Equivalent of Data Protection API on Linux

Question

Microsoft Windows 2000 and later versions expose the Data Protection API (DPAPI) that encrypts data for a per-user or per-system context. The caller does not provide a key with which to encrypt the data. Rather, the data is encrypted with a key derived from the user or system credentials.

This API is conveniently exposed in .NET via the ProtectedData class:

// Encrypts the data in a specified byte array and returns a byte array
// that contains the encrypted data.
public static byte[] Protect(
    byte[] userData,
    byte[] optionalEntropy,
    DataProtectionScope scope
)

// Decrypts the data in a specified byte array and returns a byte array
// that contains the decrypted data.
public static byte[] Unprotect(
    byte[] encryptedData,
    byte[] optionalEntropy,
    DataProtectionScope scope
)

Is there an equivalent API on Linux? A bonus would be that it integrates conveniently with Java.

What are my alternatives if there isn't one?

Answer 1

There are two options for user-level key stores on Linux:

• GnomeKeyring
• KWallet

This does not address the need for a system-level key store.

Answer 2

It doesn't look any more (or less) advanced than PGP, or Pretty Good Privacy. There are APIs available for PGP, and the one that I recall others speaking kindly of is Bouncy Castle.

Here's an example of how someone used Bouncy Castle.

Better APIs or solutions may be available, depending on your specific needs.