The World’s Leading Microsoft .NET Magazine
   
 
Jerry Dixon

Using the Data Protection API in .NET 2.0

posted Friday, 5 May 2006

One of the easiest ways to encrypt data at rest is to use the Windows Data Protection API (DPAPI).  The API is built into Windows 2000, Windows XP, and Windows Server 2003, and it provides encryption without the headache of securing your own encryption keys.   (One of the most common mistakes made with encryption is improper protection of the keys.)  With DPAPI, the keys are derived from the user's logon credentials, or from a machine-wide secret, and are managed by Windows.  The flip side is that the data can only be decrypted on the same machine: by the same Windows account for user-scoped data, or by any account on that machine for machine-scoped data.  DPAPI therefore suits secrets a program stores for its own later use (connection strings, saved credentials), not data you need to send somewhere else.

In the past, using DPAPI from managed code meant writing your own P/Invoke wrapper around the native CryptProtectData and CryptUnprotectData functions.  If you are using the 2.0 Framework, however, you no longer need that wrapper class.  Support for DPAPI is built in.  The new ProtectedData class (in the System.Security.Cryptography namespace) provides shared (static) Protect and Unprotect methods.  Here is some example code:

Encrypt
' Requires: Imports System.Security.Cryptography (ProtectedData, DataProtectionScope)
'           Imports System.Text (Encoding)
Private Shared Function EncryptString(ByVal ClearString As String, _
                                      ByVal Entropy As String) As String
    Dim ClearBytes As Byte() = Nothing
    Dim EntropyBytes As Byte() = Nothing
    Dim EncryptedBytes As Byte() = Nothing
    Dim EncryptedString As String = String.Empty

    ' get byte array from clear string
    ClearBytes = Encoding.UTF8.GetBytes(ClearString)

    ' get entropy bytes, if not nothing (entropy is optional; when it is
    ' supplied, the same value must be passed to Unprotect or decryption fails)
    If Entropy IsNot Nothing Then
        EntropyBytes = Encoding.UTF8.GetBytes(Entropy)
    End If

    ' get encrypted bytes; LocalMachine scope lets any account on this machine
    ' decrypt, CurrentUser would tie the data to the calling Windows account
    EncryptedBytes = ProtectedData.Protect(ClearBytes, _
                                           EntropyBytes, _
                                           DataProtectionScope.LocalMachine)

    ' get encrypted string (Base64 so the opaque blob can be stored as text)
    EncryptedString = Convert.ToBase64String(EncryptedBytes)

    Return EncryptedString
End Function

Decrypt
Private Shared Function DecryptString(ByVal EncryptedString As String, _
                                      ByVal Entropy As String) As String
    Dim ClearBytes As Byte() = Nothing
    Dim ClearString As String = String.Empty
    Dim EntropyBytes As Byte() = Nothing
    Dim EncryptedBytes As Byte() = Nothing

    ' get encrypted bytes
    EncryptedBytes = Convert.FromBase64String(EncryptedString)

    ' get entropy bytes, if not nothing (must match what was used to encrypt)
    If Entropy IsNot Nothing Then
        EntropyBytes = Encoding.UTF8.GetBytes(Entropy)
    End If

    ' get clear bytes; Unprotect throws a CryptographicException, rather than
    ' returning garbage, if the entropy is wrong or the blob was protected on
    ' another machine (or, for CurrentUser scope, by another account)
    ClearBytes = ProtectedData.Unprotect(EncryptedBytes, _
                                         EntropyBytes, _
                                         DataProtectionScope.LocalMachine)

    ' get clear string
    ClearString = Encoding.UTF8.GetString(ClearBytes)

    Return ClearString
End Function

As you can see, most of the code involves converting between strings and byte arrays.  The encryption and decryption themselves are a single call each way.

One last point:  In order to use the ProtectedData class, you'll have to add a reference to the System.Security.dll assembly (a new project does not reference it by default) and import the System.Security.Cryptography namespace.  And because the optional entropy is the only thing standing between machine-scoped data and every other account on that machine, treat it like a key: a constant string compiled into the program only protects against the casual case.
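As an added example (not code from the original post), the following console program round-trips a secret through ProtectedData in both scopes and shows what happens when the entropy given to Unprotect does not match the one used by Protect.  It assumes a reference to System.Security.dll and must run on Windows, since DPAPI is a Windows service.  The module name DpapiDemo, the helpers RoundTrip and ToEntropy, and the sample secret and entropy strings are this example's own constructed names and inputs, not anything from the article.

```vbnet
' Added example: exercises ProtectedData under both scopes and demonstrates
' the CryptographicException raised on an entropy mismatch.
' Assumes a reference to System.Security.dll; DpapiDemo, RoundTrip and
' ToEntropy are names chosen for this example only.
Imports System
Imports System.Security.Cryptography
Imports System.Text

Module DpapiDemo

    ' Converts an optional entropy string to bytes; Nothing stays Nothing,
    ' which ProtectedData accepts as "no additional entropy".
    Private Function ToEntropy(ByVal entropy As String) As Byte()
        If entropy Is Nothing Then Return Nothing
        Return Encoding.UTF8.GetBytes(entropy)
    End Function

    ' Protects secret with protectEntropy, then tries to unprotect it with
    ' unprotectEntropy under the same scope.  Returns True only when the
    ' recovered plaintext equals the input; a DPAPI failure returns False.
    Private Function RoundTrip(ByVal secret As String, _
                               ByVal protectEntropy As String, _
                               ByVal unprotectEntropy As String, _
                               ByVal scope As DataProtectionScope) As Boolean
        Dim clearBytes As Byte() = Encoding.UTF8.GetBytes(secret)
        Dim cipherBytes As Byte() = ProtectedData.Protect(clearBytes, _
                                                          ToEntropy(protectEntropy), _
                                                          scope)
        ' The plaintext buffer is no longer needed; zero it rather than leave
        ' it for the garbage collector (the String itself cannot be cleared).
        Array.Clear(clearBytes, 0, clearBytes.Length)

        Try
            Dim recovered As Byte() = ProtectedData.Unprotect(cipherBytes, _
                                                              ToEntropy(unprotectEntropy), _
                                                              scope)
            Dim ok As Boolean = (Encoding.UTF8.GetString(recovered) = secret)
            Array.Clear(recovered, 0, recovered.Length)
            Return ok
        Catch ex As CryptographicException
            ' Wrong entropy, a different account (CurrentUser data) or a
            ' different machine all surface here; no partial plaintext is returned.
            Console.WriteLine("  Unprotect failed: " & ex.Message)
            Return False
        End Try
    End Function

    Sub Main()
        Const secret As String = "db-password-example"   ' constructed sample input

        ' CurrentUser: only this Windows account, on this machine, can unprotect.
        Console.WriteLine("CurrentUser, matching entropy: " & _
            RoundTrip(secret, "app-salt", "app-salt", DataProtectionScope.CurrentUser).ToString())

        ' LocalMachine: any account on this machine can unprotect, provided it
        ' also supplies the same entropy.
        Console.WriteLine("LocalMachine, matching entropy: " & _
            RoundTrip(secret, "app-salt", "app-salt", DataProtectionScope.LocalMachine).ToString())

        ' Mismatched entropy: Unprotect throws instead of returning garbage.
        Console.WriteLine("LocalMachine, wrong entropy: " & _
            RoundTrip(secret, "app-salt", "other-salt", DataProtectionScope.LocalMachine).ToString())

        ' Entropy is optional; omitting it on both sides also round-trips.
        Console.WriteLine("LocalMachine, no entropy: " & _
            RoundTrip(secret, Nothing, Nothing, DataProtectionScope.LocalMachine).ToString())
    End Sub

End Module
```

Run it from a normal interactive logon and the first, second and fourth lines print True while the third prints False after the exception message.  Running the same binary under a different account will still succeed for the LocalMachine cases, which is exactly why the entropy, or CurrentUser scope, matters when several accounts share a machine.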
