# Data Protection API

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/Data_Protection_API
> Markdown URL: https://mediated.wiki/source/Data_Protection_API.md
> Source: https://en.wikipedia.org/wiki/Data_Protection_API
> Source revision: 1319625828
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)


**Data Protection Application Programming Interface** (**DPAPI**) is a simple [cryptographic](/source/Cryptography) [application programming interface](/source/Application_programming_interface) available as a built-in component in [Windows 2000](/source/Windows_2000) and later versions of [Microsoft Windows](/source/Microsoft_Windows) [operating systems](/source/Operating_system). In theory, the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy. A detailed analysis of DPAPI's inner workings was published in 2011 by [Bursztein](/source/Elie_Bursztein) et al.[1]

For nearly all [cryptosystems](/source/Cryptosystem), one of the most difficult challenges is "[key management](/source/Key_management)" – in part, how to securely store the decryption key. If the key is stored in *[plain text](/source/Plain_text)*, then any user that can access the key can access the encrypted data. If the key is to be encrypted, another key is needed, and so on. DPAPI allows developers to encrypt keys using a symmetric key derived from the user's logon secrets, or in the case of system encryption, using the system's domain authentication secrets.

The DPAPI keys used for encrypting the user's [RSA](/source/RSA_(cryptosystem)) keys are stored under the `%APPDATA%\Microsoft\Protect\{SID}` directory, where `{SID}` is the [Security Identifier](/source/Security_Identifier) of that user. The DPAPI key is stored in the same file as the master key that protects the user's private keys. It is usually 64 bytes of random data.

## Security properties

DPAPI doesn't store any persistent data for itself; instead, it simply receives [plaintext](/source/Plaintext) and returns [ciphertext](/source/Ciphertext) (or conversely).

DPAPI security relies upon the Windows operating system's ability to protect the master key and [RSA](/source/RSA_(algorithm)) private keys from compromise, which in most attack scenarios depends primarily on the security of the end user's credentials. The main encryption/decryption key is derived from the user's password by the [PBKDF2](/source/PBKDF2) function.[2] Particular data [binary large objects](/source/Binary_large_object) can be encrypted in a way that adds a [salt](/source/Salt_(cryptography)) and/or requires an external, user-prompted password (aka "Strong Key Protection"). The use of a salt is a per-implementation option – i.e. under the control of the application developer – and is not controllable by the end user or system administrator.
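The per-application salt described above is exposed in .NET as the optional entropy argument of `System.Security.Cryptography.ProtectedData`. The following is an added example (not code from the article or from Microsoft) showing that a blob protected with one entropy value cannot be unprotected with another, even by the same user; the secret and entropy strings are constructed sample values, and the code assumes it runs on Windows where DPAPI is available.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: DPAPI through the .NET ProtectedData wrapper.
// Requires Windows; on .NET Core/5+ the class ships in the
// System.Security.Cryptography.ProtectedData package.
static class DpapiEntropyDemo
{
    // 'entropy' is the application-controlled salt the article mentions.
    // Whoever unprotects the blob must present the same bytes.
    static byte[] Protect(string secret, byte[] entropy, DataProtectionScope scope)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(secret);
        return ProtectedData.Protect(plaintext, entropy, scope);
    }

    static string Unprotect(byte[] blob, byte[] entropy, DataProtectionScope scope)
    {
        byte[] plaintext = ProtectedData.Unprotect(blob, entropy, scope);
        return Encoding.UTF8.GetString(plaintext);
    }

    static void Main()
    {
        // Constructed sample values, not a real credential.
        byte[] entropy = Encoding.UTF8.GetBytes("app-specific-entropy-v1");

        // CurrentUser scope ties the blob to this user's master key.
        // LocalMachine scope would let any process on this machine unprotect it,
        // so it is the weaker choice for per-user secrets.
        byte[] blob = Protect("example-api-token", entropy, DataProtectionScope.CurrentUser);
        Console.WriteLine($"Blob length: {blob.Length} bytes");

        // Same user context and same entropy: decrypts.
        Console.WriteLine(Unprotect(blob, entropy, DataProtectionScope.CurrentUser));

        // Wrong entropy: DPAPI rejects the blob even for the same user.
        try
        {
            Unprotect(blob, Encoding.UTF8.GetBytes("other-entropy"), DataProtectionScope.CurrentUser);
        }
        catch (CryptographicException e)
        {
            Console.WriteLine($"Unprotect failed as expected: {e.Message}");
        }
    }
}
```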

Delegated access can be given to keys through the use of a [COM+](/source/COM%2B) object. This enables [IIS](/source/Internet_Information_Services) [web servers](/source/Web_servers) to use DPAPI.

## Active Directory backup keys

When a computer is a member of a domain, DPAPI has a backup mechanism to allow data deprotection in case the user's password is lost, which is named "Credential Roaming". When installing a new domain on a domain controller, a public and private key pair is generated, associated with DPAPI. When a master key is generated on a client workstation, the client communicates through an authenticated [RPC](/source/Remote_procedure_call) call with a domain controller to retrieve a copy of the domain's public key. The client encrypts the master key with the domain controller's public key. Finally, it stores this new backup master key in its AppData directory, just like traditional master key storage.

## Use of DPAPI by Microsoft software

While not universally implemented in all Microsoft products, the use of DPAPI by Microsoft products has increased with each successive version of Windows. However, many applications from Microsoft and third-party developers still prefer to use their own protection approach or have only recently switched to DPAPI. For example, [Internet Explorer](/source/Internet_Explorer) versions 4.0–6.0, [Outlook Express](/source/Outlook_Express) and [MSN Explorer](/source/MSN_Explorer) used the older Protected Storage (PStore) API to store saved credentials such as passwords. [Internet Explorer 7](/source/Internet_Explorer_7) now protects stored user credentials using DPAPI.[3] Microsoft software that uses DPAPI includes:

- Picture password, PIN and fingerprint in [Windows 8](/source/Windows_8)

- [Encrypting File System](/source/Encrypting_File_System) in Windows 2000 and later

- SQL Server [Transparent Data Encryption](/source/Transparent_Data_Encryption) (TDE) Service Master Key encryption[4]

- [Internet Explorer 7](/source/Internet_Explorer_7), both in the standalone version available for [Windows XP](/source/Windows_XP) and in the integrated versions available in [Windows Vista](/source/Windows_Vista) and [Windows Server 2008](/source/Windows_Server_2008)

- [Microsoft Edge](/source/Microsoft_Edge)

- [Windows Mail](/source/Windows_Mail) and [Windows Live Mail](/source/Windows_Live_Mail)

- Outlook for [S/MIME](/source/S%2FMIME)

- [Internet Information Services](/source/Internet_Information_Services) for [SSL/TLS](/source/Transport_Layer_Security)

- Windows [Rights Management Services](/source/Rights_Management_Services) client v1.1 and later

- [Windows 2000](/source/Windows_2000) and later for [EAP/TLS](/source/Extensible_Authentication_Protocol#EAP-TLS) ([VPN](/source/VPN) authentication) and 802.1x ([WiFi](/source/WiFi) authentication)

- Windows XP and later for stored user names and passwords[5] (aka Credential Manager)

- [.NET Framework 2.0](/source/.NET_Framework_2.0) and later for System.Security.Cryptography.ProtectedData[6]

- Microsoft.Owin (Katana) authentication by default when self-hosting (including cookie authentication and [OAuth](/source/OAuth) tokens)[7][8]

## References

1. Bursztein, Elie; Picod, Jean Michel (2010). ["Recovering Windows secrets and EFS certificates offline"](https://elie.net/publication/recovering-windows-secrets-and-efs-certificates-offline/). *WoOT 2010*. Usenix.

2. ["Windows Password Recovery – DPAPI Master Key analysis"](http://www.passcape.com/windows_password_recovery_dpapi_master_key). *Passcape.com*. Retrieved 2013-05-06.

3. Mikhael Felker (December 8, 2006). ["Password Management Concerns with IE and Firefox, part one"](https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=cd572045-0dfe-4b49-9df6-578cbc441ce5&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments). [SecurityFocus.com](/source/SecurityFocus.com), [Symantec.com](/source/Symantec.com). Retrieved 2010-03-28.

4. ["Encryption Hierarchy"](https://msdn.microsoft.com/en-us/library/ms189586(v=sql.110).aspx). *Msdn.microsoft.com*. April 2012. Retrieved 2017-10-14.

5. ["What's New in Security for Windows XP Professional and Windows XP Home Edition"](https://technet.microsoft.com/en-us/library/bb457059.aspx). *Technet.microsoft.com*. 11 September 2009. Retrieved 2017-10-14.

6. ["ProtectedData Class (System.Security.Cryptography)"](http://msdn2.microsoft.com/en-us/library/system.security.cryptography.protecteddata.aspx). *Msdn2.microsoft.com*. Retrieved 2017-10-14.

7. ["CookieAuthenticationOptions.TicketDataFormat Property (Microsoft.Owin.Security.Cookies)"](http://msdn.microsoft.com/en-us/library/microsoft.owin.security.cookies.cookieauthenticationoptions.ticketdataformat(v=vs.113).aspx). Retrieved 2015-01-15.

8. ["OAuthAuthorizationServerOptions.AccessTokenFormat Property (Microsoft.Owin.Security.OAuth)"](http://msdn.microsoft.com/en-us/library/microsoft.owin.security.oauth.oauthauthorizationserveroptions.accesstokenformat(v=vs.113).aspx). 27 October 2015. Retrieved 2018-11-26.

## External links

- ["Le fonctionnement de DPAPI par Processus Thief"](https://web.archive.org/web/20221020071943/https://lestutosdeprocessus.fr/dechiffrement-dpapi.html) (in French). 2022-10-20. Archived from [the original](https://lestutosdeprocessus.fr/dechiffrement-dpapi.html) on 2022-10-20.

- [Windows Data Protection API (DPAPI) white paper by NAI Labs](https://go.microsoft.com/fwlink/?LinkId=89993)

- [Data encryption with DPAPI](http://www.codeproject.com/KB/system/protected_data.aspx) [Archived](https://web.archive.org/web/20080318094847/http://www.codeproject.com/KB/system/protected_data.aspx) 2008-03-18 at the [Wayback Machine](/source/Wayback_Machine)

- [How To: Use DPAPI (User Store) from ASP.NET 1.1 with Enterprise Services](http://msdn.microsoft.com/library/aa302404.aspx)

- [System.Security.Cryptography.ProtectedData in .NET Framework 2.0 and later](http://msdn.microsoft.com/library/system.security.cryptography.protecteddata.aspx)

- [Discussion of the use of MS BackupKey Remote Protocol by DPAPI to protect user secrets](http://msdn.microsoft.com/library/cc201324.aspx)

- [The Windows PStore](http://msdn.microsoft.com/library/bb432403.aspx)


---
Adapted from the Wikipedia article [Data Protection API](https://en.wikipedia.org/wiki/Data_Protection_API) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/Data_Protection_API?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.
