v4.1.3

Code has been updated to be compatible with the latest versions of the PSv5 preview. Previous code had several functions with parameters named $IV, which conflicts with the new -InformationVariable common parameter.

4.1.2

Default password iteration count increased from 1000 to 50000.
Fixed bug in Add-ProtectedDataCredential where user-specified PasswordIterationCount was being ignored, and the default used instead.

4.1.1

The -Certificate parameter of Unprotect-Data is now optional. If no Certificate or Password is specified, then the module will search the Personal stores of the current user and local computer to try to find an installed certificate which matches one of the certs used to encrypt the -InputObject. If a matching certificate is found, it will be used.

Also, fixed a bug that was causing KeyData objects for ECDH certificates to be output as hashtables instead of psobjects. This didn't break anything, but was inconsistent with the rest of the module's behavior.

4.1.0

Positional binding now works for the -InputObject parameter on all commands.
The -SkipCertificateVerification switch has been deprecated on all commands, and will produce a warning if used. (The code now behaves as though this switch was used in all cases.)

v4.0.0

Added HMAC (authentication code) of AES cipher text, to prevent tampering.

Note: This is a major release because the Unprotect-Data command will not decrypt ProtectedData objects which were produced by earlier versions of the module and are missing the HMAC code, by default. However, you can add the HMAC to existing objects by using the new Add-ProtectedDataHmac command, at which point Unprotect-Data will work with that object again.

Add-ProtectedDataHmac is not required for any new calls to Protect-Data; the HMAC information will be produced automatically in that case.

v3.0.1

Forgot to sign the files when releasing v3.0, and had to bump the version number in order to fix this on PowerShellGet. No functional changes.

Version 3.0

Functionally, this version has all the same of features as v2.1, but has removed the deprecated -CertificateThumbprint parameters. Upgrade to v3.0 once you have converted any existing scripts to just use -Certificate instead.

v2.1

The functionality of the old -CertificateThumbprint parameters has been rolled into the newer -Certificate parameters; you can either pass in X509Certificate2 objects or thumbprints to -Certificate and it will just work. In addition, you can also pass in paths to certificates in the PowerShell Cert:\ drive, or paths to certificate files on disk.

The old Thumbprint parameters still exist for now, but they are deprecated and will produce warnings if used. They will be removed in a future release.

v2.0

The module no longer treats certificates with no Key Extension as suitable for encryption / decryption. This is because of two things: 1, some signing-only certificates have been found during demonstrations and tests which do not reflect this in the form of a Key Usage extension, and 2, when you look at the Public Key object on an RSA certificate that's only meant for signing, even the Public Key doesn't reflect this. Based on my tests so far, it's only when you look at the Private Key object that you get the authoritative data on whether a particular certificate is suitable for decrypting data.

Since we can't count on having this data directly from the private key, the only source I can trust to figure this out from the "public-only" view of a cert is the Key Usage extension.

Since this is a breaking change, the version number of the module is now 2.0 (according to semantic versioning.)

v1.2

Added support for ECDH (Elliptic Curve Diffie-Hellman) certificates, in addition to the RSA certificates that the module already supported.

Fixed a bug that was causing failures in PowerShell v3.