DataProtectionScope.CurrentUser encryption does not seem to work across machines

I'm trying to encrypt and decrypt some text file data using .NET's ProtectedData.Protect method. I'd like to be able to encrypt the text (and save it to a file) on one machine and decrypt the text on a different machine. The machines are both in the same domain and both running the same service under the same username so I thought using DataProtectionScope.CurrentUser would allow either service to encrypt and decrypt the file.

When service number two tries to decrypt the file, it throws a "key not valid for use in specified state". Other sites suggest that this kind of problem occurs when impersonation is not done correctly, but there is no impersonation. Both services run under the same AD account. It looks to me like the services are using different keys to encrypt the data but I don't know why this would happen as they are running under the same account.

Has anyone else encountered this kind of issue?

The code I'm using to encrypt and decrypt is basically:

using System.Security.Cryptography; // ProtectedData, DataProtectionScope
using System.Text;                  // Encoding
byte[] bytes = Encoding.Unicode.GetBytes(password);
byte[] protectedPassword = ProtectedData.Protect(bytes, null, DataProtectionScope.CurrentUser);
return Convert.ToBase64String(protectedPassword); // then I write this to a file

Thanks!

Carolyn asked Jun 28 '10 18:06


1 Answer

The user must have a Roaming Profile.

In the documentation for the Windows API function underneath DPAPI, CryptProtectData, there is this comment:

... decryption usually can only be done on the computer where the data was encrypted. However, a user with a roaming profile can decrypt the data from another computer on the network.

umbyersw answered Sep 24 '22 15:09
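The round trip the question describes, written out as an added example (this is not code from the question or the answer): the secret is protected with DataProtectionScope.CurrentUser, persisted as Base64 to a file, and read back with Unprotect. The file path, the entropy string and the class and method names are assumptions made for this example. The catch block is the path machine two takes in the question: Unprotect throws CryptographicException when the blob was sealed under a user master key that the current profile does not hold, which is exactly the situation the answer's roaming-profile remark addresses.

```csharp
// Added example, not from the question or the answer. Round-trips a secret through
// DPAPI (CurrentUser scope) via a file, as the question does, and reports the
// failure mode seen when the file is read under a different user master key.
// File name, entropy value and type/method names are made up for this example.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class DpapiFileStore
{
    // Optional additional entropy: Protect and Unprotect must both supply the
    // identical bytes. Constructed value for this example; it is a second factor
    // bound into the blob, not a substitute for the user's DPAPI master key.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy");

    public static void SaveProtected(string path, string secret)
    {
        byte[] plain = Encoding.Unicode.GetBytes(secret);
        byte[] protectedBytes = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
        File.WriteAllText(path, Convert.ToBase64String(protectedBytes));
        Array.Clear(plain, 0, plain.Length); // don't leave the plaintext copy behind
    }

    public static string LoadProtected(string path)
    {
        byte[] protectedBytes = Convert.FromBase64String(File.ReadAllText(path));
        try
        {
            byte[] plain = ProtectedData.Unprotect(protectedBytes, Entropy, DataProtectionScope.CurrentUser);
            string secret = Encoding.Unicode.GetString(plain);
            Array.Clear(plain, 0, plain.Length);
            return secret;
        }
        catch (CryptographicException ex)
        {
            // This is what the second service in the question hits: the blob was
            // sealed with a user master key this profile does not have (other
            // machine, non-roaming profile, or different entropy). The ciphertext
            // cannot be recovered here; the secret must be re-protected under a
            // key both machines share, e.g. via a roaming profile as the answer notes.
            throw new InvalidOperationException(
                $"DPAPI could not unprotect '{path}' for user {Environment.UserName} on " +
                $"{Environment.MachineName}; the blob was probably protected under a " +
                "different user profile/master key.", ex);
        }
    }

    public static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "service-password.dpapi"); // constructed path
        SaveProtected(path, "s3cret-service-password");
        Console.WriteLine(LoadProtected(path) == "s3cret-service-password"
            ? "Same user, same profile: round-trip OK"
            : "Round-trip mismatch");
    }
}
```

Run it once on machine one, copy the file to machine two, and call LoadProtected there under the same account: without a roaming profile the InvalidOperationException path fires; with one, the user's DPAPI master keys travel with the profile and the same call succeeds. On .NET Core / .NET 5+ the ProtectedData type lives in the System.Security.Cryptography.ProtectedData package and is Windows-only.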