0

I am employing DPAPI to encrypt my asp.net config file. From my brief reading of DPAPI, I know that it uses Windows Password as the key to do the encryption. The questions, whose windows password?

If I have a asp.net web app, and I hook the config file encryption in application_start event, will it use my application pool identity (Network Service) password?

If I have a desktop console app, and I have a Windows Scheduler to run this app regularly, whose password will DPAPI use to encrypt/decrypt the config file?

Cœur
  • 37,241
  • 25
  • 195
  • 267
Haoest
  • 13,610
  • 29
  • 89
  • 105

1 Answers1

1

DPAPI accepts three parameters when you encrypt or decrypt...

  1. The Data (byte array)
  2. Optional Entropy (byte array) i.e. the salt
  3. The 'scope' (System.Security.Cryptography.DataProtectionScope.CurrentUser or System.Security.Cryptography.DataProtectionScope.LocalMachine)

As the 'entropy' is specifically named 'optional', if it is not provided then ONLY the User Credentials or the Machine credentials are used to encrypt, meaning it would not be able to encrypt running under a different user or on a different machine, whichever 'scope' you've used.

I call the optional entropy 'salt' as it is a commonly use term in cryptography for a 'secondary' passphrase that it mixes with the user or machine credentials to then require a passphrase AND specific user or machine credentials

Short answer : The 'password' used is derived from the User Credentials or the Machine credentials

Ninjanoel
  • 2,864
  • 4
  • 33
  • 53