
Is there a way to securely save sensitive data, such as an AES encryption key, in Windows? I'd like to make the data available only to my program. I know that DPAPI (CryptProtectData / CryptUnprotectData) protects my data from access by other users' processes, but it doesn't protect it from an unwanted program once that program is run by the same user.

I was hoping there's some API that automatically uses the calling process's image file information (such as the hash of the image file) to protect / unprotect the data, but I couldn't find such an API in MSDN.

Susumu Arai
  • Does "unwanted" mean that the user doesn't want that other program, or that you the software developer don't want it? – Ben Voigt May 22 '15 at 22:27

1 Answer


No, there's not. Data belongs to a user, not a program.

It makes a certain amount of sense for an OS to restrict privileges of a particular program at the request of the user (program can use only a subset of the user's total abilities), but it would break security for a program to have more privilege than the user running it.

Generally, for a user to perform operations not permitted by the user account, some service with greater privilege needs to perform the operation at the user's request. You could use this approach, for example, to use the decryption key on behalf of the user's program, and only decrypt a limited amount of data per day for that user. But you can't release the key to the user only if they use the program you've blessed -- even in a service/request model, the user can use any program of their choice to make the request.

And the service itself cannot hide data from a sufficiently privileged user (owner of the computer). If you require that, then the service and secret data need to be kept on a server under your control.

Ben Voigt
  • If the "unwanted program" is not designed specifically to target the OP's program, then an additional layer of encryption (using a fixed password hardcoded into the program) would work, sort of. The unwanted program could in principle search the OP's program's memory for the decrypted data. – Harry Johnston May 22 '15 at 22:48
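The following PowerShell script is an added example, not code from the question or the answer. It demonstrates the property the question and the answer describe: a DPAPI blob protected with CurrentUser scope is bound to the user (plus any optional entropy), not to the calling executable, so a second, unrelated process running as the same user unprotects it without difficulty. The file name, the sample key bytes and the entropy string are constructed for the demonstration; the entropy stands in for the "fixed password hardcoded into the program" from the comment above, and the script shows that it only raises the bar for a program that does not know it.

```powershell
# Added example (not from the original post): DPAPI is user-scoped, not program-scoped.
# Requires Windows; uses the .NET ProtectedData wrapper around CryptProtectData/CryptUnprotectData.
Add-Type -AssemblyName System.Security

# Constructed sample values; not a real key and not a real secret.
$secret  = [Text.Encoding]::UTF8.GetBytes('example-aes-key-material')
# Optional entropy. In a real program this would be a constant compiled into the binary,
# which is exactly why it does not bind the blob to that binary.
$entropy = [Text.Encoding]::UTF8.GetBytes('per-application-salt')

# Protect with CurrentUser scope: any process running as this user can call Unprotect.
$blob = [Security.Cryptography.ProtectedData]::Protect(
            $secret, $entropy,
            [Security.Cryptography.DataProtectionScope]::CurrentUser)

# Persist the blob the way an application would (hypothetical file name).
$path = Join-Path $env:LOCALAPPDATA 'dpapi-demo.bin'
[IO.File]::WriteAllBytes($path, $blob)

# A second, separate powershell.exe process standing in for "another program run by the
# same user". It knows only the file path and the entropy constant.
$childScript = @"
Add-Type -AssemblyName System.Security
`$blob    = [IO.File]::ReadAllBytes('$path')
`$entropy = [Text.Encoding]::UTF8.GetBytes('per-application-salt')
`$plain   = [Security.Cryptography.ProtectedData]::Unprotect(
               `$blob, `$entropy,
               [Security.Cryptography.DataProtectionScope]::CurrentUser)
[Text.Encoding]::UTF8.GetString(`$plain)
"@
$encoded   = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($childScript))
$recovered = powershell.exe -NoProfile -EncodedCommand $encoded
"Second process (same user) recovered: $recovered"

# The only thing DPAPI checks besides the user context is the entropy: with the wrong
# entropy (or under a different user account) Unprotect throws CryptographicException.
try {
    [Security.Cryptography.ProtectedData]::Unprotect(
        $blob,
        [Text.Encoding]::UTF8.GetBytes('wrong-entropy'),
        [Security.Cryptography.DataProtectionScope]::CurrentUser) | Out-Null
    "Unexpected: unprotect with wrong entropy succeeded"
} catch [Security.Cryptography.CryptographicException] {
    "Unprotect with wrong entropy failed as expected: $($_.Exception.Message)"
}

Remove-Item $path -ErrorAction SilentlyContinue
```

Run it in a Windows PowerShell session; the first output line shows the child process recovering the sample secret, the second shows the failure with mismatched entropy. What the script does not and cannot show is any setting that makes the blob depend on the caller's image, which is the point of the answer: to keep a key away from other code running as the same user, the key has to live somewhere that user context cannot reach, such as a service or server you control that performs the operation on the program's behalf.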