Persistent storage of encrypted data using .Net


Question

I need to store encrypted data (few small strings) between application runs. I do not want the user to provide a passphrase every time (s)he launches the application. I.e. after all it goes down to storing securely the encryption key(s).

I was looking into RSACryptoServiceProvider and using PersistentKeyInCsp, but I'm not sure how it works. Is the key container persistent between application runs or machine restarts? If yes, is it user specific, or machine specific. I.e. if I store my encrypted data in user's roaming profile, can I decrypt the data if the user logs on a different machine?

If the above does not work, what are my options (I need to deal with roaming profiles).

Recommended answer

The Data Protection API (DPAPI) does exactly what you want. It provides symmetric encryption of arbitrary data, using the credentials of the machine or (better) the user, as the encryption key. You don't have to worry about managing the keys; Windows takes care of that for you. If the user changes his password, Windows will re-encrypt the data using the user's new password.

DPAPI is exposed in .NET with the System.Security.Cryptography.ProtectedData class:

// GetDataToProtect() stands for whatever produces the bytes you want to encrypt.
byte[] plaintextBytes = GetDataToProtect();
// null = no additional entropy; CurrentUser = only this Windows account can Unprotect.
byte[] encodedBytes = ProtectedData.Protect(plaintextBytes, null, DataProtectionScope.CurrentUser);

The second parameter of the Protect method is an optional entropy byte array, which can be used as an additional application-specific "secret".

To decrypt, use the ProtectedData.Unprotect call:

// GetDataToUnprotect() stands for reading back the blob produced by Protect.
byte[] encodedBytes = GetDataToUnprotect();
// Entropy and scope must match the Protect call, otherwise a CryptographicException is thrown.
byte[] plaintextBytes = ProtectedData.Unprotect(encodedBytes, null, DataProtectionScope.CurrentUser);

DPAPI works correctly with roaming profiles (as described here), though you'll need to store the encrypted data in a place (network share, IsolatedStorage with IsolatedStorageScope.Roaming, etc.) that your various machines can access.

See the ProtectedData class in MSDN for more information. There's a DPAPI white paper here, with more information than you'd ever want.
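The answer's two fragments put together as a small persistent store, as an added example that is not part of the original answer: the secret is protected with DPAPI under the current user, mixed with an application-specific entropy value, written under the roaming profile, and read back with failure handling. The class name, file path and entropy string are assumptions chosen for illustration.

```csharp
// Added example (not from the original answer): persists a small secret across
// application runs with DPAPI via ProtectedData, stored under the roaming profile.
// "SecretStore", the file location and the entropy value are illustrative assumptions.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class SecretStore
{
    // Application-specific "optional entropy": a second input that must be supplied
    // identically to Unprotect. It lives in the binary, not beside the data file.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy-v1");

    // %APPDATA% is the roaming part of the profile, so the blob follows the user
    // to other machines; DPAPI can still decrypt it there for the same domain user.
    private static string BlobPath =>
        Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
                     "ExampleApp", "secret.bin");

    public static void Save(string secret)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(secret);
        // CurrentUser scope: only this Windows user account can call Unprotect successfully.
        byte[] blob = ProtectedData.Protect(plaintext, Entropy, DataProtectionScope.CurrentUser);
        Directory.CreateDirectory(Path.GetDirectoryName(BlobPath)!);
        File.WriteAllBytes(BlobPath, blob);
        Array.Clear(plaintext, 0, plaintext.Length); // do not keep the plaintext around
    }

    // Returns null when no blob exists or it cannot be decrypted (different user,
    // different entropy, corrupted or tampered blob): the caller should re-prompt.
    public static string? Load()
    {
        if (!File.Exists(BlobPath)) return null;
        try
        {
            byte[] blob = File.ReadAllBytes(BlobPath);
            byte[] plaintext = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
            return Encoding.UTF8.GetString(plaintext);
        }
        catch (CryptographicException)
        {
            return null;
        }
    }
}
```

Calling `SecretStore.Save("token")` once and `SecretStore.Load()` on the next run returns the string for the same user; any other account reading the same file gets null rather than the secret.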
