
I know that the CryptProtectData function encrypts data using the Windows user's password. I can decrypt it using the CryptUnprotectData function when I am logged in as the encrypting user. How is it possible to decrypt the data using only the password, without being logged in as that user?

user3557176

2 Answers


CryptProtectData uses an encryption algorithm which derives its key from environment variables such as the current machine ID and user credentials. This also implies that you need to be the encrypting user to decrypt in most cases.

There is a small caveat, however, where you can bypass the user credentials getting into the makeup of the key; but sadly the best you can do is encrypt something that can be decrypted by any user on the same machine.

As presented in the CryptProtectData documentation, you can set the dwFlags to "CRYPTPROTECT_LOCAL_MACHINE" (dwFlags being an enum, you can simply set it to a uint 0). Just be sure to also set dwFlags to uint(0) when you call CryptUnprotectData on your encrypted stuff and the two functions will be perfectly symmetric and work fine with each other. I have personally tried this and can attest that it works.

Yes, this whole needing-the-same-machine business gets really annoying, but it is by far the most secure way to encrypt something and be sure no other computer in the world can decrypt it.

chwarr
aznashwan
  • pssh, so all the program has to do is be run under the context of the user and it'll be able to decrypt the password for a given hash? – pythonian29033 Jul 15 '16 at 13:23
  • @pythonian29033, `CryptProtectData` can be provided optional [`pOptionalEntropy`](https://learn.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata#parameters) that will also be needed to decrypt. Thus, it would need to be the same user _and_ the same additional entropy to successfully decrypt the data. Additional entropy could be a password the user has to type. – chwarr May 28 '23 at 04:07
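The behaviour discussed in this answer and its comments (user scope, the CRYPTPROTECT_LOCAL_MACHINE machine scope, and the optional entropy parameter) can be exercised without writing C. The following is an added example, not code from the answer or from Microsoft; it calls DPAPI through the .NET `System.Security.Cryptography.ProtectedData` wrapper, whose `DataProtectionScope` enum maps onto the `dwFlags` choice, and whose second argument is the `pOptionalEntropy` the comment refers to. The sample plaintext and entropy values are constructed for the demonstration. It must be run on Windows.

```powershell
# Added example (not from the answer above): DPAPI via the .NET ProtectedData wrapper.
# Shows the three cases the answer and comments discuss:
#   1. CurrentUser scope  - only the same Windows user account can unprotect the blob
#   2. LocalMachine scope - any user on the same machine can unprotect it (CRYPTPROTECT_LOCAL_MACHINE)
#   3. optional entropy   - an extra secret (e.g. a password the user types) that is required
#                           in addition to the user/machine scope
# Requires Windows (DPAPI); run in Windows PowerShell 5.1 or PowerShell 7 on Windows.
Add-Type -AssemblyName System.Security

$plaintext = [Text.Encoding]::UTF8.GetBytes('constructed sample secret')    # constructed sample input
$entropy   = [Text.Encoding]::UTF8.GetBytes('constructed-extra-secret')     # stands in for a user-typed password

$userScope    = [Security.Cryptography.DataProtectionScope]::CurrentUser
$machineScope = [Security.Cryptography.DataProtectionScope]::LocalMachine

# 1. User-scoped blob: tied to the protecting user's credentials
$userBlob = [Security.Cryptography.ProtectedData]::Protect($plaintext, $null, $userScope)

# 2. Machine-scoped blob: equivalent to passing CRYPTPROTECT_LOCAL_MACHINE to CryptProtectData
$machineBlob = [Security.Cryptography.ProtectedData]::Protect($plaintext, $null, $machineScope)

# 3. Machine-scoped blob that additionally needs the entropy bytes to unprotect
$entropyBlob = [Security.Cryptography.ProtectedData]::Protect($plaintext, $entropy, $machineScope)

# Attempts to unprotect a blob and reports success or the DPAPI error instead of throwing
function Test-Unprotect {
    param(
        [byte[]]$Blob,
        [byte[]]$Entropy,
        [Security.Cryptography.DataProtectionScope]$Scope,
        [string]$Label
    )
    try {
        $out = [Security.Cryptography.ProtectedData]::Unprotect($Blob, $Entropy, $Scope)
        '{0}: OK -> {1}' -f $Label, [Text.Encoding]::UTF8.GetString($out)
    } catch {
        '{0}: FAILED ({1})' -f $Label, $_.Exception.GetBaseException().Message
    }
}

Test-Unprotect $userBlob    $null    $userScope    'user blob, same user'
Test-Unprotect $machineBlob $null    $machineScope 'machine blob (any user on this machine succeeds)'
Test-Unprotect $entropyBlob $null    $machineScope 'entropy blob without entropy'   # fails
Test-Unprotect $entropyBlob $entropy $machineScope 'entropy blob with entropy'      # succeeds
```

Running the machine-scoped cases from a second account on the same machine shows the point of the answer: the second and fourth calls still succeed there, whereas the user-scoped blob does not. The third call fails even for the original user, which is what the entropy parameter adds: the blob is still bound to the machine or user, but unprotecting it also requires the extra secret.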

If you need to protect something only with a password, consider using the CryptGenKey and CryptEncrypt functions instead (samples provided at the bottom of the page for both encrypting and decrypting a file).

CryptProtectData can use the CRYPTPROTECT_LOCAL_MACHINE flag, but that means any user can decrypt. Using CRYPTPROTECT_LOCAL_MACHINE basically does not protect anything at the user level; it simply makes the data protected at the machine level (and even so, a user with a roaming profile can decrypt as well).

chwarr
Cristian Amarie
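This answer's alternative, protection keyed only by a password so that any machine that knows the password can decrypt, is shown below as an added example that is not code from the answer. The answer names the CryptoAPI functions CryptGenKey and CryptEncrypt; this example uses the managed .NET equivalents instead (`Rfc2898DeriveBytes` for PBKDF2 key derivation, `Aes` for encryption, `HMACSHA256` for an integrity tag). The function names, the blob layout (salt, IV, ciphertext, tag) and the iteration count are choices made for the example, and the sample secret and password are constructed.

```powershell
# Added example (not from the answer above): password-only protection with no DPAPI dependency.
# Instead of CryptGenKey/CryptEncrypt it uses the managed .NET classes:
#   PBKDF2 (Rfc2898DeriveBytes) derives an AES key and an HMAC key from the password and a random salt,
#   AES-256-CBC encrypts, and HMAC-SHA256 over salt+IV+ciphertext detects tampering or a wrong password.
# Blob layout (assumed for this example): salt(16) | iv(16) | ciphertext | tag(32)
$Iterations = 200000   # PBKDF2 work factor chosen for the example

function Protect-WithPassword {
    param([byte[]]$Plaintext, [string]$Password)
    $salt = New-Object byte[] 16
    $iv   = New-Object byte[] 16
    $rng  = [Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($salt)
    $rng.GetBytes($iv)

    # One PBKDF2 stream, split into an encryption key and a separate MAC key
    $kdf    = [Security.Cryptography.Rfc2898DeriveBytes]::new($Password, $salt, $Iterations)
    $encKey = $kdf.GetBytes(32)
    $macKey = $kdf.GetBytes(32)

    $aes = [Security.Cryptography.Aes]::Create()
    $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'; $aes.Key = $encKey; $aes.IV = $iv
    $ct = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)

    # Tag covers salt, IV and ciphertext so none of them can be altered unnoticed
    $hmac = [Security.Cryptography.HMACSHA256]::new($macKey)
    $tag  = $hmac.ComputeHash([byte[]]($salt + $iv + $ct))
    ,([byte[]]($salt + $iv + $ct + $tag))   # leading comma returns the array as one object
}

function Unprotect-WithPassword {
    param([byte[]]$Blob, [string]$Password)
    # Minimum size: salt + IV + one padded AES block + tag
    if ($Blob.Length -lt 16 + 16 + 16 + 32) { throw 'blob too short' }
    $salt = [byte[]]$Blob[0..15]
    $iv   = [byte[]]$Blob[16..31]
    $ct   = [byte[]]$Blob[32..($Blob.Length - 33)]
    $tag  = [byte[]]$Blob[($Blob.Length - 32)..($Blob.Length - 1)]

    $kdf    = [Security.Cryptography.Rfc2898DeriveBytes]::new($Password, $salt, $Iterations)
    $encKey = $kdf.GetBytes(32)
    $macKey = $kdf.GetBytes(32)

    # Verify the tag before touching AES: a wrong password or a modified blob is rejected here.
    # Constant-time comparison so the check does not leak how many tag bytes matched.
    $hmac     = [Security.Cryptography.HMACSHA256]::new($macKey)
    $expected = $hmac.ComputeHash([byte[]]($salt + $iv + $ct))
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($expected[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw 'wrong password or tampered data' }

    $aes = [Security.Cryptography.Aes]::Create()
    $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'; $aes.Key = $encKey; $aes.IV = $iv
    $pt = $aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)
    ,$pt
}

# Usage with constructed sample values
$secret   = [Text.Encoding]::UTF8.GetBytes('constructed sample secret')
$password = 'constructed-example-password'

$blob = Protect-WithPassword $secret $password
[Text.Encoding]::UTF8.GetString([byte[]](Unprotect-WithPassword $blob $password))   # original text

try   { Unprotect-WithPassword $blob 'not-the-password' | Out-Null }
catch { "rejected: $($_.Exception.Message)" }                                       # wrong password

$tampered = [byte[]]$blob.Clone(); $tampered[40] = $tampered[40] -bxor 1            # flip a ciphertext bit
try   { Unprotect-WithPassword $tampered $password | Out-Null }
catch { "rejected: $($_.Exception.Message)" }                                       # tampering detected
```

Because the key comes only from the password and the salt stored in the blob, the same script decrypts the blob on any machine and under any account, which is the property the asker wanted and which DPAPI deliberately does not provide. The trade-off is that the protection is then only as strong as the password and the PBKDF2 work factor, so the iteration count should be as high as the application can tolerate.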