
Keeping Secrets with Data Protection API (DPAPI) in .NET

5 Oct 2005
A full-blown sample of keeping data secret in memory or in a file.

Introduction

Until now, using DPAPI from managed code has meant writing unmanaged C++ code or a hand-written wrapper, as many of us have done. In VS2005, Data Protection is available through some simple-to-use static methods: "ProtectedMemory::Protect", "ProtectedMemory::Unprotect", "ProtectedData::Protect", and "ProtectedData::Unprotect", located in the "System::Security::Cryptography" namespace. I have taken some time to define a class I call "Secret" that hides many of the implementation details, with the intention of making these methods as simple to work with as possible. For example:

using namespace System;

int main(array<System::String ^> ^args)
{
    // secret info to protect
    String ^s = L"this is a sample and a long one it is";

    // get the secret instance through its interface
    ::Security::ISecret ^a =
       (::Security::ISecret^)(gcnew ::Security::Secret());

    // keep your secret in memory: protect it, then unprotect it for use
    a->ProtectMemory(s) ;
    a->UnprotectMemory();
    System::Console::WriteLine(a->ToString());

    // some user given / known data (entropy) to salt the secret, and the
    // target file to store the secret into
    String ^entropy=L"test", ^fpath=L"c:/temp/test.dat" ;

    // keep your secret in a file; the same entropy is needed to unprotect it
    a->ProtectDataToFile(s,entropy,fpath) ;
    a->UnprotectDataFromFile(entropy,fpath) ;
    System::Console::WriteLine(a->ToString());

    return 0;
}

You will soon find that keeping secrets with the "Secret" class becomes a bit more involved once you want to control the "Scope" of your secret. For that reason I also abstracted away the two DPAPI scope enumerations and provided a single enumeration class, as follows:

public enum class ProtectionScope
{
   ...

   // memory protection

   ProtectMemoryCrossProcess = 1,
   ProtectMemorySameLogon    = 2,
   ProtectMemorySameProcess  = 3,

   // data protection

   ProtectDataCurrentUser  = 10,
   ProtectDataLocalMachine = 11,

   ...
};

To change the scope just do the following:

a->Scope = ProtectionScope::ProtectMemoryCrossProcess ;
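As an added example (not the article's Secret class or its download), here is what such a wrapper has to do underneath with the .NET 2.0 APIs directly, in C++/CLI: ProtectedMemory::Protect encrypts a buffer in place and requires its length to be a multiple of 16 bytes, so the plaintext is length-prefixed and padded first; ProtectedData::Protect takes the entropy and a DataProtectionScope and returns a blob that can be written to a file and must be unprotected with the same entropy and scope. The function names are mine, and the project must reference System.Security.dll.

```cppcli
// Added example of the raw DPAPI calls; not the article's Secret class.
using namespace System;
using namespace System::IO;
using namespace System::Text;
using namespace System::Security::Cryptography;

// ProtectedMemory::Protect needs a buffer length that is a multiple of 16 bytes,
// so the UTF-8 plaintext is stored behind a 4-byte length prefix and padded.
array<Byte>^ ProtectInMemory(String^ secret, MemoryProtectionScope scope)
{
    array<Byte>^ raw = Encoding::UTF8->GetBytes(secret);
    int padded = ((raw->Length + 4 + 15) / 16) * 16;
    array<Byte>^ buf = gcnew array<Byte>(padded);
    Array::Copy(BitConverter::GetBytes(raw->Length), buf, 4);
    Array::Copy(raw, 0, buf, 4, raw->Length);
    ProtectedMemory::Protect(buf, scope);    // encrypted in place
    return buf;
}

String^ UnprotectFromMemory(array<Byte>^ buf, MemoryProtectionScope scope)
{
    ProtectedMemory::Unprotect(buf, scope);  // same scope as Protect
    int len = BitConverter::ToInt32(buf, 0);
    String^ s = Encoding::UTF8->GetString(buf, 4, len);
    Array::Clear(buf, 0, buf->Length);       // do not leave plaintext in the buffer
    return s;
}

// ProtectedData has no length constraint; entropy and scope must match on unprotect.
void ProtectToFile(String^ secret, String^ entropy, String^ path, DataProtectionScope scope)
{
    array<Byte>^ blob = ProtectedData::Protect(Encoding::UTF8->GetBytes(secret),
                                               Encoding::UTF8->GetBytes(entropy), scope);
    File::WriteAllBytes(path, blob);
}

String^ UnprotectFromFile(String^ entropy, String^ path, DataProtectionScope scope)
{
    array<Byte>^ plain = ProtectedData::Unprotect(File::ReadAllBytes(path),
                                                  Encoding::UTF8->GetBytes(entropy), scope);
    return Encoding::UTF8->GetString(plain);
}

int main(array<String^>^ args)
{
    String^ s = L"this is a sample and a long one it is";   // constructed sample secret
    array<Byte>^ m = ProtectInMemory(s, MemoryProtectionScope::SameProcess);
    Console::WriteLine(UnprotectFromMemory(m, MemoryProtectionScope::SameProcess));
    ProtectToFile(s, L"test", L"c:/temp/test.dat", DataProtectionScope::CurrentUser);
    Console::WriteLine(UnprotectFromFile(L"test", L"c:/temp/test.dat", DataProtectionScope::CurrentUser));
    return 0;
}
```

Note that a CurrentUser blob written by one process can be read by any other process running under the same user account, while a SameProcess memory buffer cannot leave the process that protected it.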

I encourage the reader to look up the DPAPI articles on MSDN and use DPAPI to keep data secure in their applications. Search for DPAPI and "ProtectedMemory" to get to those articles.

I'd also like anyone interested in the "Secret" class to use it and, if you make improvements, to keep me posted on them. Also send me any recommendations (the good and the bad).

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

Written By
Web Developer, Puerto Rico
C/C++ programmer since 1984.

Comments and Discussions

Question: Problem in Scope?
matrixprogrammer, 5-Sep-07 17:14

Hi, I've used your Secret class and I'm loving it. I have a problem though, when I call my console program say, "encrypt.exe" from another application using "CreateProcess()" API, I am not able to decrypt the file I encrypted with "encrypt.exe". Do I have to set the Scope property for this to work? Or is it not supported? Please advise. Thank you.


Feed your mind...

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.