How can I use both LocalMachine and CurrentUser at the same time in Data Protection API Scope? I would like to enhance the security.
How does using both "enhance" the security? Pick one based on your use case and trust that it is secure. One of the reasons the API is so simple is to make it easy to use and hard to screw up. – John Koerner Feb 26 '16 at 03:12
1 Answer
You cannot. They have different purposes. With LocalMachine protection all secrets are protected (eventually) by the 20 byte LSA-secret DPAPI_SYSTEM which is the same for all users on a given machine. So anyone on the machine can decrypt the blob of data, while logged in.
With CurrentUser, only the current user (or admins in a Windows domain that the machine belongs to), when logged in, can decrypt the data, because the secret is protected by a hash value of his login password.
So adding LocalMachine only decreases the security in that more people (potentially) have access to it. And the current setup of the crypto in the system (which is hidden from the programmer) doesn't allow for it at all.
The only way I could use both is to use the DPAPI twice: use LocalMachine to protect the secret to some blob B, and then protect that new blob with the CurrentUser flag to a new final blob. (The other order is also possible.) But it enhances nothing: the same user can still access it, it only takes twice as long now.

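The double wrapping the answer describes, written out against the .NET ProtectedData API as an added example (it is not code from the question or the answer). It assumes Windows and, on .NET Core / .NET 5+, the System.Security.Cryptography.ProtectedData package (on .NET Framework the type lives in System.Security.dll); the entropy value is a constructed placeholder.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: wraps a secret with DPAPI twice, LocalMachine first and then
// CurrentUser on top, as the answer describes, and shows the round trip.
static class DoubleDpapi
{
    // Optional entropy (constructed placeholder). A real application would use a
    // per-application value so that other code running as the same user cannot
    // unprotect the blob with an empty entropy argument.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy");

    // Inner layer: LocalMachine scope (blob B in the answer's terms).
    // Outer layer: CurrentUser scope on top of blob B.
    public static byte[] Protect(byte[] plaintext)
    {
        byte[] blobB = ProtectedData.Protect(plaintext, Entropy, DataProtectionScope.LocalMachine);
        return ProtectedData.Protect(blobB, Entropy, DataProtectionScope.CurrentUser);
    }

    // Unwrap in reverse order. The CurrentUser layer already restricts the
    // caller to the same user on the same machine, so the LocalMachine layer
    // underneath it adds no further restriction, only a second unprotect call.
    public static byte[] Unprotect(byte[] finalBlob)
    {
        byte[] blobB = ProtectedData.Unprotect(finalBlob, Entropy, DataProtectionScope.CurrentUser);
        return ProtectedData.Unprotect(blobB, Entropy, DataProtectionScope.LocalMachine);
    }

    static void Main()
    {
        // Constructed sample secret.
        byte[] secret = Encoding.UTF8.GetBytes("constructed sample secret");

        byte[] wrapped = Protect(secret);
        byte[] roundTrip = Unprotect(wrapped);

        bool ok = Encoding.UTF8.GetString(roundTrip) == "constructed sample secret";
        Console.WriteLine(ok ? "round trip OK" : "round trip FAILED");
        Console.WriteLine($"plaintext {secret.Length} bytes -> nested blob {wrapped.Length} bytes");
    }
}
```

Running this as the user who protected the data prints "round trip OK"; running Unprotect under a different account on the same machine fails at the CurrentUser layer with a CryptographicException, exactly as a single CurrentUser-scoped call would. That is the answer's point in code: the inner LocalMachine layer never changes who can read the secret, it only doubles the work.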