We are using an AWS EC2 Windows AMI to do our builds from a Jenkins job. Our libraries use the Windows Cryptography API: Next Generation (NG) (DPAPI) to protect sensitive data from C# and C++ components.
Our builds succeed without any issue, but our unit test trying to use this API in the AMI instance keeps on failing. On the C# side we get the following exception (almost the same on C++ side):
Access is denied.
Source: System.Security
HRESULT: -2147024891
Stack:
at System.Security.Cryptography.ProtectedData.Protect(Byte[] userData, Byte[] optionalEntropy, DataProtectionScope scope)
We could get the Unit Tests passing with PsExec, but the output is lost and the step that normally takes about 20 minutes now takes more than 4 hours.
From some reading up, it seems like WinRM is the cause of the issue; PsExec seems to verify that.
Are there any other options instead of PsExec we can try to allow the unit tests to use the DPAPI inside the AMI?
PS: We did try to sync the master keys with CryptProtectData(CRYPTPROTECT_CRED_SYNC), but that did not work.
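
A check for reproducing the failure outside the unit tests, added here as an example and not part of the original post: it makes the same ProtectedData.Protect call from the stack trace in both DataProtectionScope values and reports the HRESULT, so the output from the WinRM-launched session can be compared with the output from a PsExec-launched one. The helper name Test-DpapiScope and the probe string are assumptions made for the example.

```powershell
# Added diagnostic, not code from the original post.
# Test-DpapiScope is a hypothetical helper name chosen for this example.
Add-Type -AssemblyName System.Security

function Test-DpapiScope {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.DataProtectionScope]$Scope
    )
    # Constructed sample plaintext; no real secret is involved.
    $plain  = [System.Text.Encoding]::UTF8.GetBytes('dpapi-probe')
    $result = [ordered]@{ Scope = $Scope; Succeeded = $false; HResult = $null; Message = $null }
    try {
        # Round trip: protect, then unprotect in the same scope and compare.
        $blob = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $Scope)
        $back = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $Scope)
        $result.Succeeded = ([System.Text.Encoding]::UTF8.GetString($back) -eq 'dpapi-probe')
    }
    catch {
        # PowerShell wraps the .NET exception; walk down to the innermost one.
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        # -2147024891 from the post is 0x80070005 (E_ACCESSDENIED) in hex.
        $result.HResult = '0x{0:X8}' -f $ex.HResult
        $result.Message = $ex.Message
    }
    [pscustomobject]$result
}

# Record which identity and profile the session is running with.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Identity: $($id.Name)  USERPROFILE: $env:USERPROFILE"

'CurrentUser', 'LocalMachine' |
    ForEach-Object { Test-DpapiScope -Scope $_ } |
    Format-Table -AutoSize
```

Run it once from the Jenkins step as it is launched today and once through PsExec; a difference in the CurrentUser row between the two runs isolates the problem to how the session is created rather than to the test code.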