c00000fd

Reputation: 22255

How secure is encryption provided by CryptProtectData API?

Say I encrypt some text using the CryptProtectData API without specifying the CRYPTPROTECT_LOCAL_MACHINE flag. If I understood it correctly, doing so will allow only the user that my application was running under to decrypt it.

Let's assume that I saved the resulting ciphertext data in an HKCU registry key for my application. So obviously some other users (from other user accounts) will be able to read that data from the registry.

My question is, will any other user on that computer be able to decrypt it without having the initial user log in to that machine?

Upvotes: 1

Views: 1509

Answers (1)

Balu

Reputation: 2447

Certainly, no other user can decrypt it. The user master key is needed to decrypt the data and it is created by the user password. So copying the registry info doesn't allow decrypting the data.

The Master Key, created and encrypted with the user's password, is stored in a separate file in the Master Key storage folder along with other system data. The user's Master Keys are stored in %APPDATA%/Microsoft/Protect/%SID%, where %APPDATA% is the Application Data directory.

More info here

Upvotes: 3
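
The scenario from the question, as an added example that is not part of the original question or answer: a user-scoped DPAPI round trip through .NET's ProtectedData wrapper, with the ciphertext kept under HKCU and the decryption failure handled explicitly. It assumes Windows PowerShell 5.1; the registry key, value name and sample secret are constructed for illustration.

```powershell
# Added example: user-scoped DPAPI round trip with the blob stored under HKCU.
# Key path, value name and sample secret are constructed, not from the page.
Add-Type -AssemblyName System.Security   # makes ProtectedData available in Windows PowerShell 5.1

$KeyPath   = 'HKCU:\Software\ExampleApp'   # hypothetical application key
$ValueName = 'ProtectedBlob'               # hypothetical value name
# CurrentUser is the scope used when CRYPTPROTECT_LOCAL_MACHINE is not set.
$Scope     = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

function Save-UserSecret {
    param([Parameter(Mandatory)][string]$PlainText)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    try {
        # No optional entropy is supplied ($null), matching the question's setup.
        $blob = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $null, $Scope)
    } finally {
        # Wipe the plaintext buffer once the ciphertext exists.
        [Array]::Clear($bytes, 0, $bytes.Length)
    }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # Only the opaque DPAPI blob is written to the registry.
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $blob -Type Binary
}

function Read-UserSecret {
    $blob = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop).$ValueName
    try {
        $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]$blob, $null, $Scope)
        return [System.Text.Encoding]::UTF8.GetString($bytes)
    } catch [System.Security.Cryptography.CryptographicException] {
        # Raised when the caller cannot use the master key that protected the blob,
        # for example when the blob was copied to another account.
        Write-Warning "DPAPI could not decrypt the blob in this user context."
        return $null
    }
}

Save-UserSecret -PlainText 'constructed-sample-secret'
Read-UserSecret   # returns the sample text when run as the same user
```

Running Read-UserSecret against a copy of the same blob from a different account takes the catch branch, which is the behaviour the answer describes.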
