How to use DPAPI in a load-balanced environment

Information Security Asked by Robin Xing on August 18, 2020

DPAPI can be used to encrypt the secret data.
We intend to use it in our web app to encrypt some data and store the encrypted data in a database. When needed, we decrypt the data and present it on the UI (web page). It works well if we host the web app on a single web server. But the problem appears when we migrate it to a load-balanced environment, hosting the web app on multiple web servers, because the app cannot decrypt data which was encrypted on another machine.

We referred to some information from the internet; it looks like we need to configure a roaming user account and run the application pool with that account.

The reason we want to use DPAPI is that it will not involve additional management work on the keys.

Do you have some similar experience, how do you solve the problem? Or some other suggestions?

2 Answers

Eight years later . . . you can try using CNG DPAPI, which was meant to work in cloud environments that may or may not be load-balanced. From that link (in case it gets taken down):

Microsoft introduced the data protection application programming interface (DPAPI) in Windows 2000. The API consists of two functions, CryptProtectData and CryptUnprotectData. DPAPI is part of CryptoAPI and was intended for developers who knew very little about using cryptography. The two functions could be used to encrypt and decrypt static data on a single computer.

Cloud computing, however, often requires that content encrypted on one computer be decrypted on another. Therefore, beginning with Windows 8, Microsoft extended the idea of using a relatively straightforward API to encompass cloud scenarios. This new API, called DPAPI-NG, enables you to securely share secrets (keys, passwords, key material) and messages by protecting them to a set of principals that can be used to unprotect them on different computers after proper authentication and authorization.

In .NET Core this looks like

public void ConfigureServices(IServiceCollection services)

Answered by codeMonkey on August 18, 2020

There are two relatively small changes you should make to your setup.

First of all, you should always be using DPAPI in USER_MODE, this is a parameter to the DPAPI methods.
(The .Protect() methods of ProtectedData and ProtectedMemory classes take an additional scope parameter, this should be set to DataProtectionScope.CurrentUser for ProtectedData, or MemoryProtectionScope.SameLogon for ProtectedMemory, depending on which you are using.) (If you are calling the WINAPI functions directly, which I hope you're not using, you can send the USER_MODE parameter directly too. Oh, and use the .NET classes instead.)

Secondly, you should be using the DPAPI classes to encrypt your encryption key - not the data directly.
In other words, you generate a single encryption key, distribute this to all your servers, and have them store the key via DPAPI. (Yes, you'll probably need a small utility for this.)
This will make any key management processes much easier, the key is shared so decryption is easier, and it is still protected by the DPAPI encryption.

Answered by AviD on August 18, 2020
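
The scheme described in the answer above, as an added example that is not the answerer's code: each server wraps the same shared key with DPAPI, and database records are encrypted under that key so any server can decrypt them. The class name, file path, entropy label and record layout are assumptions, and AES-GCM is chosen here because the answer names no cipher.

```csharp
// Assumes Windows, .NET 8+, NuGet package System.Security.Cryptography.ProtectedData.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class SharedKeyStore
{
    // Hypothetical path; restrict its ACL to the application pool identity.
    const string KeyFile = @"C:\ProgramData\ExampleApp\datakey.bin";
    // Constructed label, bound into the DPAPI blob as optional entropy.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleApp data key v1");

    // The "small utility": run once on each server as the application pool
    // identity, with the same 32-byte key delivered out of band.
    public static void Install(byte[] sharedKey)
    {
        byte[] blob = ProtectedData.Protect(sharedKey, Entropy, DataProtectionScope.CurrentUser);
        Directory.CreateDirectory(Path.GetDirectoryName(KeyFile)!);
        File.WriteAllBytes(KeyFile, blob);
        CryptographicOperations.ZeroMemory(sharedKey); // wipes the caller's copy
    }

    // Unwrap the key with DPAPI, hand it to AES-GCM, then wipe the plaintext copy.
    static AesGcm OpenCipher()
    {
        byte[] key = ProtectedData.Unprotect(File.ReadAllBytes(KeyFile), Entropy, DataProtectionScope.CurrentUser);
        try { return new AesGcm(key, tagSizeInBytes: 16); }
        finally { CryptographicOperations.ZeroMemory(key); }
    }

    // Record layout: nonce (12) || tag (16) || ciphertext. Any server holding the key can read it.
    public static byte[] Encrypt(byte[] plaintext)
    {
        byte[] record = new byte[28 + plaintext.Length];
        RandomNumberGenerator.Fill(record.AsSpan(0, 12));
        using AesGcm aes = OpenCipher();
        aes.Encrypt(record.AsSpan(0, 12), plaintext, record.AsSpan(28), record.AsSpan(12, 16));
        return record;
    }

    public static byte[] Decrypt(byte[] record)
    {
        if (record.Length < 28) throw new CryptographicException("Record too short.");
        byte[] plaintext = new byte[record.Length - 28];
        using AesGcm aes = OpenCipher();
        aes.Decrypt(record.AsSpan(0, 12), record.AsSpan(28), record.AsSpan(12, 16), plaintext);
        return plaintext; // Decrypt throws if the tag does not verify
    }
}
```

Under IIS, the application pool needs Load User Profile enabled for `DataProtectionScope.CurrentUser` to work.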
