Persistent storage of encrypted data using .Net


Question


I need to store encrypted data (few small strings) between application runs. I do not want the user to provide a passphrase every time (s)he launches the application. I.e. after all it goes down to storing securely the encryption key(s).


I was looking into RSACryptoServiceProvider and using PersistentKeyInCsp, but I'm not sure how it works. Is the key container persistent between application runs or machine restarts? If yes, is it user specific, or machine specific. I.e. if I store my encrypted data in user's roaming profile, can I decrypt the data if the user logs on a different machine?


If the above does not work, what are my options (I need to deal with roaming profiles).

Accepted answer


The Data Protection API (DPAPI) does exactly what you want. It provides symmetric encryption of arbitrary data, using the credentials of the machine or (better) the user, as the encryption key. You don't have to worry about managing the keys; Windows takes care of that for you. If the user changes his password, Windows will re-encrypt the data using the user's new password.


DPAPI is exposed in .NET with the System.Security.Cryptography.ProtectedData class:

// Requires: using System.Security.Cryptography;
// CurrentUser scope: only the same Windows user account can later unprotect the blob.
byte[] plaintextBytes = GetDataToProtect();
byte[] encodedBytes = ProtectedData.Protect(plaintextBytes, null, DataProtectionScope.CurrentUser);


The second parameter of the Protect method is an optional entropy byte array, which can be used as an additional application-specific "secret".


To decrypt, use the ProtectedData.Unprotect call:

// The entropy (here null) and scope must match those used in Protect,
// otherwise Unprotect throws a CryptographicException.
byte[] encodedBytes = GetDataToUnprotect();
byte[] plaintextBytes = ProtectedData.Unprotect(encodedBytes, null, DataProtectionScope.CurrentUser);


DPAPI works correctly with roaming profiles (as described here), though you'll need to store the encrypted data in a place (network share, IsolatedStorage with IsolatedStorageScope.Roaming, etc.) that your various machines can access.


See the ProtectedData class in MSDN for more information. There's a DPAPI white paper here, with more information than you'd ever want.
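The following is an added example, not code from the original answer: it round-trips a small secret through DPAPI with application-specific entropy, writes the blob under the user's roaming AppData folder, and shows that the wrong entropy makes Unprotect fail with a CryptographicException. The entropy string, folder name and sample secret are made-up values; it assumes Windows and a .NET runtime that provides System.Security.Cryptography.ProtectedData.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class DpapiStore
{
    // Hypothetical application-specific entropy. It is not a password: it only
    // stops other DPAPI-using code running as the same user from decrypting the blob.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy-v1");

    // Roaming AppData, so the blob follows the user's roaming profile.
    static string BlobPath => Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
        "ExampleApp", "secret.bin");

    public static void Save(string secret)
    {
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(secret), Entropy, DataProtectionScope.CurrentUser);
        Directory.CreateDirectory(Path.GetDirectoryName(BlobPath));
        File.WriteAllBytes(BlobPath, blob);
    }

    public static string Load(byte[] entropy)
    {
        byte[] blob = File.ReadAllBytes(BlobPath);
        // Throws CryptographicException if entropy or the user context does not match.
        byte[] plain = ProtectedData.Unprotect(blob, entropy, DataProtectionScope.CurrentUser);
        return Encoding.UTF8.GetString(plain);
    }

    static void Main()
    {
        Save("api-token-12345"); // constructed sample secret
        Console.WriteLine("Recovered: " + Load(Entropy));

        try
        {
            Load(Encoding.UTF8.GetBytes("wrong-entropy"));
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("Unprotect with wrong entropy failed as expected: " + ex.Message);
        }
    }
}
```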
