5

Using C# and .NET 4.5:

I am looking for a simple and efficient option to use the windows user and current machine to encrypt/decrypt a string.

The encrypted string can be decrypted on the very same machine with the same logged-in user only.

Other users logged-in to the same machine must not be able to decrypt. The same user logged into another machine must not be able to decrypt.

Back in 2002, I used to use DPAPI to do a similar thing. I expect there is a more modern option in 2016 with .NET 4.5 with a single line of API call :)

Update 1:

Based on @Jeroen Mostert response, I understand that DPAPI wrapper class ProtectedData is still relevant.

My question is which one of the following statements is correct in regards to DPAPI? I hope the correct answer is C since that is what I am looking for.

A - DPAPI only uses the current user identity as the encryption key

B - DPAPI only uses the current machine as the encryption key

C - DPAPI uses both the current user and the current machine as the encryption key (A and B)

Thank you,

Allan Xu
    Is there a reason why DPAPI doesn't work here? http://stackoverflow.com/questions/14149769/information-on-data-protection-api-dpapi – Wjdavis5 Apr 13 '16 at 15:30
  • 2
    [ProtectedData](https://msdn.microsoft.com/library/system.security.cryptography.protecteddata) is the managed wrapper around DPAPI (which is still quite alive). – Jeroen Mostert Apr 13 '16 at 15:32
  • If you want it only encrypted for file persistence, have a look at https://msdn.microsoft.com/en-us/library/system.io.file.encrypt(v=vs.110).aspx – nozzleman Apr 13 '16 at 16:00
  • Thank you @JeroenMostert . Would you be able to confirm the updated question? – Allan Xu Apr 13 '16 at 16:01
  • @nozzleman isn't that the NTFS encryption feature? That's not what the OP asked here – Panagiotis Kanavos Apr 13 '16 at 16:01
  • @AllanXu you define the scope (User or Machine) with the DataProtectionScope parameter. Isn't *user* enough? DPAPI doesn't use the user name as a key, it *derives* a key based on the user's account. Do you really want a user to only be able to decrypt the data on *one* machine? Even if it crashes? – Panagiotis Kanavos Apr 13 '16 at 16:06
  • @PanagiotisKanavos, I do need a user to only be able to decrypt the data on one machine. It makes perfect sense with my use-case. Do I have the option to make DPAPI use both (User AND Machine)? The only option that comes to my mind is to encrypt it two times, one with the user, then with the machine. But I hope there is a cleaner option. – Allan Xu Apr 13 '16 at 16:12
  • The flags are exclusive, but you *could* encrypt with User then encrypt the encrypted buffer with Machine. – Panagiotis Kanavos Apr 13 '16 at 16:16
  • @PanagiotisKanavos I don't know, I just wanted to point out this possibility ;) I know this isn't what OP asked for, that's why I stated it as a comment, not as an answer. – nozzleman Apr 14 '16 at 06:25

1 Answer

0

Based on comments, DPAPI is still a valid option.

If the requirement asks to limit the decryption right to a specific user on a specific machine, then we can encrypt the secrets in two steps. We can encrypt with User, then encrypt the encrypted buffer with Machine.

Allan Xu
  • Wrong. Something encrypted with User can only be decrypted on the same machine. The same user (i.e. Active Directory credentials) can't decrypt it by logging onto another machine. – Delphi.Boy Oct 16 '20 at 20:39
  • @Delphi.Boy, it has been 4 years since the question. I don't have cycles to go back and verify the answer. At the time of the question, I think I went through a few tests and based on everyone's feedback I thought this is the answer. – Allan Xu Oct 18 '20 at 02:35
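The two-layer scheme from the answer above (user scope first, then machine scope over the result), written out as an added example with the ProtectedData wrapper the comments mention; this is not code from the question or the answer, and the class name and the entropy string are placeholders I chose:

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: wrap a secret with DataProtectionScope.CurrentUser, then wrap
// that blob again with DataProtectionScope.LocalMachine. Needs a reference to
// System.Security.dll, where ProtectedData lives in .NET 4.5.
static class UserAndMachineProtector
{
    // Optional entropy mixed into both layers. Constructed placeholder value;
    // it is not itself a secret, it just binds blobs to this application.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy");

    public static byte[] Protect(string plaintext)
    {
        byte[] data = Encoding.UTF8.GetBytes(plaintext);
        // Layer 1: only this user's DPAPI master key can undo this.
        byte[] userLayer = ProtectedData.Protect(data, Entropy, DataProtectionScope.CurrentUser);
        // Layer 2: only this machine's DPAPI master key can undo this.
        return ProtectedData.Protect(userLayer, Entropy, DataProtectionScope.LocalMachine);
    }

    public static string Unprotect(byte[] blob)
    {
        // Unwrap in reverse order: machine layer first, then user layer.
        byte[] userLayer = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.LocalMachine);
        byte[] data = ProtectedData.Unprotect(userLayer, Entropy, DataProtectionScope.CurrentUser);
        return Encoding.UTF8.GetString(data);
    }

    static void Main()
    {
        byte[] blob = Protect("connection string or API token");
        Console.WriteLine(Convert.ToBase64String(blob));
        try
        {
            Console.WriteLine(Unprotect(blob));
        }
        catch (CryptographicException ex)
        {
            // Raised when the blob is opened by a different user or on a different machine.
            Console.WriteLine("Cannot decrypt here: " + ex.Message);
        }
    }
}
```

Any account on the machine can remove the LocalMachine layer, so it is the CurrentUser layer that keeps other local users out, and the LocalMachine layer that stops the same account decrypting elsewhere. The decrypting process must run in the same user context that called Protect, which is worth checking when the code is hosted in a service.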