data encryption and key management in c#


Which route to take, what are the pros and cons, and which is more secure?

1) Generate an AES key, encrypt the data with it and then encrypt the AES key with RSA; save the encrypted data and encrypted AES key to a file and the RSA keypair to a KeyContainer.

2) Or use the DPAPI ProtectedData class to encrypt the data and save it to a file, and then store the entropy that I used with ProtectedData.Protect() somewhere (maybe also encrypt it with RSA, store the RSA keypair in the KeyContainer and the encrypted entropy in the file with the data?).

EDIT: Just for more info: we need to secure our application's file system usage. So any file the application stores to the filesystem, we want to be encrypted. The file is most likely used by the same application or another component of the same application stack.


Solution

  • If you are looking for an encryption scheme to protect local application data, then your choice of API depends on whether you would need to share the encrypted data between different servers running the same application.

    If only one server would need access to the data, then DPAPI should be good enough for your purposes. The security is provided by the user's credentials, which in this context will be the credentials running your application stack. You can provide additional entropy (or 'salt') hardcoded into your application to increase the security so that it is not reliant on the end user credentials alone. It is simple to implement and you don't need to deal with exporting/importing keys.

    If multiple servers would need to access the same files / data, then the RSA Key Container method is better. The same key can be exported to multiple servers and they can share the same encrypted files. The key can also be backed up for recovery purposes. You don't have such an option with DPAPI.

    The security in one method is not better than the other, as they use similar schemes and both keys are in the end protected with the user credentials. DPAPI uses credentials to secure the internal RSA keys it uses and Windows will control access to RSA Key Containers by using the credentials as well.
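The multi-server route from the answer (option 1 in the question), as an added example that is not code from the question or the answer: a fresh AES-256-GCM key per file, wrapped with an RSA pair stored in a named machine-level key container. It assumes .NET 6 or later on Windows; the container name and the on-disk layout are my own choices.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Envelope encryption (option 1 above): a fresh AES-256-GCM key per file, wrapped with
// an RSA key pair that lives in a named machine-level key container.
static class EnvelopeFile
{
    const string ContainerName = "MyApp.FileEncryption"; // example name, not from the thread
    static RSACryptoServiceProvider OpenContainerKey()
    {
        var csp = new CspParameters
        {
            KeyContainerName = ContainerName,
            Flags = CspProviderFlags.UseMachineKeyStore // visible to every account on this server
        };
        return new RSACryptoServiceProvider(2048, csp); // creates the pair on first use, reopens it after
    }

    public static void Encrypt(string path, byte[] plaintext)
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);
        byte[] nonce = RandomNumberGenerator.GetBytes(AesGcm.NonceByteSizes.MaxSize); // 12 bytes
        byte[] tag = new byte[AesGcm.TagByteSizes.MaxSize];                           // 16 bytes
        byte[] ciphertext = new byte[plaintext.Length];
        using (var aes = new AesGcm(key)) aes.Encrypt(nonce, plaintext, ciphertext, tag);
        byte[] wrappedKey;
        using (var rsa = OpenContainerKey()) wrappedKey = rsa.Encrypt(key, fOAEP: true); // RSA-OAEP key wrap
        CryptographicOperations.ZeroMemory(key);
        // Layout: [int32 wrapped-key length][wrapped key][nonce][tag][ciphertext]
        using var w = new BinaryWriter(File.Create(path));
        w.Write(wrappedKey.Length); w.Write(wrappedKey);
        w.Write(nonce); w.Write(tag); w.Write(ciphertext);
    }

    public static byte[] Decrypt(string path)
    {
        using var r = new BinaryReader(File.OpenRead(path));
        byte[] wrappedKey = r.ReadBytes(r.ReadInt32());
        byte[] nonce = r.ReadBytes(AesGcm.NonceByteSizes.MaxSize);
        byte[] tag = r.ReadBytes(AesGcm.TagByteSizes.MaxSize);
        byte[] ciphertext = r.ReadBytes((int)(r.BaseStream.Length - r.BaseStream.Position));
        byte[] key;
        using (var rsa = OpenContainerKey()) key = rsa.Decrypt(wrappedKey, fOAEP: true);
        byte[] plaintext = new byte[ciphertext.Length];
        using (var aes = new AesGcm(key)) aes.Decrypt(nonce, ciphertext, tag, plaintext); // throws on tampering
        CryptographicOperations.ZeroMemory(key);
        return plaintext;
    }
}
```

A second server can only read these files once the same RSA pair has been imported into a container with that name, which is the export/import step the answer mentions; the GCM tag additionally rejects any file that was modified on disk.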