBlob = NULL;
*pdwBlobLen = 0;
// Export the public key. Here the public key is exported to a
// PUBLICKEYBLOB. This BLOB can be written to a file and
// sent to another user.
if(CryptExportKey(
hKey,
NULL,
dwBlobType,
NULL,
&dwBlobLength))
printf("Size of the BLOB for the public key determined. \n");
printf("Error computing BLOB length.\n");
return FALSE;
// Allocate memory for the pbKeyBlob.
if(*ppbKeyBlob = (LPBYTE)malloc(dwBlobLength))
printf("Memory has been allocated for the BLOB. \n");
printf("Out of memory. \n");
return FALSE;
// Do the actual exporting into the key BLOB.
if(CryptExportKey(
hKey,
NULL,
dwBlobType,
*ppbKeyBlob,
&dwBlobLength))
printf("Contents have been written to the BLOB. \n");
*pdwBlobLen = dwBlobLength;
printf("Error exporting key.\n");
free(*ppbKeyBlob);
*ppbKeyBlob = NULL;
return FALSE;
return TRUE;
Requirements