
Google-fu is failing me, and I could not find documentation that answers the following question: if an application uses Windows machine key or user key to encrypt certain data, and the encrypted data is still available, but machine becomes inoperable (hard drive failure, erroneously formatted drive, etc.), how can keys be backed up and restored, to be used for disaster recovery?

I understand that it is possible to take an image of such machine and recreate it from image, but I am looking for a solution that is independent of image media. Does such solution exist? I.e. is it possible to take a backup of a Windows machine or user key and re-apply it on a different machine, if the original one is totally lost?

I would imagine that taking such a backup represents a security risk, but ATM I am only concerned about the very possibility of such approach.

user243647
  • If my memory serves me correctly, it's not possible to keep a backup and decrypt from said backup of keys, because DPAPI uses environment-specific variables. Hence it can only be decrypted in the same environment. – yeah_well Oct 03 '20 at 17:59

2 Answers


This seems to talk about using an alternative location for keys on a file system: Key storage providers in ASP.NET Core. It is strange that I could not initially find it, but the result appeared as soon as I dropped 'Microsoft' from the DPAPI search terms.

The linked article must be talking about user keys, unless I am missing something. This would make sense, because, like I presumed, backing up a machine key is a security risk. I am pretty sure I can go from there and base any further encryption on user keys.

I was also interested in the article DPAPI and Roaming Profiles that is linked from Key encryption at rest in Windows and Azure using ASP.NET Core, but it throws a 404.

A high-level solution seems to be to use a file-system backed user key store and to enable key encryption at rest, making sure that the key encryption key is also backed up somewhere.
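The setup this answer sketches, as an added example in C# (not code from the question, the answers, or the linked Microsoft articles): an ASP.NET Core Data Protection key ring persisted to a file-system directory that ordinary backups can capture, with key encryption at rest done by an X.509 certificate rather than the machine's DPAPI key, shown next to the machine-bound variant it replaces. It uses the Microsoft.AspNetCore.DataProtection and Microsoft.Extensions.DependencyInjection packages; the directory and PFX paths, the password placeholder, the application name and the helper names are assumptions made for this example.

```csharp
// Added example, not code from the question, the answers, or Microsoft's documentation.
// A Data Protection key ring that is (a) stored in a file-system directory a backup job
// can copy, and (b) encrypted at rest with a certificate, so a restore on a replacement
// machine needs the key directory plus the certificate (PFX with private key) and not
// the lost machine's DPAPI master key. Paths, password placeholder, application name
// and helper names below are assumptions made for this example.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

static class KeyRingRecoveryExample
{
    // Directory holding the key ring XML files. On a restore, copy it to the new
    // machine unchanged (assumed path).
    const string KeyDirectory = @"D:\app-keys";
    // Certificate whose public key encrypts the key ring and whose private key is
    // needed to decrypt it; back this PFX up separately from the key directory
    // (assumed path, placeholder password).
    const string KekPfxPath = @"D:\secrets\dp-kek.pfx";
    const string KekPfxPassword = "<pfx password from a secret store>";

    // Machine-bound variant, shown for contrast: the key ring is encrypted with the
    // local machine's DPAPI key, so it cannot be decrypted once that machine is gone.
    public static ServiceProvider ConfigureMachineBound()
    {
        var services = new ServiceCollection();
        services.AddDataProtection()
            .PersistKeysToFileSystem(new DirectoryInfo(KeyDirectory))
            .ProtectKeysWithDpapi(protectToLocalMachine: true);
        return services.BuildServiceProvider();
    }

    // Portable variant: the key ring is encrypted with a certificate that can be
    // backed up and installed on any replacement host.
    public static ServiceProvider ConfigurePortable(X509Certificate2 kek)
    {
        var services = new ServiceCollection();
        services.AddDataProtection()
            // Same name on every host; otherwise each host derives different keys.
            .SetApplicationName("payments-api")
            .PersistKeysToFileSystem(new DirectoryInfo(KeyDirectory))
            // Encrypt key material at rest with the certificate's public key.
            .ProtectKeysWithCertificate(kek)
            // Decrypt with this certificate (and any earlier one listed here), so the
            // certificate itself can be rotated without orphaning older keys.
            .UnprotectKeysWithAnyCertificate(kek);
        return services.BuildServiceProvider();
    }

    // Protects and unprotects a value; true means the key ring is usable. Running the
    // Unprotect half against a restored key directory on a fresh machine is the
    // practical check that the backup set (key files + PFX) is complete.
    public static bool RoundTrip(IServiceProvider provider, string plaintext)
    {
        var protector = provider.GetRequiredService<IDataProtectionProvider>()
                                .CreateProtector("example.purpose.v1");
        string ciphertext = protector.Protect(plaintext);
        return protector.Unprotect(ciphertext) == plaintext;
    }

    public static void Main()
    {
        // Loads the PFX including its private key.
        var kek = new X509Certificate2(KekPfxPath, KekPfxPassword);
        using var provider = ConfigurePortable(kek);
        Console.WriteLine(RoundTrip(provider, "session-token-123")
            ? "round trip OK: key ring usable with the backed-up certificate"
            : "round trip FAILED");
    }
}
```

The key files written to the directory are XML documents with the symmetric key inside an encrypted element, so without the certificate's private key they are useless to whoever copies them; that is also why the PFX belongs in the backup set alongside the key directory, and why it should be stored and access-controlled separately from it.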


According to this (outdated, last updated in 2010, but perhaps it is still valid) Microsoft documentation for the DPAPI, the user's Master Key can be backed up. I am not sure if this also applies to the Machine key.

When a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. When a MasterKey is generated, DPAPI talks to a Domain Controller. Domain Controllers have a domain-wide public/private key pair, associated solely with DPAPI. The local DPAPI client gets the Domain Controller public key from a Domain Controller by using a mutually authenticated and privacy protected RPC call. The client encrypts the MasterKey with the Domain Controller public key. It then stores this backup MasterKey along with the MasterKey protected by the user's password.

While unprotecting data, if DPAPI cannot use the MasterKey protected by the user's password, it sends the backup MasterKey to a Domain Controller by using a mutually authenticated and privacy protected RPC call. The Domain Controller then decrypts the MasterKey with its private key and sends it back to the client by using the same protected RPC call. This protected RPC call is used to ensure that no one listening on the network can get the MasterKey.

Now you're probably thinking that this backup works great with domain clients, but you're also wondering what about all the home users who run stand-alone or workgroup systems. Well, Windows XP has a new feature: the Password Reset Disk (PRD). A user can create a PRD from the Control Panel at any time, and it then allows the user to reset their password when they forget it. When the password is reset by the PRD, all of the user's MasterKeys are re-encrypted under the new password.

nobody