
In the documentation for the CryptProtectData function, Microsoft says to use CryptProtectData only with small buffers.

This call can be slow and a memory hog, and unreliable. Use only with small buffers.

CryptProtect/UnprotectData makes a call across RPC to the LSA where the actual encryption or decryption is done and RPC has upper limits on how much data can be passed. A general rule of thumb for encryption of large amounts of data is to protect the bulk with a symmetric key and then protect the symmetric key using CryptProtectData. Decryption is just a reversal and you’ll find better performance (avoid costly RPC operations) and are usually just as secure (dependent on symmetric algorithm used for the large block of data).

So what is this upper limit? Can I secure multiple passwords of 256 bytes each with it?
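The quoted community note recommends the hybrid pattern: encrypt the bulk data with a random symmetric key and pass only that key through DPAPI. The example below is added here to illustrate that pattern; it is not code from the question, from Microsoft's documentation, or from the .NET sources. It assumes Windows, .NET 6 or later (for RandomNumberGenerator.GetBytes), and, on .NET Core / .NET 5+, the System.Security.Cryptography.ProtectedData package. The entropy string and the sample payload of forty 256-byte passwords are constructed for the demonstration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example: hybrid DPAPI protection. The payload is encrypted with a
// random AES-256-GCM key and only the 32-byte key crosses the RPC boundary to
// the LSA via ProtectedData.Protect (the .NET wrapper over CryptProtectData),
// so the DPAPI buffer size is fixed no matter how large the payload grows.
public static class HybridDpapi
{
    // Optional entropy is an application-specific secret mixed into DPAPI.
    // Constructed placeholder value, not a real application secret.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy");

    // Blob layout: [int32 wrappedKeyLen][wrappedKey][12-byte nonce][16-byte tag][ciphertext]
    public static byte[] Protect(byte[] plaintext)
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);   // AES-256 key, never stored in the clear
        byte[] nonce = RandomNumberGenerator.GetBytes(12); // fresh per call; never reuse with the same key
        byte[] tag = new byte[16];
        byte[] ciphertext = new byte[plaintext.Length];

        using (var aes = new AesGcm(key))
        {
            aes.Encrypt(nonce, plaintext, ciphertext, tag);
        }

        // Only the small key is handed to DPAPI; the bulk never goes through RPC.
        byte[] wrappedKey = ProtectedData.Protect(key, Entropy, DataProtectionScope.CurrentUser);
        CryptographicOperations.ZeroMemory(key);

        using (var ms = new MemoryStream())
        using (var w = new BinaryWriter(ms))
        {
            w.Write(wrappedKey.Length);
            w.Write(wrappedKey);
            w.Write(nonce);
            w.Write(tag);
            w.Write(ciphertext);
            w.Flush();
            return ms.ToArray();
        }
    }

    public static byte[] Unprotect(byte[] blob)
    {
        using (var ms = new MemoryStream(blob))
        using (var r = new BinaryReader(ms))
        {
            int wrappedLen = r.ReadInt32();
            byte[] wrappedKey = r.ReadBytes(wrappedLen);
            byte[] nonce = r.ReadBytes(12);
            byte[] tag = r.ReadBytes(16);
            byte[] ciphertext = r.ReadBytes((int)(ms.Length - ms.Position));

            // Same user context and entropy are required, otherwise this throws.
            byte[] key = ProtectedData.Unprotect(wrappedKey, Entropy, DataProtectionScope.CurrentUser);
            byte[] plaintext = new byte[ciphertext.Length];
            try
            {
                using (var aes = new AesGcm(key))
                {
                    // Throws CryptographicException if ciphertext or tag was altered.
                    aes.Decrypt(nonce, ciphertext, tag, plaintext);
                }
            }
            finally
            {
                CryptographicOperations.ZeroMemory(key);
            }
            return plaintext;
        }
    }

    public static void Main()
    {
        // Constructed sample: forty 256-byte "passwords" concatenated (10 KiB).
        byte[] secrets = Encoding.UTF8.GetBytes(new string('p', 256 * 40));
        byte[] blob = Protect(secrets);
        byte[] back = Unprotect(blob);
        Console.WriteLine(CryptographicOperations.FixedTimeEquals(back, secrets)
            ? "round trip OK" : "MISMATCH");
    }
}
```

The wrapped key is the only DPAPI-protected element, so the blob can hold any number of 256-byte passwords without changing the size of the buffer passed to CryptProtectData. AES-GCM also authenticates the ciphertext, so tampering with the stored blob is detected at decryption time rather than yielding silently corrupted passwords.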

Mormegil
Mare Infinitus
  • That's not necessarily part of the documentation. That blurb is something added by a Social user. I don't see a way of knowing exactly what is "small" since it was one person's unknown definition of "small". But I would infer it means, "use with a paragraph sized string, not the entire newspaper". – TyCobb Oct 09 '14 at 22:07
  • ProtectedData as the DPAPI wrapper in C# does not make any assumptions about the size of data to protect in the more official version of the documentation. http://msdn.microsoft.com/en-US/en-en/library/system.security.cryptography.protecteddata%28v=vs.110%29.aspx – Mare Infinitus Oct 10 '14 at 05:44

0 Answers