There is some confidential user data that I am encrypting using DPAPI. This encrypted data is stored in a file placed in the %LOCALAPPDATA% folder.

How can I prevent other processes from accessing that file, since any other process running in the user session can decrypt it? Does Windows have some provision to facilitate my requirement, or is this a path that should not be pursued to protect the data?

Wander3r
    Windows security is based around users rather than processes. You can secure things for use by specific users or groups. You cannot secure things for specific processes. – David Heffernan Feb 07 '19 at 16:04
  • @DavidHeffernan Are you saying that this cannot be done at all? – Wander3r Feb 07 '19 at 16:13
  • That's precisely what I am saying – David Heffernan Feb 07 '19 at 16:19
  • Maybe you could make it as answer? I would still like to get some suggestions to see if there are any options in making my data more secure for other processes to decrypt. – Wander3r Feb 07 '19 at 16:33
  • I'm sure that there are existing questions that cover this. I'm not sure adding another answer does much. – David Heffernan Feb 07 '19 at 16:35
  • Why not protect it using a custom encrypted storage? Create your password-protected data yourself, with a password hardcoded in your app. Not against hacking, but it will prevent other apps from decrypting it easily. Otherwise, ask the user for credentials. – Michael Chourdakis Feb 07 '19 at 17:30
  • If it's only while your process is executing, you can open the files exclusively, i.e. without read, write, or delete sharing. That's limited to a single File object, but the handle can be duplicated if needed. – Eryk Sun Feb 07 '19 at 20:52
  • If it's even while your process isn't executing, then one option would be to redesign your architecture around a service. Since Vista, Windows supports virtual service SIDs that can be used to secure objects. Create a directory in `%ProgramData%` for your service and a secure subdirectory for each user, named by SID string, not user name. Do not create a folder in `%LocalAppData%` that the user can't access. – Eryk Sun Feb 07 '19 at 20:55
  • @Michael Yes, looks like some "password" protecting the data seems to be the way to go. – Wander3r Feb 08 '19 at 05:37
  • @eryksun do you have link for the "virtual service SIDs"? I can't change my process to a service, but would like to read more on that to see if I can leverage that capability through another service I have. – Wander3r Feb 08 '19 at 05:38
  • By 'virtual' SID, I mean that the service SID is derived from the service's virtual account name, which takes the form "NT SERVICE\". Get the SID from the name via `LookupAccountName` or as a string on the command line via `sc.exe showsid `. Refer to [Service Changes for Windows Vista](https://learn.microsoft.com/en-us/windows/desktop/Services/service-changes-for-windows-vista). It's called "Service Isolation". – Eryk Sun Feb 08 '19 at 06:22
  • Even if you had this, it wouldn't help. An attacker could just inject code into your process to suck out the data after you decrypt it. If you need to prevent data exfiltration, you cannot let the data enter a process that attackers can manipulate. For example, keep the data in a service and never let the app see it directly. – Raymond Chen Feb 08 '19 at 23:22
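The two defensive options Eryk Sun describes in the comments above (exclusive file sharing while the process runs, and a service-owned directory under `%ProgramData%` secured by the service's virtual SID with per-user subdirectories named by SID) can be set up from an elevated PowerShell session. The script below is an added example, not code from the question or any commenter; it assumes a hypothetical service named `MyDataService` that already exists so that `NT SERVICE\MyDataService` resolves, and the directory layout it creates is its own assumption.

```powershell
# Added example (not from the question or the comments). Assumes a hypothetical
# service "MyDataService" already installed, so its virtual account resolves.
# Run elevated: creating and re-ACLing a directory under %ProgramData% needs admin rights.
param(
    [string]$ServiceName = 'MyDataService'   # hypothetical service name, change to your own
)

# 1. Resolve the service's virtual-account SID. This is the same SID that
#    `sc.exe showsid <servicename>` prints; the account form is "NT SERVICE\<servicename>".
function Get-ServiceSid {
    param([string]$Name)
    $account = [System.Security.Principal.NTAccount]"NT SERVICE\$Name"
    return $account.Translate([System.Security.Principal.SecurityIdentifier])
}

# 2. Create the service's data root under %ProgramData% with a fresh, non-inherited DACL:
#    only SYSTEM and the service SID get access. Cutting inheritance removes the
#    Users / Authenticated Users ACEs that %ProgramData% would otherwise pass down,
#    so ordinary user processes (including the user's own) cannot open anything below it.
function New-ServiceDataRoot {
    param([string]$Name)
    $serviceSid = Get-ServiceSid -Name $Name
    $root = Join-Path $env:ProgramData $Name
    New-Item -ItemType Directory -Path $root -Force | Out-Null

    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)   # protected DACL, do not copy inherited ACEs

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $system  = New-Object System.Security.Principal.SecurityIdentifier(
                   [System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)

    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $system, $full, $inherit, $prop, $allow)))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $serviceSid, $full, $inherit, $prop, $allow)))

    Set-Acl -Path $root -AclObject $acl
    return $root
}

# 3. Per-user subdirectory named by the user's SID string (stable across renames),
#    not by user name. It inherits the root DACL, so the user gets no ACE of their own:
#    the service reads and writes on the user's behalf, the user's processes cannot.
function New-UserDataDirectory {
    param(
        [string]$Root,
        [System.Security.Principal.SecurityIdentifier]$UserSid
    )
    $dir = Join-Path $Root $UserSid.Value
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    return $dir
}

# 4. The "only while my process runs" variant: open the file with FileShare.None.
#    As long as this handle is open, any other open for read, write or delete fails
#    with a sharing violation, from any process. The protection ends when the handle closes.
function Open-Exclusive {
    param([string]$Path)
    return [System.IO.File]::Open($Path,
        [System.IO.FileMode]::OpenOrCreate,
        [System.IO.FileAccess]::ReadWrite,
        [System.IO.FileShare]::None)
}

# Usage: build the layout, then show the sharing lock in action on a constructed file.
$root    = New-ServiceDataRoot -Name $ServiceName
$meSid   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$userDir = New-UserDataDirectory -Root $root -UserSid $meSid
Write-Host "Service data directory for current user: $userDir"

$lockPath = Join-Path $env:TEMP 'exclusive-demo.bin'   # constructed sample file
$handle = Open-Exclusive -Path $lockPath
try {
    # Even a second open in this same process is refused: sharing is per handle, not per process.
    try { Get-Content -Path $lockPath -ErrorAction Stop | Out-Null }
    catch { Write-Host "Second open refused while handle is held: $($_.Exception.Message)" }
}
finally {
    $handle.Dispose()   # lock released here; the file is readable again by anyone with ACL access
}
```

Two design notes. The per-user directory deliberately grants nothing to the user, which is the point Raymond Chen makes in the last comment: the data never enters a process the user's session can inject into, and the service decides what to hand back. And the `FileShare.None` lock is only a runtime measure; once the handle is closed (or the process is killed) the file is back to being governed by its DACL, so it complements the service design rather than replacing it.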

0 Answers