Data Protection API Scope: LocalMachine & CurrentUser

We have an application that encrypts/decrypts data as DataProtectionScope.LocalMachine. We're now having to change the scope to DataProtectionScope.CurrentUser.

Will the existing strings encrypted under the LocalMachine scope still be readable when the scope is changed to CurrentUser, assuming of course the user is logged into the same machine?

EDIT: I've written a very quick & dirty test application. Strangely, on the same computer I can decrypt a string encrypted under LocalMachine or CurrentUser scope by both LocalMachine & CurrentUser scopes. This doesn't sound like the correct behaviour, help!

    using System;
    using System.Security.Cryptography;
    using System.Text;

    private void btnUserEncrypt_Click(object sender, EventArgs e)
    {
        //encrypt data under the current user's scope
        var data = Encoding.Unicode.GetBytes(txtUserEncrypt.Text);
        byte[] encrypted = ProtectedData.Protect(data, null, DataProtectionScope.CurrentUser);

        txtUserEncrypt.Text = Convert.ToBase64String(encrypted);
    }

    private void btnUserDecrypt_Click(object sender, EventArgs e)
    {
        byte[] data = Convert.FromBase64String(txtUserDecrypt.Text);

        //decrypt data, passing the current user's scope
        byte[] decrypted = ProtectedData.Unprotect(data, null, DataProtectionScope.CurrentUser);
        txtUserDecrypt.Text = Encoding.Unicode.GetString(decrypted);
    }

    private void btnMachineEncrypt_Click(object sender, EventArgs e)
    {
        //encrypt data under the local machine scope
        var data = Encoding.Unicode.GetBytes(txtMachineEncrypt.Text);
        byte[] encrypted = ProtectedData.Protect(data, null, DataProtectionScope.LocalMachine);

        txtMachineEncrypt.Text = Convert.ToBase64String(encrypted);
    }

    private void btnMachineDecrypt_Click(object sender, EventArgs e)
    {
        byte[] data = Convert.FromBase64String(txtMachineDecrypt.Text);

        //decrypt data, passing the local machine scope
        byte[] decrypted = ProtectedData.Unprotect(data, null, DataProtectionScope.LocalMachine);
        txtMachineDecrypt.Text = Encoding.Unicode.GetString(decrypted);
    }
Marcus asked Jan 13 '23 05:01


1 Answer

When you decrypt DPAPI-encrypted data, data protection scope is ignored.

The DPAPI decryption routine checks metadata in the encrypted blob to see which scope was used for encryption and uses the same scope for decryption regardless of the scope you specify. So, if you encrypt data using machine scope, but then decrypt it "using" user scope (on the same machine), it will work because it will still use machine scope for decryption. If you want to verify, try moving data encrypted with machine scope to a different system and decrypting it using the same user account. You will see that this will fail. Or you can try to decrypt these data while logged in under a different account (in which case, it will work, too).

So, the answer to your question is: yes, if you encrypt data using DPAPI with machine scope and try to decrypt it passing user scope (on the same machine), it will work, but only because it will ignore the user scope during decryption.

Alek Davis answered Jan 22 '23 16:01
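An added console example (not code from the question or the answer) that reproduces what Alek describes on a Windows machine: it protects a string under each scope, unprotects it while passing the other scope, and also reads the flags field from the DPAPI blob header to show where the encryption-time scope is actually recorded. The header layout (flags DWORD at byte offset 40) and the CRYPTPROTECT_LOCAL_MACHINE value 0x4 are assumptions taken from the documented DPAPI blob format, not something the answer states.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class DpapiScopeCheck
{
    // CRYPTPROTECT_LOCAL_MACHINE (0x4, assumed from wincrypt.h): recorded in the
    // blob header when data was protected with DataProtectionScope.LocalMachine.
    const uint CryptProtectLocalMachine = 0x4;

    // Reads the flags DWORD from the DPAPI blob header. Assumed layout: DWORD version,
    // 16-byte provider GUID, DWORD master-key version, 16-byte master-key GUID,
    // then DWORD flags at byte offset 40.
    static bool BlobIsMachineScoped(byte[] blob)
    {
        uint flags = BitConverter.ToUInt32(blob, 40);
        return (flags & CryptProtectLocalMachine) != 0;
    }

    // Protect with one scope, Unprotect with another; true if the plaintext round-trips.
    static bool CrossScopeRoundTrip(string secret, DataProtectionScope encryptScope,
                                    DataProtectionScope decryptScope)
    {
        byte[] blob = ProtectedData.Protect(Encoding.Unicode.GetBytes(secret), null, encryptScope);
        Console.WriteLine($"  blob header flags say machine scope: {BlobIsMachineScoped(blob)}");
        try
        {
            byte[] plain = ProtectedData.Unprotect(blob, null, decryptScope);
            return Encoding.Unicode.GetString(plain) == secret;
        }
        catch (CryptographicException ex)
        {
            // Expected on a different machine (machine scope) or a different account (user scope).
            Console.WriteLine($"  Unprotect failed: {ex.Message}");
            return false;
        }
    }

    static void Main()
    {
        const string secret = "constructed sample secret";   // constructed test input
        Console.WriteLine("Protect LocalMachine, Unprotect CurrentUser:");
        Console.WriteLine($"  decrypted OK: {CrossScopeRoundTrip(secret, DataProtectionScope.LocalMachine, DataProtectionScope.CurrentUser)}");
        Console.WriteLine("Protect CurrentUser, Unprotect LocalMachine:");
        Console.WriteLine($"  decrypted OK: {CrossScopeRoundTrip(secret, DataProtectionScope.CurrentUser, DataProtectionScope.LocalMachine)}");
    }
}
```

On the same machine and account both round-trips print true, which is the behaviour the question observed; on .NET 6 or later, ProtectedData comes from the System.Security.Cryptography.ProtectedData package and only works on Windows.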