[英]Where should a Windows service, running as Local System, store a private key in the file system?
I need to generate and store a sensitive file (assume that it is not a traditional PKCS format) private key and keep it accessible to the running service. 我需要生成并存储一个敏感文件(假设它不是传统的PKCS格式)私钥,并使运行的服务可以访问它。
Normally, when running as a service account (AD User), I would store the file under the user's profile, and then let standard Windows security handle this. 通常,当以服务帐户(AD用户)身份运行时,我会将文件存储在用户的配置文件下,然后让标准Windows安全处理此问题。
Outside of the CryptoAPI, where in the file system should I store this private key? 在CryptoAPI之外,我应该将该私钥存储在文件系统中的什么位置?
Using DPAPI, you can either use current user credentials or either the LocalMachine 'creds'. 使用DPAPI,您既可以使用当前用户凭据,也可以使用LocalMachine“信条”。
LocalMachine will make all users on the computer able to Unprotect the data (still a solution though... if you trust every user on this computer). LocalMachine将使计算机上的所有用户都能够取消保护数据(不过,如果您信任此计算机上的每个用户,这仍然是解决方案)。
Or, you can use impersonation to get the current user & do your stuff. 或者,您可以使用模拟来获取当前用户并做您的工作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.