Using ProtectedData.Protect() for files

I'm working on some code that ideally can encrypt a file using the Windows DPAPI. This is fine if the file can be read directly into memory, but if it can't I cannot encrypt it. ProtectedData.Protect takes 3 arguments - the data as a byte array, optional entropy as a byte array, and a scope.

When I use it as below, it yields 2 different results:

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

var data = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8 };

// Same input, same (null) entropy, same scope, protected twice.
byte[] encryptedDataA = ProtectedData.Protect(data, null, DataProtectionScope.CurrentUser);
byte[] encryptedDataB = ProtectedData.Protect(data, null, DataProtectionScope.CurrentUser);

Console.WriteLine(encryptedDataA.SequenceEqual(encryptedDataB));
// False!!!!
```

Specifying identical entropy also results in different results. Here is an MSDN answer corroborating this. However, there is no documentation I can find detailing the header or how to read it.

As there are no overloads taking it as anything but a byte[], I can't find any way of fixing this to allow for encryption of large files without ugly chunking of the data.

Is there any way to work around this?

If you look at the source code for ProtectedData.Protect, you will find that at some point it redirects the call to the Crypt32 library: CryptProtectData function.

In the Remarks section, you will see:

The function creates a session key to perform the encryption. The session key is derived again when the data is to be decrypted.

This, to me, reads like a new key is generated every time the function is called.

So, if you need to get the same value every time, you'd be better off using AES instead.
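One way to handle the large-file case from the question is to pass only a random AES key through DPAPI and stream the file itself through AES. This is an added example, not code from the question or the answer; the class `DpapiEnvelope`, its method names and the file layout are hypothetical, and it assumes Windows with C# 8 or later (on .NET Core and later, the System.Security.Cryptography.ProtectedData package).

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

static class DpapiEnvelope
{
    // File layout (constructed for this example):
    // [int32 wrappedKeyLength][DPAPI-wrapped AES key][16-byte IV][AES-CBC ciphertext]
    public static void EncryptFile(string sourcePath, string destPath)
    {
        using var aes = Aes.Create(); // fresh random 256-bit key and IV; CBC with PKCS7 by default
        // Only the 32-byte key goes through DPAPI, so the file size no longer matters.
        byte[] wrappedKey = ProtectedData.Protect(aes.Key, null, DataProtectionScope.CurrentUser);

        using var input = File.OpenRead(sourcePath);
        using var output = File.Create(destPath);
        output.Write(BitConverter.GetBytes(wrappedKey.Length), 0, sizeof(int));
        output.Write(wrappedKey, 0, wrappedKey.Length);
        output.Write(aes.IV, 0, aes.IV.Length);

        using var encryptor = aes.CreateEncryptor();
        using var crypto = new CryptoStream(output, encryptor, CryptoStreamMode.Write);
        input.CopyTo(crypto); // streamed buffer by buffer, never fully in memory
    }

    public static void DecryptFile(string sourcePath, string destPath)
    {
        using var input = File.OpenRead(sourcePath);
        using var reader = new BinaryReader(input);
        int wrappedLength = reader.ReadInt32();
        // The header is untrusted input: bound the length before allocating.
        if (wrappedLength <= 0 || wrappedLength > 4096)
            throw new InvalidDataException("Implausible wrapped-key length.");
        byte[] wrappedKey = reader.ReadBytes(wrappedLength);
        byte[] iv = reader.ReadBytes(16);
        if (wrappedKey.Length != wrappedLength || iv.Length != 16)
            throw new InvalidDataException("Truncated header.");

        using var aes = Aes.Create();
        // Unprotect throws CryptographicException for another user or a modified blob.
        aes.Key = ProtectedData.Unprotect(wrappedKey, null, DataProtectionScope.CurrentUser);
        aes.IV = iv;

        using var decryptor = aes.CreateDecryptor();
        using var crypto = new CryptoStream(input, decryptor, CryptoStreamMode.Read);
        using var output = File.Create(destPath);
        crypto.CopyTo(output);
    }
}
```

AES-CBC as used here provides confidentiality only: changes to the IV or ciphertext are not detected unless a MAC over both is added and verified before decryption.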
