Data encryption and key management in C#


Question

Which route to take, what are the pros and cons, and which is more secure?

1) Generate an AES key, encrypt the data with it and then encrypt the AES key with RSA; save the encrypted data and the encrypted AES key to a file and the RSA keypair to a KeyContainer.

2) Or use the DPAPI ProtectedData class to encrypt the data and save it to a file, and then store the entropy that I used with ProtectedData.Protect() somewhere. (Maybe also encrypt it with RSA, store the RSA keypair in a KeyContainer and the encrypted entropy in the file with the data?)

Edit: Just for more info: We need to secure our application's file system usage. So any file the application stores to the filesystem, we want to be encrypted. The file is most likely used by the same application or another component of the same application stack.

Recommended answer

If you are looking for an encryption scheme to protect local application data, then your choice of API depends on whether you need to share the encrypted data between different servers running the same application.

If only one server needs access to the data, then DPAPI should be good enough for your purposes. The security is provided by the user's credentials, which in this context will be the credentials running your application stack. You can provide additional entropy (or 'salt') hardcoded into your application to increase the security so that it is not reliant on the end-user credentials alone. It is simple to implement and you don't need to deal with exporting/importing keys.

If multiple servers need to access the same files / data, then the RSA Key Container method is better. The same key can be exported to multiple servers and they can share the same encrypted files. The key can also be backed up for recovery purposes. You don't have such an option with DPAPI.

The security of one method is not better than the other, as they use similar schemes and both keys are in the end protected with the user credentials. DPAPI uses credentials to secure the internal RSA keys it uses, and Windows controls access to RSA Key Containers by using the credentials as well.
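Option 1 from the question (a per-file AES key wrapped with an RSA key pair held in a named CSP key container), as an added example that is not part of the original question or answer; the container name, the file layout and the use of RSACryptoServiceProvider are assumptions:

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Added example, not code from the original question or answer: a per-file AES
// data key is wrapped with an RSA key pair persisted in a named CSP key container.
// The container name below is an assumed placeholder.
public static class EnvelopeFileCrypto
{
    const string ContainerName = "MyAppKeyContainer"; // assumption: choose your own

    static RSACryptoServiceProvider OpenContainerKey()
    {
        // Opens the persisted RSA pair, creating it on first use; add
        // CspProviderFlags.UseMachineKeyStore if it must not depend on a user profile.
        var csp = new CspParameters { KeyContainerName = ContainerName };
        return new RSACryptoServiceProvider(2048, csp);
    }

    // File layout: [int32 wrapped-key length][wrapped AES key][16-byte IV][AES-CBC ciphertext]
    public static void EncryptFile(string plainPath, string encPath)
    {
        using (var rsa = OpenContainerKey())
        using (var aes = Aes.Create())
        using (var w = new BinaryWriter(File.Create(encPath)))
        {
            aes.KeySize = 256;
            aes.GenerateKey(); aes.GenerateIV();          // fresh data key and IV per file
            byte[] wrapped = rsa.Encrypt(aes.Key, true);  // RSA-OAEP wrap of the AES key
            w.Write(wrapped.Length); w.Write(wrapped); w.Write(aes.IV);
            using (var cs = new CryptoStream(w.BaseStream, aes.CreateEncryptor(), CryptoStreamMode.Write))
            using (var input = File.OpenRead(plainPath))
                input.CopyTo(cs);                         // disposing cs flushes the final block
        }
    }

    public static void DecryptFile(string encPath, string plainPath)
    {
        using (var rsa = OpenContainerKey())
        using (var aes = Aes.Create())
        using (var r = new BinaryReader(File.OpenRead(encPath)))
        {
            byte[] wrapped = r.ReadBytes(r.ReadInt32());
            aes.Key = rsa.Decrypt(wrapped, true);         // only a holder of the container key can unwrap
            aes.IV = r.ReadBytes(16);
            using (var cs = new CryptoStream(r.BaseStream, aes.CreateDecryptor(), CryptoStreamMode.Read))
            using (var output = File.Create(plainPath))
                cs.CopyTo(output);
        }
    }
}
```

AES-CBC as used here gives confidentiality only; if the application must also detect a tampered file, add an HMAC over the IV and ciphertext or use an authenticated mode such as AesGcm on .NET Core 3.0 and later.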

