I am looking into storing some sensitive data in an application I am working on. I have been looking at the ProtectedData
class provided by Microsoft, and it looks pretty straightforward. However, I have a couple of questions regarding how it works.
First, I see that it uses "the user's login credentials" to generate the encryption key. I have seen in the documentation that only the current user will be able to decrypt the data. That is not a problem, I just want to know if the same user is logged in on a different machine, will they be able to decrypt the data? I am planning to have the saved information being shared over OneDrive, so hopefully it would be accessible on any device that the same user is using.
ex:
User A logs in on desktop computer, saves encrypted file abc.txt
User A then logs in on tablet, loads file abc.txt
Is abc.txt accessible to User A on the tablet?
Second, what happens once the user changes their password? It seems to me that the encryption key would then be different, and wouldn't that cause the decryption of the data that used the previous encryption key to no longer be recoverable?
ex:
User A logs in on desktop computer, saves encrypted file abc.txt
User A changes password
User A logs in on desktop computer, loads file abc.txt
Is abc.txt accessible to User A anymore?
Is abc.txt accessible to User A on the tablet?
"For DPAPI to work correctly when it uses roaming profiles, the domain user must only be logged on to a single computer in the domain. If the user wants to log on to a different computer that is in the domain, the user must log off the first computer before the user logs on to the second computer. If the user is logged on to multiple computers at the same time, it is likely that DPAPI will not be able to decrypt existing encrypted data correctly." - http://support.microsoft.com/kb/309408
Is abc.txt accessible to User A anymore? On a single machine, after changing a password the user should still be able to access previously encrypted files. My understanding is previously generated keys are still stored in a list to allow this. (It would be an expensive operation to have to decrypt and re-encrypt all previously stored data every time a user changes their password, so instead they just keep the old keys.)
However, there are administrative tools that would allow you to change the password in a way that might break this.
I do not know what effect changing your password on Machine A would have on Machine B. I would assume the roaming profile would deal with this properly, but that might be an invalid assumption.
I wouldn't store data in DPAPI that is critical without backing it up somewhere. Of course that introduces other security related complexities depending on what the sensitivity of the data is.
The Data Protection API (DPAPI) works correctly with roaming profiles. So this would cover the fact that a user can decrypt the data over a network. Isolated storage is used to store data that applies across multiple applications and is not tied to any particular application, such as the user's name or license information.
Example to create the isolated roaming store:
using System.IO.IsolatedStorage;

// IsolatedStorageScope.Roaming is what makes this a roaming store; without it the store stays local to the machine
using (IsolatedStorageFile isoStore = IsolatedStorageFile.GetStore(IsolatedStorageScope.User | IsolatedStorageScope.Domain | IsolatedStorageScope.Assembly | IsolatedStorageScope.Roaming, null, null))
{
    isoStore.CreateDirectory("TopLevelDirectory");
    // CreateFile returns an open IsolatedStorageFileStream; dispose it so the handle is released
    using (IsolatedStorageFileStream stream = isoStore.CreateFile("abc.txt")) { }
}
Example to get the isolated roaming store:
using System.IO.IsolatedStorage;

// IsolatedStorageFile is IDisposable, so open it in a using block
using (IsolatedStorageFile isoFile = IsolatedStorageFile.GetStore(IsolatedStorageScope.User |
                                                                  IsolatedStorageScope.Assembly |
                                                                  IsolatedStorageScope.Roaming, null, null))
{
    // read or write files in the roaming store here
}
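The following is an added example that is not part of either answer above. It ties the two answers together: the secret is protected with ProtectedData (DPAPI, CurrentUser scope, with optional entropy), the ciphertext is kept in the roaming isolated store from the second answer, and a failed Unprotect (the "different machine" or "broken password change" case from the first answer) is handled by returning null so the application can ask for the secret again instead of crashing. The file name, the entropy string and the secret value are constructed for this demo; the project needs a reference to System.Security.dll for ProtectedData.

```csharp
using System;
using System.IO;
using System.IO.IsolatedStorage;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original answers): DPAPI-protected blob stored in
// the roaming isolated store, with a recoverable failure path for Unprotect.
static class RoamingSecretStore
{
    // Constructed file name for the demo.
    const string FileName = "abc.txt";

    // Optional entropy is mixed into the DPAPI key derivation: another process
    // running as the same user still needs this value to decrypt. A constant
    // only stops accidental cross-application reads; it is not itself a secret.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-v1");

    static IsolatedStorageFile OpenRoamingStore() =>
        IsolatedStorageFile.GetStore(
            IsolatedStorageScope.User | IsolatedStorageScope.Assembly | IsolatedStorageScope.Roaming,
            null, null);

    // Encrypt with the current user's DPAPI master key and write the ciphertext
    // to the roaming store. The file roams with the profile; whether the DPAPI
    // master key also roams depends on the profile setup described in the KB quote.
    public static void Save(string secret)
    {
        byte[] ciphertext = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(secret), Entropy, DataProtectionScope.CurrentUser);

        using (IsolatedStorageFile store = OpenRoamingStore())
        using (var stream = new IsolatedStorageFileStream(FileName, FileMode.Create, store))
        {
            stream.Write(ciphertext, 0, ciphertext.Length);
        }
    }

    // Returns the plaintext, or null when there is no file or DPAPI cannot
    // recover the key for this user on this machine. Callers treat null as
    // "prompt the user to re-enter the secret".
    public static string TryLoad()
    {
        byte[] ciphertext;
        using (IsolatedStorageFile store = OpenRoamingStore())
        {
            if (!store.FileExists(FileName))
                return null;

            using (var stream = new IsolatedStorageFileStream(FileName, FileMode.Open, store))
            using (var buffer = new MemoryStream())
            {
                stream.CopyTo(buffer);
                ciphertext = buffer.ToArray();
            }
        }

        try
        {
            byte[] plaintext = ProtectedData.Unprotect(
                ciphertext, Entropy, DataProtectionScope.CurrentUser);
            return Encoding.UTF8.GetString(plaintext);
        }
        catch (CryptographicException)
        {
            // Thrown when the user's DPAPI master key is not available here:
            // a different machine without a roaming key, a different user,
            // or a password reset that discarded the old keys.
            return null;
        }
    }

    static void Main()
    {
        Save("example secret value");
        string recovered = TryLoad();
        Console.WriteLine(recovered ?? "Could not decrypt: ask the user to enter the secret again.");
    }
}
```

Because the failure is reported as null rather than an unhandled exception, the application can keep a clean recovery path (re-prompt and re-save) for exactly the roaming and password-change situations the question raises, without ever writing the plaintext secret to the roaming store.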