mark

Reputation: 62846

How to encrypt a file in Windows using the current user credentials without EFS?

I would like to encrypt a file using my domain account credentials and check it into source control. I would like to have the following functionality:

  1. Anyone can check out the encrypted file.
  2. The decryption procedure only asks for the password if the account attempting to decrypt the file is not mine. Alternatively, it never asks for a password and always uses the credentials of the account executing the command. If that account is not mine, then the decryption should fail.

I am wondering if there is anything out of the box doing what I need? If not, how would you implement such a scheme?

EDIT

Allow me to clarify. My password is not checked into source control. The decryption procedure should be able to use my credentials simply because I am logged in.

Motivation

The build servers need to incorporate a certain API key into the build procedure. We do not want this API key to lie in plain text in version control. So, we have several options:

  1. The API key is defined as an environment variable on the Build Servers. This is a configuration headache.
  2. We encrypt the API key using the credentials of the build account and check it into version control. The idea is that a build server checks the code out and is able to access the API key transparently.

We are not seeking a bullet-proof routine; after all, this is all inside the private network. So, if there is a limited group of users who know the build account credentials, then they will be able to decrypt the API key. But the majority of the developers do not have build account access and will not be able to decrypt the API key.

I am open to other suggestions.

Upvotes: 1

Views: 659

Answers (1)

Erik Aronesty

Reputation: 12915

On Windows, you use the DPAPI:

https://learn.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata

For example:

import win32crypt

data = b"the secret to protect"  # plaintext bytes; any bytes object works
# Encrypt under the calling user's DPAPI master key (no description, no extra entropy, no prompt)
blob = win32crypt.CryptProtectData(data, None, None, None, None, 0)
# CryptUnprotectData returns a (description, data) tuple, so unpack it
description, data = win32crypt.CryptUnprotectData(blob, None, None, None, 0)

This should work fine.

Upvotes: 1
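The same DPAPI call is reachable from PowerShell through .NET's `ProtectedData` class, which fits the build-server scenario in the question: the build account encrypts the API key once, the resulting blob is committed, and the build step decrypts it with no password prompt. This is an added example, not code from the answer above; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, and the file name and API key value are constructed placeholders.

```powershell
# Added example: wrap a secret with DPAPI under the calling account
# (DataProtectionScope::CurrentUser) and unwrap it later on the same account.
# In Windows PowerShell 5.1 the ProtectedData class lives in System.Security.dll,
# so load it explicitly; the call is harmless on PowerShell 7.
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param(
        [Parameter(Mandatory)] [string] $PlainText,
        [Parameter(Mandatory)] [string] $OutFile
    )
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    # Second argument is optional entropy: an extra secret mixed into the key.
    # It is left $null here, so possession of the account alone is what unlocks the blob.
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        $bytes, $null,
        [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    # Base64 keeps the binary blob readable and diff-friendly in version control.
    [System.Convert]::ToBase64String($blob) | Set-Content -Path $OutFile -Encoding ascii
}

function Unprotect-Secret {
    param([Parameter(Mandatory)] [string] $InFile)
    $blob = [System.Convert]::FromBase64String((Get-Content -Path $InFile -Raw).Trim())
    try {
        $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $blob, $null,
            [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        return [System.Text.Encoding]::UTF8.GetString($bytes)
    }
    catch [System.Security.Cryptography.CryptographicException] {
        # This is the failure mode the question asks for: any account other than the
        # one that ran Protect-Secret cannot unwrap the blob, and the build should stop here.
        throw "DPAPI could not decrypt '$InFile' as $($env:USERDOMAIN)\$($env:USERNAME): $($_.Exception.Message)"
    }
}

# Usage. Step 1, run once while logged in as the build account, then commit apikey.dpapi:
Protect-Secret -PlainText 'constructed-placeholder-api-key' -OutFile '.\apikey.dpapi'
# Step 2, in the build script, running as the same build account:
$apiKey = Unprotect-Secret -InFile '.\apikey.dpapi'
```

Two points worth noting when adopting this. First, `CurrentUser` scope ties the blob to the account's DPAPI master key, so a blob produced on one build machine can only be decrypted by the same account (for domain accounts the master key follows the account across machines; for local accounts it is machine-bound). Second, the protection is exactly as strong as the question expects: anyone who can run code as the build account, or who holds its credentials, can decrypt the key, so the build account's interactive logon and service rights are the real access control, and should be reviewed as such.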
