Data protection with DPAPI from managed code has had to be done with unmanaged C++ or by writing some wrapper code, as many of us have done. In VS2005 it is available through a few simple static methods, "ProtectedData::Protect" and "ProtectedData::Unprotect", located in the "System::Security::Cryptography" namespace. I have taken some time to define a class I called "Secret" that hides many of the implementation details, with the intention of making those methods as simple to work with as possible. For example:
```cpp
int main(array<System::String ^> ^args)
{
    String ^s = L"this is a sample and a long one it is";
    ::Security::ISecret ^a =   // the initializer is cut off in the original listing
    String ^entropy = L"test", ^fpath = L"c:/temp/test.dat";
    // (the remainder of the listing is not in the original)
}
```
You will soon find that keeping secrets with the "Secret" class can be a bit more complex if you want to influence the "Scope" of your secret. For that reason I also abstracted out the DPAPI enumerators and provided a single enumerator class as follows:
```cpp
public enum class ProtectionScope
{
    // in-memory protection (ProtectedMemory)
    ProtectMemoryCrossProcess = 1,
    ProtectMemorySameLogon    = 2,
    ProtectMemorySameProcess  = 3,
    // persisted data protection (ProtectedData)
    ProtectDataCurrentUser    = 10,
    ProtectDataLocalMachine   = 11,
};
```
To change the scope, just do the following:

```cpp
a->Scope = ProtectionScope::ProtectMemoryCrossProcess;
```
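To show what the "Secret" class is wrapping, here is an added C++/CLI console program that calls ProtectedData and ProtectedMemory directly, with a persisted, entropy-bound secret and an in-memory one. It is example code written for this article, not the author's Secret class; it assumes a VS2005 (or later) CLR console project compiled with /clr, the sample path and entropy string from the listing above, and that the program runs as the same Windows user that protected the file.

```cpp
// Added example, not part of the original article or its Secret class.
// Assumes a /clr console project; stdafx.h is the project's precompiled header.
#include "stdafx.h"
#using <System.Security.dll>          // ProtectedData / ProtectedMemory live here

using namespace System;
using namespace System::IO;
using namespace System::Text;
using namespace System::Security::Cryptography;

// Protect a string with optional entropy and persist the DPAPI blob to disk.
// With DataProtectionScope::CurrentUser the blob is bound to the current
// Windows account; LocalMachine binds it to the machine (any local account).
static void ProtectToFile(String ^secret, String ^entropy, String ^path,
                          DataProtectionScope scope)
{
    array<Byte> ^plain = Encoding::UTF8->GetBytes(secret);
    array<Byte> ^salt  = (entropy == nullptr) ? nullptr : Encoding::UTF8->GetBytes(entropy);
    array<Byte> ^blob  = ProtectedData::Protect(plain, salt, scope);
    Array::Clear(plain, 0, plain->Length);   // do not leave plaintext in the heap
    File::WriteAllBytes(path, blob);
}

// Read a DPAPI blob back and decrypt it. Returns nullptr when DPAPI refuses,
// which is what happens with the wrong entropy, the wrong user or a blob
// copied from another machine.
static String ^UnprotectFromFile(String ^entropy, String ^path,
                                 DataProtectionScope scope)
{
    array<Byte> ^blob = File::ReadAllBytes(path);
    array<Byte> ^salt = (entropy == nullptr) ? nullptr : Encoding::UTF8->GetBytes(entropy);
    try
    {
        array<Byte> ^plain = ProtectedData::Unprotect(blob, salt, scope);
        String ^result = Encoding::UTF8->GetString(plain);
        Array::Clear(plain, 0, plain->Length);
        return result;
    }
    catch (CryptographicException ^)
    {
        return nullptr;
    }
}

// ProtectedMemory encrypts a buffer in place and requires its length to be a
// multiple of 16 bytes, so copy the data into a padded buffer first.
static array<Byte> ^ToPaddedBuffer(String ^s)
{
    array<Byte> ^raw = Encoding::UTF8->GetBytes(s);
    int padded = (raw->Length + 15) / 16 * 16;
    array<Byte> ^buf = gcnew array<Byte>(padded);
    Array::Copy(raw, buf, raw->Length);
    return buf;
}

int main(array<String ^> ^args)
{
    String ^fpath = L"c:/temp/test.dat";   // sample path from the article
    ProtectToFile(L"this is a sample and a long one it is", L"test", fpath,
                  DataProtectionScope::CurrentUser);

    // Correct entropy round-trips; wrong entropy fails inside DPAPI.
    Console::WriteLine(UnprotectFromFile(L"test", fpath, DataProtectionScope::CurrentUser));
    String ^bad = UnprotectFromFile(L"wrong", fpath, DataProtectionScope::CurrentUser);
    Console::WriteLine(bad == nullptr ? L"wrong entropy: Unprotect failed as expected"
                                      : L"unexpected success");

    // In-memory protection: while protected, the bytes are unreadable, and
    // SameProcess scope means only this process can reverse it.
    String ^token = L"session token";
    int tokenLen = Encoding::UTF8->GetByteCount(token);
    array<Byte> ^buf = ToPaddedBuffer(token);
    ProtectedMemory::Protect(buf, MemoryProtectionScope::SameProcess);
    // ... buf can now be held in memory without exposing the token ...
    ProtectedMemory::Unprotect(buf, MemoryProtectionScope::SameProcess);
    Console::WriteLine(Encoding::UTF8->GetString(buf, 0, tokenLen));
    Array::Clear(buf, 0, buf->Length);
    return 0;
}
```

Two things worth noticing when mapping this onto the ProtectionScope enumerator above: the ProtectMemory* values translate to MemoryProtectionScope and only ever apply to a buffer that lives in memory, while the ProtectData* values translate to DataProtectionScope and are the ones that matter for anything written to disk; and the entropy is not a second key that protects the blob on its own, it only has to be supplied again (by the same user or machine, depending on scope) for Unprotect to succeed.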
I encourage the reader to look up the DPAPI MSDN articles and use it to keep data secure in their applications. Search for DPAPI and "ProtectedMemory" to get to those articles.

I'd also like anyone interested in the "Secret" class to use it, and if improvements are made, keep me posted on those. Also, if there are any recommendations (the good and the bad), send me those as well.