
DecryptSymmetric()

Decrypts encrypted data using the supplied algorithm and encryption values. Supply either a value or a valid external key for the password, initialization vector (IV), and a salt.

You can also use external keys if you previously created keys in the Key Management section of the Marketing Cloud Engagement web interface. If you haven't created any keys, the function generates a password using the password parameter or stored value, the salt parameter or stored value, and the IV parameter or stored value. If you don't pass or reference an initialization vector, the function uses the password parameter or stored value as the initialization vector.

This function treats salt and IV values, whether provided directly or looked up by key, as hex strings, with each pair of characters representing a single byte in the larger string. Don't attempt to use these values as a cipher string, because you can't successfully decrypt those strings using this function. You can wrap the EncryptSymmetric() and DecryptSymmetric() functions in Base64Encode() and Base64Decode() functions to view the final string in plain text.

You can only use the EncryptSymmetric() and DecryptSymmetric() AMPscript functions on data contained in Marketing Cloud Engagement. You can't use these functions with third-party encryption and decryption functionality.

The DecryptSymmetric() function has eight parameters:

  • encryptedData (string): Required. The encrypted data that you want to decrypt.
  • encryptionAlgorithm (string): Required. The algorithm used to encrypt the data. Accepted values: aes (AES or Rijndael encryption), des (DES), and tripledes (Triple DES or Triple DEA). You can specify cipher modes and padding methods for DES and Triple DES algorithms. See Encryption Algorithm Options for more information.
  • passwordExternalKey (string): Required. The external key of a password that was created in Key Management.
  • passwordValue (string): Required. The password value.
  • saltExternalKey (string): Required. The external key of a salt in Key Management.
  • saltValue (string): Required. The salt value, represented as an 8-byte hexadecimal string.
  • ivExternalKey (string): Required. The external key of an initialization vector in Key Management.
  • ivValue (string): Required. The initialization vector, represented as a 16-byte hexadecimal string.

You can specify cipher modes for DES and Triple DES algorithms. To specify these options, add a semicolon after the algorithm, followed by mode= and the name of the cipher mode. Accepted values for cipher modes are:

  • cbc - Cipher Block Chaining (this mode is the default)
  • cfb - Cipher Feedback
  • ecb - Electronic Codebook
  • ofb - Output Feedback
  • cts - Ciphertext Stealing

You can also include a padding method by adding padding= and the name of the padding mode. Accepted values are:

  • pkcs7 - PKCS#7/RFC 5652 (this method is the default)
  • ansix923 - ANSI X9.23
  • iso10126 - ISO 10126
  • zeros - Zero padding (all bytes padded with zeroes)
  • none - No padding
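
A pre-flight check for the algorithm string and hex arguments described above, written in Python as an added example; it is not Salesforce code. It assumes that mode= and padding= are each separated by a semicolon, matches against the lowercase values listed on this page, and applies the 8-byte salt and 16-byte IV lengths from the parameter list to every algorithm; the function and parameter names are hypothetical.

```python
import re

# Accepted values as listed on this page; ';' between options is an assumption.
ALGORITHMS = {"aes", "des", "tripledes"}
MODES = {"cbc", "cfb", "ecb", "ofb", "cts"}
PADDINGS = {"pkcs7", "ansix923", "iso10126", "zeros", "none"}

def parse_algorithm(spec):
    """Split e.g. 'des;mode=ecb;padding=zeros' into (algorithm, mode, padding)."""
    name, *opts = [part.strip() for part in spec.split(";")]
    if name not in ALGORITHMS:
        raise ValueError(f"unknown algorithm: {name!r}")
    if opts and name == "aes":
        raise ValueError("mode/padding options are documented for des and tripledes only")
    chosen = {"mode": "cbc", "padding": "pkcs7"}  # documented defaults
    allowed = {"mode": MODES, "padding": PADDINGS}
    for opt in opts:
        key, _, value = opt.partition("=")
        if value not in allowed.get(key, ()):
            raise ValueError(f"unsupported option: {opt!r}")
        chosen[key] = value
    return name, chosen["mode"], chosen["padding"]

def check_hex(label, value, nbytes):
    """Return problems with a hex-encoded salt or IV (two characters per byte)."""
    if not re.fullmatch(r"[0-9a-fA-F]*", value):
        return [f"{label}: not a hex string"]
    if len(value) != 2 * nbytes:
        return [f"{label}: expected {2 * nbytes} hex characters, got {len(value)}"]
    return []

def review_call(spec, salt_value=None, iv_value=None, iv_key=None):
    """Collect findings for one EncryptSymmetric()/DecryptSymmetric() argument set."""
    try:
        name, mode, _padding = parse_algorithm(spec)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if name == "des":
        findings.append("des: 56-bit key, prefer aes")
    if mode == "ecb":
        findings.append("ecb: equal plaintext blocks give equal ciphertext blocks")
    if salt_value is not None:
        findings += check_hex("salt", salt_value, 8)
    if iv_value is not None:
        findings += check_hex("iv", iv_value, 16)
    elif iv_key is None:
        findings.append("no IV passed or referenced: the password is used as the IV")
    return findings
```

An empty list from review_call() means the argument set matches what this page documents; it says nothing about whether the password or keys themselves are strong.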

This example sets the @clearData variable to the decrypted value of @endData. It uses provided values for the password, salt, and IV, and it sets any external key values to the undeclared variable @null. The salt and IV values provided in this example are hexadecimal strings. The salt value includes 8 bytes of hex information, and the IV value provides 16 bytes.

This example uses external keys instead of provided values: