
It may be that security is a more apt location for this but I'll ask it here first.

If I want to encrypt some plaintext using DPAPI I have two scope options, CurrentUser and LocalMachine. Assume I want to encrypt data that will need decrypting by another user: is there a way to do that using some functions that are in .NET?

It'd be nice if there was an overload of the ProtectedData.Protect method, something like:

ProtectedData.Protect(byte[] plaintextBytes, byte[] salt, UserInformation userInformation);

where UserInformation is just a POCO with properties for the domain, user name and password.

The use case here would be a service or a scheduled task running under the auspices of an account other than that of the logged on (interactive) user, but that would need to be installed by another user.

I could write a utility to encrypt the string, then use the RunAs functionality to run it, but is there a way, other than this - if I have the domain, user name and password of the user - of doing what I need?

noonand
  • How about using machine scope and specifying the user's password (hashed or PBKDF2 derived) as the additional entropy value the API allows you to specify? Failing that you could try impersonation via LogonUser, but as there is no documented way to do it there are no guarantees. – Alex K. Sep 13 '17 at 10:35
  • @AlexK. Thanks but using LogonUser is pretty much the same as RunAs but with more programming effort – noonand Sep 14 '17 at 10:01
  • Did you ever find an answer to this? I have the same problem. (I edited to "bump" the question to recent activity, hopefully that's ok). – EJoshuaS - Stand with Ukraine Dec 18 '19 at 19:37
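As an added illustration of the approach raised in the comments (machine scope plus password-derived entropy), not code from the question or from any answer, here is what that looks like with the .NET APIs the question already names. It assumes the installer and the service both have the service account's password available at the time they call Protect/Unprotect, that `ProtectedData` is available (on .NET Core/.NET 5+ it comes from the System.Security.Cryptography.ProtectedData package and is Windows-only), and that the iteration count and the salt-plus-blob layout are choices of this example, not anything DPAPI itself prescribes.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the question): DPAPI LocalMachine scope with
// optional entropy derived from a per-user secret. Machine scope means any
// process on this machine can call Unprotect, so the confidentiality of the
// blob rests entirely on the entropy, i.e. on the password it was derived from.
public static class MachineScopeWithUserEntropy
{
    private const int SaltBytes = 16;
    private const int EntropyBytes = 32;
    private const int Iterations = 100_000; // assumption: tune for your environment

    // Derive the DPAPI "optional entropy" from the password with PBKDF2-SHA256.
    private static byte[] DeriveEntropy(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(EntropyBytes);
        }
    }

    // Returns salt || DPAPI blob. The salt is not secret and is stored alongside
    // the blob so that the decrypting side can re-derive the same entropy.
    public static byte[] Protect(byte[] plaintext, string password)
    {
        byte[] salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }

        byte[] entropy = DeriveEntropy(password, salt);
        try
        {
            byte[] blob = ProtectedData.Protect(plaintext, entropy, DataProtectionScope.LocalMachine);
            byte[] output = new byte[salt.Length + blob.Length];
            Buffer.BlockCopy(salt, 0, output, 0, salt.Length);
            Buffer.BlockCopy(blob, 0, output, salt.Length, blob.Length);
            return output;
        }
        finally
        {
            Array.Clear(entropy, 0, entropy.Length); // don't leave the entropy in memory longer than needed
        }
    }

    public static byte[] Unprotect(byte[] stored, string password)
    {
        if (stored == null || stored.Length <= SaltBytes)
            throw new ArgumentException("stored data is too short to contain a salt and a blob", nameof(stored));

        byte[] salt = new byte[SaltBytes];
        byte[] blob = new byte[stored.Length - SaltBytes];
        Buffer.BlockCopy(stored, 0, salt, 0, SaltBytes);
        Buffer.BlockCopy(stored, SaltBytes, blob, 0, blob.Length);

        byte[] entropy = DeriveEntropy(password, salt);
        try
        {
            // Throws CryptographicException if the password (and so the entropy) is
            // wrong, or if the blob was protected under a different machine's DPAPI key.
            return ProtectedData.Unprotect(blob, entropy, DataProtectionScope.LocalMachine);
        }
        finally
        {
            Array.Clear(entropy, 0, entropy.Length);
        }
    }

    public static void Main()
    {
        // Constructed sample values: in practice the password comes from the
        // installer's input at install time, never from source or config.
        byte[] secret = Encoding.UTF8.GetBytes("connection string to protect");
        byte[] stored = Protect(secret, "service-account-password");
        byte[] roundTrip = Unprotect(stored, "service-account-password");
        Console.WriteLine(Encoding.UTF8.GetString(roundTrip)); // same plaintext back
    }
}
```

The trade-off to keep in mind: with CurrentUser scope the OS holds the per-user master key, so the service account never has to see a password at runtime; with LocalMachine scope plus entropy, the service must be able to reproduce the entropy, which means the password (or the derived entropy) has to be available to it somehow. The example therefore moves the problem rather than removing it, which is why the comments also mention impersonation via LogonUser or simply running the encrypting utility under the target account.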
