Data Protection API
Key Encryption in Windows 2000 and up
DPAPI stands for Data Protection Application Programming Interface. It is a (relatively) simple API available as standard in Microsoft Windows 2000 and up.
For almost all types of encryption, you need a key. A key is a string of characters or bytes that is used to encrypt or decrypt the data. However, when developing secure systems, the question "how do I store the encryption key?" often arises. If you store it in plain text, then anyone who can access the key can access the encrypted data. If you want to encrypt it, you need a further key, which will also need encrypting, and so on ad infinitum. DPAPI allows the developer to encrypt keys based on a user's profile.
The actual keys are stored under "Application Data\Microsoft\Protect\{SID}", where {SID} is the security identifier of that user. A new key appears to be generated if the existing key hasn't been used for encryption for a while. The keys are used in conjunction with the username, and can only be used by the user the key is stored under.
Delegated access can be given to keys through the use of a COM+ object. This enables IIS web servers to use the API easily. See [1]
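The key-storage problem above, worked through in PowerShell as an added example (not code from the original article): an application key is protected with DPAPI in the current user's scope, written to disk as an opaque blob, and recovered only by the same user. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the file name and entropy string are placeholders chosen for the demonstration.

```powershell
# Added example (not from the original article): protecting an application key
# with DPAPI from PowerShell, via the .NET wrapper around CryptProtectData.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the file name and
# entropy string are placeholders chosen for this demonstration.
Add-Type -AssemblyName System.Security

# CurrentUser binds the blob to this user's DPAPI master key (kept under
# Application Data\Microsoft\Protect\{SID}); LocalMachine would bind it to
# the machine key instead, letting any local account decrypt it.
$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

# Optional entropy: an extra secret mixed into the protection. It does not
# replace the master key, but other code running as the same user must also
# know it to unprotect the blob.
$entropy = [System.Text.Encoding]::UTF8.GetBytes("example-app-v1")

function Protect-AppKey {
    param([Parameter(Mandatory)][byte[]]$KeyBytes,
          [Parameter(Mandatory)][string]$Path)
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        $KeyBytes, $entropy, $scope)
    # Only the protected blob ever touches disk.
    [System.IO.File]::WriteAllBytes($Path, $blob)
}

function Unprotect-AppKey {
    param([Parameter(Mandatory)][string]$Path)
    $blob = [System.IO.File]::ReadAllBytes($Path)
    # Throws CryptographicException when run as a different user or with the
    # wrong entropy; treat that as "key unavailable", not as a corrupt file.
    return [System.Security.Cryptography.ProtectedData]::Unprotect(
        $blob, $entropy, $scope)
}

# Fresh 32-byte key from the OS CSPRNG for the demonstration.
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
$path = Join-Path $env:LOCALAPPDATA "example-app.key.dpapi"

Protect-AppKey -KeyBytes $key -Path $path
$recovered = [byte[]](Unprotect-AppKey -Path $path)

if ([Convert]::ToBase64String($key) -eq [Convert]::ToBase64String($recovered)) {
    "Key round-tripped through DPAPI for $env:USERNAME"
} else {
    throw "DPAPI round-trip failed"
}
```

Running the same script as a second account against the saved file fails in Unprotect-AppKey, which is the property the article describes: the blob is usable only by the user whose master key protected it.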