Microsoft Windows (XP or later) and .NET provide a convenient way to secure your data both on disk and in memory. This is done with the following classes from the Data Protection API:
- ProtectedData
- ProtectedMemory
Both classes live in the System.Security.Cryptography namespace. They form the managed wrapper over DPAPI and have been available since .NET 2.0.
ProtectedData
ProtectedData can encrypt and decrypt your data symmetrically.
To encrypt data, use:
ProtectedData.Protect(byteArrayOfOriginalData, additionalEntropyOrSalt, DataProtectionScopeValue);
To decrypt data, use:
ProtectedData.Unprotect(byteArrayOfEncryptedData, additionalEntropyOrSalt, DataProtectionScopeValue);
In the snippets above, additionalEntropyOrSalt is an optional custom key / salt / entropy value that you add to the encryption and decryption process to strengthen the protection; the same value must be supplied when decrypting.
DataProtectionScope in the snippets above can take either of two values:
- CurrentUser - The encrypted data can be decrypted only in the context of the current user.
- LocalMachine - The encrypted data can be decrypted in the context of the current machine (by any user on it).
Choose the protection scope carefully to restrict who can decrypt your secured data according to your needs.
The key used to encrypt and decrypt your data is created and managed automatically by Windows, derived from the user's credentials or the machine's parameters. The key and the encrypted data are updated whenever the parameters that affect key generation change.
The scope controls and restricts unauthorized access to your sensitive data, and key management is handled by the OS on that machine according to the scope; this makes it very handy and reliable to use.
ProtectedData is intended for data that you want to persist on disk or save for later use.
ProtectedMemory
ProtectedMemory can encrypt and decrypt sensitive information that your application keeps in memory, again symmetrically.
To encrypt in-memory data, use:
ProtectedMemory.Protect(byteArrayOfOriginalData, MemoryProtectionScopeValue);
To decrypt in-memory data, use:
ProtectedMemory.Unprotect(byteArrayOfEncryptedData, MemoryProtectionScopeValue);
When byteArrayOfOriginalData is encrypted, the resulting ciphertext is written back into the same byte array. This protects sensitive data in your application's memory and makes it unreadable to any other application that can trace or read your process at runtime.
MemoryProtectionScope in the snippets above can take any of three values:
- CrossProcess - The encrypted in-memory data can be decrypted by code in any process.
- SameLogon - The encrypted in-memory data can be decrypted by any process running in the current user's logon context only.
- SameProcess - The encrypted in-memory data can be decrypted only by the same process that encrypted it.
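The following is an added C# example (not code from the original post) that puts both classes together: ProtectedData with entropy and the CurrentUser scope for a secret going to disk, and ProtectedMemory with the SameProcess scope for a secret held in memory. It assumes .NET Framework on Windows, since ProtectedMemory is not shipped in .NET Core / .NET 5+, and the entropy string, class and method names are placeholders chosen for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Added example, not code from the original post. Targets .NET Framework on
// Windows (ProtectedMemory is not shipped in .NET Core / .NET 5+).
static class DpapiDemo
{
    // Constructed sample entropy. It ships with the app, so it is not a secret
    // key; it only binds the blob to this application (wrong entropy = no decrypt).
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("demo-app-entropy-v1");
    // Secret destined for disk: encrypted under the current user's DPAPI master key.
    public static byte[] ProtectForDisk(string secret)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        try { return ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser); }
        finally { Array.Clear(plain, 0, plain.Length); }   // drop the plaintext copy
    }

    // Throws CryptographicException for another user, another machine or other entropy.
    public static string UnprotectFromDisk(byte[] blob)
    {
        byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
        string s = Encoding.UTF8.GetString(plain);
        Array.Clear(plain, 0, plain.Length);
        return s;
    }

    // ProtectedMemory works in place and the buffer length must be a multiple of
    // 16 bytes, otherwise Protect throws; pad up front instead.
    public static byte[] ToProtectedBuffer(string secret)
    {
        byte[] raw = Encoding.UTF8.GetBytes(secret);
        byte[] buf = new byte[(raw.Length + 15) / 16 * 16];
        Buffer.BlockCopy(raw, 0, buf, 0, raw.Length);
        Array.Clear(raw, 0, raw.Length);
        ProtectedMemory.Protect(buf, MemoryProtectionScope.SameProcess); // buf is now ciphertext
        return buf;
    }

    static void Main()
    {
        byte[] blob = ProtectForDisk("db-password");              // safe to write to disk
        Console.WriteLine(UnprotectFromDisk(blob));
        byte[] mem = ToProtectedBuffer("session-token");
        ProtectedMemory.Unprotect(mem, MemoryProtectionScope.SameProcess); // only while needed
        Console.WriteLine(Encoding.UTF8.GetString(mem).TrimEnd('\0'));
        ProtectedMemory.Protect(mem, MemoryProtectionScope.SameProcess);   // re-protect after use
    }
}
```

Keep the window between Unprotect and the following Protect as short as possible, and clear any managed copies of the plaintext, since ProtectedMemory only guards the buffer it was given.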
Happy coding!