Persistent storage of encrypted data using .Net


Question


I need to store encrypted data (few small strings) between application runs. I do not want the user to provide a passphrase every time (s)he launches the application. I.e. after all it goes down to storing securely the encryption key(s).


I was looking into RSACryptoServiceProvider and using PersistentKeyInCsp, but I'm not sure how it works. Is the key container persistent between application runs or machine restarts? If yes, is it user specific or machine specific? I.e. if I store my encrypted data in the user's roaming profile, can I decrypt the data if the user logs on to a different machine?


If the above does not work, what are my options (I need to deal with roaming profiles).

Recommended answer


The Data Protection API (DPAPI) does exactly what you want. It provides symmetric encryption of arbitrary data, using the credentials of the machine or (better) the user, as the encryption key. You don't have to worry about managing the keys; Windows takes care of that for you. If the user changes his password, Windows will re-encrypt the data using the user's new password.


DPAPI is exposed in .NET with the System.Security.Cryptography.ProtectedData class:

using System.Security.Cryptography;

byte[] plaintextBytes = GetDataToProtect();
// null = no additional entropy; CurrentUser ties the blob to this Windows user's credentials
byte[] encodedBytes = ProtectedData.Protect(plaintextBytes, null, DataProtectionScope.CurrentUser);


The second parameter of the Protect method is an optional entropy byte array, which can be used as an additional application-specific "secret".


To decrypt, use the ProtectedData.Unprotect call:

byte[] encodedBytes = GetDataToUnprotect();
// Must use the same entropy and scope as the Protect call, otherwise a CryptographicException is thrown
byte[] plaintextBytes = ProtectedData.Unprotect(encodedBytes, null, DataProtectionScope.CurrentUser);


DPAPI works correctly with roaming profiles (as described here), though you'll need to store the encrypted data in a place (network share, IsolatedStorage with IsolatedStorageScope.Roaming, etc.) that your various machines can access.


See the ProtectedData class in MSDN for more information. There's a DPAPI white paper here, with more information than you'd ever want.
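The round trip the answer describes, written out as an added example (not the answerer's code): a small store that protects a string with DPAPI under the user's scope plus application entropy, keeps the blob in the roaming AppData folder, and treats a failed Unprotect as "no secret" rather than crashing. The class name, the entropy string and the file name are hypothetical; on .NET Core/5+ the `System.Security.Cryptography.ProtectedData` package is required and the code runs on Windows only.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class RoamingSecretStore
{
    // Optional entropy: an application-specific value mixed into the DPAPI key.
    // It is not a secret by itself (it ships in the binary); it only prevents
    // other DPAPI-using code running as the same user from decrypting the blob
    // by accident. Value is a hypothetical placeholder.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleApp.v1");

    // %APPDATA% is the roaming part of the profile, so the blob follows the user
    // to other machines; DPAPI can still decrypt it there under CurrentUser scope.
    private static string BlobPath => Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
        "ExampleApp", "secret.bin");

    public static void Save(string secret)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(secret);
        // CurrentUser: only this Windows user can Unprotect. LocalMachine would
        // let every account on the machine decrypt it, so prefer CurrentUser.
        byte[] blob = ProtectedData.Protect(plaintext, Entropy, DataProtectionScope.CurrentUser);
        Directory.CreateDirectory(Path.GetDirectoryName(BlobPath));
        File.WriteAllBytes(BlobPath, blob);
        Array.Clear(plaintext, 0, plaintext.Length); // do not keep plaintext around
    }

    public static string Load()
    {
        if (!File.Exists(BlobPath)) return null;
        byte[] blob = File.ReadAllBytes(BlobPath);
        try
        {
            byte[] plaintext = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
            return Encoding.UTF8.GetString(plaintext);
        }
        catch (CryptographicException)
        {
            // Blob protected by another user/scope, different entropy, or tampered with.
            return null;
        }
    }

    static void Main()
    {
        Save("example-token"); // constructed sample value
        Console.WriteLine(Load() ?? "<no secret>");
    }
}
```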

