Introduction
Data Protection using DPAPI on managed code needs to be done using C++ unmanaged code or by writing some wrapper code, as many of us have done. Data Protection is available in VS2005 by using some simple-to-use static methods: "ProtectedMemory::Protect", "ProtectedMemory::Unprotect", "ProtectedData::Protect", and "ProtectedData::Unprotect" located in the "System::Security::Cryptography" namespace. I have taken some time to define a class that I called "Secret" that hides many implementation details with the intention of making working with those methods as simple as it can be. For example:
int main(array<System::String ^> ^args)
{
String ^s = L"this is a sample and a long one it is";
::Security::ISecret ^a =
(::Security::ISecret^)(gcnew ::Security::Secret());
a->ProtectMemory(s) ;
a->UnprotectMemory();
System::Console::WriteLine(a->ToString());
String ^entropy=L"test", ^fpath=L"c:/temp/test.dat" ;
a->ProtectDataToFile(s,entropy,fpath) ;
a->UnprotectDataFromFile(entropy,fpath) ;
System::Console::WriteLine(a->ToString());
return 0;
}
You will soon find that keeping secrets with the "Secret" class can be a bit more complex if you like to influence the "Scope" of your secret. For that reason I also abstracted out the DPAPI enumerators and provided a single enumerator class as follows:
public enum class ProtectionScope
{
...
ProtectMemoryCrossProcess = 1,
ProtectMemorySameLogon = 2,
ProtectMemorySameProcess = 3,
ProtectDataCurrentUser = 10,
ProtectDataLocalMachine = 11,
...
} ;
To change the scope just do the following:
a->Scope = ProtectionScope::ProtectMemoryCrossProcess ;
I encourage the reader to lookup the DPAPI MSDN articles and use it to keep data secure in their applications. Search for DPAPI and "ProtectedMemory" to get to those articles.
I'd also like that anyone interested in the "Secret" class use it, and if improvements are done, keep me posted of those. Also if there are any recommendations (the good and the bad) send me those as well.
