Using DPAPI with Service Accounts

  • Question

  • I'm running a .NET application as part of an ASP.NET implementation. I have a user story calling for the ability to encrypt files coming into the app (and decrypt on the way out). I have implemented encryption, but I need a place to store the encryption key. If I understand DPAPI correctly, it requires a logged in user to manage keys. This app runs under a service account, not a user account.

    How do I securely store keys in Windows using service accounts? Is DPAPI even an option?

    Director of Security

    Wednesday, February 15, 2012 8:21 PM

All replies

  • You can use CryptProtectData [dpapi encryption] to protect to the local machine. This means that any user logged onto the machine can decrypt the data with CryptUnprotectData. If your application is running on a web server where only admins can login then this may be acceptable. You will need to analyze the threats to make this determination.

    Using DPAPI to encrypt to the user [application pool context in your case] may be problematic for some types of service accounts because there may not be a permanent profile. DPAPI stores its master keys under the user profile directory.

    Thursday, February 16, 2012 5:43 AM
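The two DPAPI scopes the reply contrasts, shown as an added C# example that is not code from the thread. It uses the .NET `ProtectedData` wrapper over `CryptProtectData`/`CryptUnprotectData` and assumes a .NET Framework application on Windows with `System.Security.dll` referenced; the entropy string and the blob path are placeholders.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the original thread. Shows the two DPAPI scopes the
// reply contrasts, via the .NET wrapper (ProtectedData) over CryptProtectData /
// CryptUnprotectData. Assumes .NET Framework on Windows with System.Security.dll referenced.
public static class DpapiKeyStore
{
    // Optional entropy passed to DPAPI. It must be supplied again to unprotect, which
    // narrows "any account on the machine" somewhat in LocalMachine scope, but it is not
    // a real boundary unless it is itself kept where only the app identity can read it.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("example-entropy-placeholder"); // placeholder value

    // Machine scope: any account on this host that can read the blob can also unprotect it,
    // so the file ACL on the blob is what actually limits access.
    public static byte[] ProtectForMachine(byte[] secret)
    {
        return ProtectedData.Protect(secret, Entropy, DataProtectionScope.LocalMachine);
    }

    // User scope: only the protecting account (here, the app pool identity) can unprotect.
    // Needs a loaded user profile, because DPAPI keeps the master key under the profile.
    public static byte[] ProtectForCurrentUser(byte[] secret)
    {
        return ProtectedData.Protect(secret, Entropy, DataProtectionScope.CurrentUser);
    }

    public static byte[] Unprotect(byte[] blob, DataProtectionScope scope)
    {
        return ProtectedData.Unprotect(blob, Entropy, scope);
    }

    // Generates a fresh 256-bit key for the application's file encryption.
    public static byte[] NewAesKey()
    {
        var key = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(key);
        }
        return key;
    }
}

public static class Program
{
    public static void Main()
    {
        // Placeholder location; in practice restrict this file's ACL to the app pool identity.
        string blobPath = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "filekey.dpapi");

        byte[] key = DpapiKeyStore.NewAesKey();

        // Store the key protected for the machine.
        File.WriteAllBytes(blobPath, DpapiKeyStore.ProtectForMachine(key));

        // On a later request, recover the key before decrypting an outgoing file.
        byte[] recovered = DpapiKeyStore.Unprotect(
            File.ReadAllBytes(blobPath), DataProtectionScope.LocalMachine);
        Console.WriteLine(recovered.Length == 32 ? "key recovered" : "unexpected key length");

        // User scope throws CryptographicException under a service account whose profile
        // is not loaded; surface that rather than silently falling back to machine scope.
        try
        {
            byte[] userBlob = DpapiKeyStore.ProtectForCurrentUser(key);
            Console.WriteLine("user-scope blob: " + userBlob.Length + " bytes");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("user-scope DPAPI unavailable (profile not loaded?): " + ex.Message);
        }

        // Do not leave key material lying around in managed memory longer than needed.
        Array.Clear(key, 0, key.Length);
        Array.Clear(recovered, 0, recovered.Length);
    }
}
```

With `LocalMachine` scope the NTFS ACL on the blob file is the control that decides who can recover the key, so it should grant read access only to the application pool identity. If `CurrentUser` scope is preferred, the IIS application pool's "Load User Profile" setting must be enabled so that a profile, and therefore a DPAPI master key, exists for the service account.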