Ilia

Reputation: 341

ProtectedData.Protect and hardware changes

I've just been watching some Microsoft Virtual Academy videos on C# and there was a lesson on encryption. At some point the lecturers used the ProtectedData.Protect method. The last argument is a flag that shows the level of access: only the current user or the local machine.

They also said that if someone steals your HDD then they can't get access to the encrypted files. At this point I suppose that this encryption depends on some hardware combination of the current machine, doesn't it?

So when you remove an HDD, even with the OS that has the encrypted files, you still can't access them. If so, what if I change some of my PC's hardware? Will it affect the possibility of decrypting previously encrypted files? And if I am totally wrong, missed something very important and misunderstand the whole concept, can anyone explain it in a few words?

Upvotes: 0

Views: 586

Answers (1)

Michał Komorowski

Reputation: 6238

Under the hood ProtectedData.Protect uses a native library, crypt32.dll, which is an interface to the Windows Data Protection API. As far as I know, in order to protect/encrypt data DPAPI uses something known as a MasterKey which is randomly generated and stored on the disk. It means that changes in your PC hardware will not affect the ability to decrypt previously encrypted files.

As to the situation when your disk was stolen: my understanding is that if DataProtectionScope.LocalMachine mode was used, then the one who stole your disk would be able to gain access to your data. Note what the documentation says about this mode:

We highly recommend that this flag not be used on workstations to protect a user's data. It does make sense, however, for a server process to use the flag on a server where untrusted users are not allowed to log on. It also makes sense for a local machine process to use the flag to protect data to be stored off the machine or on a shared drive.

See also this question.

Upvotes: 2
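The following is an added example, not code from the question, the answer or the Microsoft videos, showing the two DataProtectionScope values and the optional entropy parameter that the answer touches on. Background facts it relies on: the CurrentUser master key is kept under the user's profile and is itself encrypted with a key derived from the user's logon password, while the LocalMachine master key is protected by machine-level secrets stored on the same disk; neither depends on the hardware, which is why a hardware change does not break decryption but possession of the disk is enough to recover LocalMachine blobs. The entropy value and the sample secret are constructed for the demo. It assumes Windows and either a .NET Framework project referencing System.Security.dll or, on .NET Core/.NET 5+, the System.Security.Cryptography.ProtectedData NuGet package.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original question or answer): DPAPI via ProtectedData.
static class DpapiDemo
{
    // Optional entropy is a second secret mixed into the DPAPI key derivation.
    // Without it, any process running as the same user (CurrentUser) or any process
    // on the machine (LocalMachine) can call Unprotect on the blob. Assumed value.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("app-specific-entropy");

    static byte[] Protect(string plaintext, DataProtectionScope scope, byte[] entropy)
        => ProtectedData.Protect(Encoding.UTF8.GetBytes(plaintext), entropy, scope);

    static string Unprotect(byte[] blob, DataProtectionScope scope, byte[] entropy)
        => Encoding.UTF8.GetString(ProtectedData.Unprotect(blob, entropy, scope));

    static void Main()
    {
        const string secret = "db-password-example"; // constructed sample input

        // CurrentUser: bound to the calling user's DPAPI master key, which is
        // encrypted with a key derived from that user's logon credential.
        byte[] userBlob = Protect(secret, DataProtectionScope.CurrentUser, Entropy);
        Console.WriteLine("CurrentUser round trip: "
            + Unprotect(userBlob, DataProtectionScope.CurrentUser, Entropy));

        // LocalMachine: any account on this machine can Unprotect the blob, and the
        // key material lives on the same disk, so a stolen disk is enough to recover it.
        byte[] machineBlob = Protect(secret, DataProtectionScope.LocalMachine, Entropy);
        Console.WriteLine("LocalMachine round trip: "
            + Unprotect(machineBlob, DataProtectionScope.LocalMachine, Entropy));

        // Wrong entropy: DPAPI refuses to decrypt rather than returning garbage.
        try
        {
            Unprotect(userBlob, DataProtectionScope.CurrentUser, Encoding.UTF8.GetBytes("wrong"));
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("Wrong entropy rejected: " + ex.Message);
        }

        // Tampered blob: DPAPI blobs carry an integrity check, so a flipped byte is
        // detected and Unprotect throws instead of yielding corrupted plaintext.
        userBlob[userBlob.Length - 1] ^= 0xFF;
        try
        {
            Unprotect(userBlob, DataProtectionScope.CurrentUser, Entropy);
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("Tampered blob rejected: " + ex.Message);
        }
    }
}
```

Two practical caveats. The entropy only helps if it is not recoverable from the same place as the blob; a constant compiled into the application, as in this demo, is readable by anyone who can read the binary, so real deployments derive or store it separately. And neither scope protects data while the user is logged in: anything running as that user (or, for LocalMachine, as any user on the box) can call Unprotect, which is why the documentation quoted in the answer discourages LocalMachine on workstations.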
