Data Protection API: Difference between revisions

m top: punct., wiki
m Security properties: punct., style
 
==Security properties==
DPAPI doesn't store any persistent data for itself; instead, it simply receives [[plaintext]] and returns [[ciphertext]] (or conversely).
 
DPAPI security relies upon the Windows operating system's ability to protect the master key and [[RSA (algorithm)|RSA]] private keys from compromise, which in most attack scenarios depends chiefly on the security of the end user's credentials. The main encryption/decryption key is derived from the user's password by the [[PBKDF2]] function.<ref>{{cite web|title=Windows Password Recovery - DPAPI Master Key analysis|url=http://www.passcape.com/windows_password_recovery_dpapi_master_key|website=Passcape.com|access-date=2013-05-06}}</ref> Particular data [[binary large object]]s can be encrypted in a way that a [[Salt (cryptography)|salt]] is added and/or an external user-prompted password (aka "Strong Key Protection") is required. The use of a salt is a per-implementation option{{snd}} i.e. under the control of the application developer{{snd}} and is not controllable by the end user or system administrator.
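The key hierarchy described above (a master key derived from the user's password with PBKDF2, and per-blob keys that can additionally be bound to an application-supplied salt) can be modelled in a few lines. The following is an added illustration, not Windows code and not DPAPI's real on-disk format: the iteration count, the HMAC-SHA256 keystream used as a stand-in for the real cipher, and the blob layout are all assumptions chosen so the example runs with the Python standard library. What it shows is the security consequence stated in the text: anyone who knows the password recovers the master key and every blob, and a blob protected with extra entropy cannot be opened without that entropy even by the correct user.

```python
import hashlib
import hmac
import os
import struct

# Assumed iteration count for the model; Windows uses its own parameters.
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16
TAG_LEN = 32


def derive_master_key(password: str, user_salt: bytes,
                      iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Model of the master key: PBKDF2 over the user's password.
    Whoever knows the password (and the stored salt) can recompute this."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-16-le"),
                               user_salt, iterations, dklen=32)


def _blob_key(master_key: bytes, blob_salt: bytes, entropy: bytes) -> bytes:
    """Per-blob key bound to a random salt and to optional application entropy
    (the 'salt' option the text says is under the developer's control)."""
    return hmac.new(master_key, b"blob-key|" + blob_salt + b"|" + entropy,
                    hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher built from HMAC in counter mode (model only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(master_key: bytes, plaintext: bytes, entropy: bytes = b"") -> bytes:
    """Encrypt-then-MAC a blob under a key derived from the master key.
    Layout (assumed): blob_salt || tag || ciphertext."""
    blob_salt = os.urandom(SALT_LEN)
    key = _blob_key(master_key, blob_salt, entropy)
    ks = _keystream(key, blob_salt, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, blob_salt + ciphertext, hashlib.sha256).digest()
    return blob_salt + tag + ciphertext


def unprotect(master_key: bytes, blob: bytes, entropy: bytes = b"") -> bytes:
    """Verify the tag, then decrypt. A wrong password (wrong master key),
    wrong entropy, or a tampered blob all fail at the tag check."""
    blob_salt = blob[:SALT_LEN]
    tag = blob[SALT_LEN:SALT_LEN + TAG_LEN]
    ciphertext = blob[SALT_LEN + TAG_LEN:]
    key = _blob_key(master_key, blob_salt, entropy)
    expected = hmac.new(key, blob_salt + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("unprotect failed: wrong key, wrong entropy, or tampered blob")
    ks = _keystream(key, blob_salt, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def _fails(fn) -> bool:
    try:
        fn()
        return False
    except ValueError:
        return True


def run_demo() -> dict:
    """Constructed scenario: one user, one secret, optional app entropy."""
    user_salt = b"constructed-user-salt"          # would be stored with the key
    mk = derive_master_key("correct horse", user_salt)
    secret = b"database connection string"

    plain_blob = protect(mk, secret)               # no developer-supplied salt
    entropy_blob = protect(mk, secret, b"app-entropy")

    # Same password recomputes the same master key: password compromise
    # is master-key compromise, which is the point the text makes.
    mk_again = derive_master_key("correct horse", user_salt)
    mk_wrong = derive_master_key("wrong password", user_salt)

    return {
        "roundtrip": unprotect(mk_again, plain_blob) == secret,
        "wrong_password_fails": _fails(lambda: unprotect(mk_wrong, plain_blob)),
        "entropy_roundtrip": unprotect(mk, entropy_blob, b"app-entropy") == secret,
        "missing_entropy_fails": _fails(lambda: unprotect(mk, entropy_blob)),
        "tamper_fails": _fails(lambda: unprotect(mk, plain_blob[:-1] + b"\x00")),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The design choice worth noting is that the blob salt and application entropy feed the per-blob key, not the master key: the master key stays a function of the password alone, which is exactly why the text treats the user's credentials as the weakest link.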
 
Delegated access can be given to keys through the use of a [[COM+]] object. This enables [[Internet Information Services|IIS]] [[web servers]] to use DPAPI.