Particular
diff --git a/‎src/NServiceBus.AcceptanceTests/Encryption/When_using_encryption_with_custom_service.cs
+75 b/‎src/NServiceBus.AcceptanceTests/Encryption/When_using_encryption_with_custom_service.cs
+75
diff --git a/‎src/NServiceBus.AcceptanceTests/Encryption/When_using_encryption_with_multikey.cs
+110 b/‎src/NServiceBus.AcceptanceTests/Encryption/When_using_encryption_with_multikey.cs
+110
diff --git a/‎src/NServiceBus.AcceptanceTests/NServiceBus.AcceptanceTests.csproj
+2 b/‎src/NServiceBus.AcceptanceTests/NServiceBus.AcceptanceTests.csproj
+2
diff --git a/‎src/NServiceBus.Core.Tests/Encryption/ConfigureRijndaelEncryptionServiceTests.cs
+140 b/‎src/NServiceBus.Core.Tests/Encryption/ConfigureRijndaelEncryptionServiceTests.cs
+140
@@ -0,0 +1,75 @@
+namespace NServiceBus.AcceptanceTests.Encryption
+{
+    using System.Linq;
+    using NServiceBus.Encryption;
+    using System;
+    using EndpointTemplates;
+    using AcceptanceTesting;
+    using NUnit.Framework;
+    using ScenarioDescriptors;
+
+    public class When_using_encryption_with_custom_service : NServiceBusAcceptanceTest
+    {
+        [Test]
+        public void Should_receive_decrypted_message()
+        {
+            Scenario.Define<Context>()
+                    .WithEndpoint<Endpoint>(b => b.Given((bus, context) => bus.SendLocal(new MessageWithSecretData
+                        {
+                            Secret = "betcha can't guess my secret"
+                        })))
+                    .Done(c => c.Done)
+                    .Repeat(r => r.For<AllSerializers>())
+                    .Should(c => Assert.AreEqual("betcha can't guess my secret", c.Secret))
+                    .Run();
+        }
+
+        public class Context : ScenarioContext
+        {
+            public bool Done { get; set; }
+            public string Secret { get; set; }
+        }
+        
+        public class Endpoint : EndpointConfigurationBuilder
+        {
+            public Endpoint()
+            {
+                EndpointSetup<DefaultServer>(c => c.Configurer.RegisterSingleton<IEncryptionService>(new MyEncryptionService()));
+            }
+
+            public class Handler : IHandleMessages<MessageWithSecretData>
+            {
+                public Context Context { get; set; }
+
+                public void Handle(MessageWithSecretData message)
+                {
+                    Context.Secret = message.Secret.Value;
+                    Context.Done = true;
+                }
+            }
+        }
+
+        [Serializable]
+        public class MessageWithSecretData : IMessage
+        {
+            public WireEncryptedString Secret { get; set; }
+        }
+
+
+        public class MyEncryptionService : IEncryptionService
+        {
+            public EncryptedValue Encrypt(string value)
+            {
+                return new EncryptedValue
+                {
+                    EncryptedBase64Value = new string(value.Reverse().ToArray())
+                };
+            }
+
+            public string Decrypt(EncryptedValue encryptedValue)
+            {
+                return new string(encryptedValue.EncryptedBase64Value.Reverse().ToArray());
+            }
+        }
+    }
+}
@@ -0,0 +1,110 @@
+namespace NServiceBus.AcceptanceTests.Encryption
+{
+    using System;
+    using Config;
+    using Config.ConfigurationSource;
+    using EndpointTemplates;
+    using AcceptanceTesting;
+    using NUnit.Framework;
+    using ScenarioDescriptors;
+
+    public class When_using_encryption_with_multikey : NServiceBusAcceptanceTest
+    {
+        [Test]
+        public void Should_receive_decrypted_message()
+        {
+            Scenario.Define<Context>()
+                    .WithEndpoint<Sender>(b => b.Given((bus, context) => bus.Send(new MessageWithSecretData
+                        {
+                            Secret = "betcha can't guess my secret",
+                        })))
+                    .WithEndpoint<Receiver>()
+                    .Done(c => c.Done)
+                    .Repeat(r => r.For<AllSerializers>())
+                    .Should(c => Assert.AreEqual("betcha can't guess my secret", c.Secret))
+                    .Run();
+        }
+
+        public class Context : ScenarioContext
+        {
+            public bool Done { get; set; }
+
+            public string Secret { get; set; }
+        }
+
+        public class Sender : EndpointConfigurationBuilder
+        {
+            public Sender()
+            {
+                EndpointSetup<DefaultServer>(c => c.RijndaelEncryptionService())
+                    .AddMapping<MessageWithSecretData>(typeof(Receiver));
+            }
+
+            public class Handler : IHandleMessages<MessageWithSecretData>
+            {
+                public Context Context { get; set; }
+
+                public void Handle(MessageWithSecretData message)
+                {
+                    Context.Secret = message.Secret.Value;
+                    Context.Done = true;
+                }
+            }
+
+            public class ConfigureEncryption : IProvideConfiguration<RijndaelEncryptionServiceConfig>
+            {
+                public RijndaelEncryptionServiceConfig GetConfiguration()
+                {
+                    return new RijndaelEncryptionServiceConfig
+                    {
+                        Key = "gdDbqRpqdRbTs3mhdZh9qCaDaxJXl+e6"
+                    };
+                }
+            }
+        }
+
+        public class Receiver : EndpointConfigurationBuilder
+        {
+            public Receiver()
+            {
+                EndpointSetup<DefaultServer>(c => c.RijndaelEncryptionService());
+            }
+
+            public class Handler : IHandleMessages<MessageWithSecretData>
+            {
+                public Context Context { get; set; }
+
+                public void Handle(MessageWithSecretData message)
+                {
+                    Context.Secret = message.Secret.Value;
+                    Context.Done = true;
+                }
+            }
+
+            public class ConfigureEncryption : IProvideConfiguration<RijndaelEncryptionServiceConfig>
+            {
+                public RijndaelEncryptionServiceConfig GetConfiguration()
+                {
+                    return new RijndaelEncryptionServiceConfig
+                    {
+                        Key = "adDbqRpqdRbTs3mhdZh9qCaDaxJXl+e6",
+                        ExpiredKeys = new RijndaelExpiredKeyCollection
+                        {
+                            new RijndaelExpiredKey
+                            {
+                                Key = "gdDbqRpqdRbTs3mhdZh9qCaDaxJXl+e6"
+                            }
+                        }
+                    };
+                }
+            }
+        }
+
+        [Serializable]
+        public class MessageWithSecretData : IMessage
+        {
+            public WireEncryptedString Secret { get; set; }
+        }
+
+    }
+}
@@ -117,6 +117,8 @@
     <Compile Include="BusStartStop\When_bus_start_and_stops_with_a_pending_message.cs" />
     <Compile Include="Configuration\When_a_config_override_is_found.cs" />
     <Compile Include="Encryption\When_using_encryption.cs" />
+    <Compile Include="Encryption\When_using_encryption_with_custom_service.cs" />
+    <Compile Include="Encryption\When_using_encryption_with_multikey.cs" />
     <Compile Include="EndpointTemplates\BusExtensions.cs" />
     <Compile Include="Gateway\When_sending_a_message_via_the_gateway.cs" />
     <Compile Include="Gateway\When_doing_request_response_between_sites.cs" />
 
@@ -0,0 +1,140 @@
+namespace NServiceBus.Core.Tests.Encryption
+{
+    using System;
+    using System.Configuration;
+    using System.IO;
+    using System.Linq;
+    using NServiceBus.Config;
+    using NUnit.Framework;
+
+    [TestFixture]
+    public class ConfigureRijndaelEncryptionServiceTests
+    {
+
+        [Test]
+        public void Can_read_from_xml()
+        {
+            var xml =
+@"<?xml version='1.0' encoding='utf-8' standalone='yes'?>
+<configuration>
+    <configSections>
+        <section 
+            name='RijndaelEncryptionServiceConfig' 
+            type='NServiceBus.Config.RijndaelEncryptionServiceConfig, NServiceBus.Core'/>
+</configSections>
+<RijndaelEncryptionServiceConfig Key='key1'>
+  <ExpiredKeys>
+    <add Key='key2' />
+    <add Key='key3' />
+  </ExpiredKeys>
+</RijndaelEncryptionServiceConfig>
+</configuration>";
+
+            var section = ReadSectionFromText<RijndaelEncryptionServiceConfig>(xml);
+            var keys = section.ExpiredKeys.Cast<RijndaelExpiredKey>()
+                .Select(x=>x.Key)
+                .ToList();
+            Assert.AreEqual("key1", section.Key);
+            Assert.AreEqual(2,keys.Count);
+            Assert.Contains("key2",keys);
+            Assert.Contains("key3",keys);
+        }
+
+        static T ReadSectionFromText<T>(string s) where T: ConfigurationSection
+        {
+            var xml = s.Replace("'", "\"");
+            var tempPath = Path.GetTempFileName();
+            try
+            {
+                File.WriteAllText(tempPath, xml);
+
+                var fileMap = new ExeConfigurationFileMap
+                {
+                    ExeConfigFilename = tempPath
+                };
+
+                var configuration = ConfigurationManager.OpenMappedExeConfiguration(fileMap, ConfigurationUserLevel.None);
+                return (T) configuration.GetSection(typeof(T).Name);
+            }
+            finally
+            {
+                if (File.Exists(tempPath))
+                {
+                    File.Delete(tempPath);
+                }
+            }
+        }
+
+        [Test]
+        public void Should_throw_for_whitespace_keys_in_config()
+        {
+            var config = new RijndaelEncryptionServiceConfig
+            {
+                ExpiredKeys = new RijndaelExpiredKeyCollection
+                {
+                    new RijndaelExpiredKey
+                    {
+                        Key = " "
+                    }
+                }
+            };
+            var exception = Assert.Throws<Exception>(() => ConfigureRijndaelEncryptionService.ExtractExpiredKeysFromConfigSection(config));
+            Assert.AreEqual("The RijndaelEncryptionServiceConfig has a 'ExpiredKeys' property defined however some keys have no data.", exception.Message);
+        }
+
+        [Test]
+        public void Should_throw_for_null_keys_in_config()
+        {
+            var config = new RijndaelEncryptionServiceConfig
+            {
+                ExpiredKeys = new RijndaelExpiredKeyCollection
+                {
+                    new RijndaelExpiredKey()
+                }
+            };
+            var exception = Assert.Throws<Exception>(() => ConfigureRijndaelEncryptionService.ExtractExpiredKeysFromConfigSection(config));
+            Assert.AreEqual("The RijndaelEncryptionServiceConfig has a 'ExpiredKeys' property defined however some keys have no data.", exception.Message);
+        }
+
+        [Test]
+        public void Should_for_duplicate_between_key_and_keys_in_config()
+        {
+            var config = new RijndaelEncryptionServiceConfig
+            {
+                Key = "a",
+                ExpiredKeys = new RijndaelExpiredKeyCollection
+                {
+                    new RijndaelExpiredKey
+                    {
+                        Key = "a"
+                    }
+                }
+            };
+            var exception = Assert.Throws<Exception>(() => ConfigureRijndaelEncryptionService.ExtractExpiredKeysFromConfigSection(config));
+            Assert.AreEqual("The RijndaelEncryptionServiceConfig has a 'Key' that is also defined inside the 'ExpiredKeys'.", exception.Message);
+        }
+
+        [Test]
+        public void Duplicates_should_be_skipped()
+        {
+            var config = new RijndaelEncryptionServiceConfig
+            {
+                ExpiredKeys = new RijndaelExpiredKeyCollection
+                {
+                    new RijndaelExpiredKey
+                    {
+                        Key = "a"
+                    },
+                    new RijndaelExpiredKey
+                    {
+                        Key = "a"
+                    }
+                }
+            };
+            var keys = ConfigureRijndaelEncryptionService.ExtractExpiredKeysFromConfigSection(config);
+
+            Assert.That(new[]{"a"}, Is.EquivalentTo(keys));
+        }
+    }
+
+}