Data Protection API: Difference between revisions

add ___domain backup keys infos
repaired link(s) to disambiguation pages (you can help)
Line 1:
'''Data Protection Application Programming Interface''' ('''DPAPI''') is a simple [[cryptography|cryptographic]] [[application programming interface]] available as a built-in component in [[Windows 2000]] and later versions of [[Microsoft Windows]] [[operating system]]s. In theory, the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy. A detailed analysis of DPAPI's inner workings was published in 2011 by [[Elie Bursztein|Bursztein]] et al.<ref>{{cite conference|last=Bursztein|first=Elie|last2=Picod|first2=Jean Michel|date=2010|title=Recovering Windows secrets and EFS certificates offline|book-title=WoOT 2010|publisher=Usenix|url=https://elie.net/publication/recovering-windows-secrets-and-efs-certificates-offline/}}</ref>
 
For nearly all [[cryptosystem]]s, one of the most difficult challenges is "[[key management]]"{{snd}} in part, how to securely store the decryption key. If the key is stored in ''[[plain text]]'', then any user that can access the key can access the encrypted data. If the key is to be encrypted, another key is needed, and so on. DPAPI allows developers to encrypt keys using a symmetric key derived from the user's logon secrets, or in the case of system encryption, using the system's ___domain authentication secrets.
Line 15:
When a computer is a member of a ___domain, DPAPI has a backup mechanism that allows data to be deprotected if the user's password is lost; this mechanism is named "Credential Roaming".
When a new ___domain is installed on a ___domain controller, a public and private key pair associated with DPAPI is generated.
When a master key is generated on a client workstation, the client makes an authenticated [[Remote procedure call|RPC]] call to a ___domain controller to retrieve a copy of the ___domain's public key. The client encrypts the master key with the ___domain controller's public key and stores this backup copy of the master key in its AppData directory, in the same place as the traditional master key.
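The following PowerShell session is an added example, not part of the Wikipedia article, illustrating the two points made above: that a DPAPI blob is bound to the user's logon secret (or the machine's secret) through the protection scope, and that the master keys which wrap those blobs, including the ___domain backup copy, are stored under the user's AppData directory. It uses the .NET <code>ProtectedData</code> wrapper over <code>CryptProtectData</code>/<code>CryptUnprotectData</code>; the secret and entropy values are constructed for the example, and the AppData path is the standard <code>%APPDATA%\Microsoft\Protect\&lt;SID&gt;</code> ___location rather than anything stated on this page.

```powershell
# Added example (not from the article): round-trip a secret through DPAPI and
# show how the protection scope ties the result to the user or machine secret.
Add-Type -AssemblyName System.Security

# Constructed sample secret and optional extra entropy. The entropy is a caller
# supplied value that must be presented again at unprotect time; it adds to,
# and does not replace, the user or system secret DPAPI derives its key from.
$secret  = [System.Text.Encoding]::UTF8.GetBytes('constructed-sample-secret')
$entropy = [System.Text.Encoding]::UTF8.GetBytes('constructed-per-app-entropy')

# CurrentUser scope: only the same user account on this machine can unprotect,
# because the wrapping master key is derived from that user's logon secret.
$userBlob = [System.Security.Cryptography.ProtectedData]::Protect(
    $secret, $entropy,
    [System.Security.Cryptography.DataProtectionScope]::CurrentUser)

# LocalMachine scope: any process on this machine can unprotect, because the
# wrapping master key is derived from the system secret instead.
$machineBlob = [System.Security.Cryptography.ProtectedData]::Protect(
    $secret, $entropy,
    [System.Security.Cryptography.DataProtectionScope]::LocalMachine)

# Unprotect the user blob with the matching scope and entropy.
$plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
    $userBlob, $entropy,
    [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
[System.Text.Encoding]::UTF8.GetString($plain)

# Presenting the wrong entropy makes unprotect fail, showing that the entropy
# is part of the key material and not merely a label on the blob.
try {
    [void][System.Security.Cryptography.ProtectedData]::Unprotect(
        $userBlob, [byte[]](1, 2, 3),
        [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
} catch {
    "Unprotect with wrong entropy failed as expected: $($_.Exception.Message)"
}

# The per-user master key files that wrap these blobs live under the user's
# profile; on a ___domain-joined client the ___domain-backup copy described in the
# article is stored in the same directory. The files are hidden, hence -Force.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
Get-ChildItem -Force -Path (Join-Path $env:APPDATA "Microsoft\Protect\$sid") |
    Select-Object Name, Length, LastWriteTime
```

Running the same <code>Unprotect</code> call on <code>$userBlob</code> from a different user account on the same machine fails, whereas <code>$machineBlob</code> unprotects from any account on that machine; that difference is the practical meaning of "using a user or system secret as a significant contribution of entropy" in the article's lead.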
 
==Use of DPAPI by Microsoft software==