Kevin Cunningham #1
DPAPI and connection string
I am planning on using DPAPI for an asp.net application. I will configure the app to run under an account I create. My understanding of DPAPI is that it needs a login in order to work correctly, i.e. I need to log on interactively at least once with the account. That sounds dandy. My question is this: if I plan on configuring the custom account to *not* be able to log on interactively (via the local policy), will that nix the ability to use DPAPI??
TIA, kevin
Steve Jansen #2
Re: DPAPI and connection string
Kevin,
From http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT08.asp:
- DPAPI can work with either the machine store or user store (which requires a loaded user profile). DPAPI defaults to the user store, although you can specify that the machine store be used by passing the CRYPTPROTECT_LOCAL_MACHINE flag to the DPAPI functions.
- The user profile approach affords an additional layer of security because it limits who can access the secret. Only the user who encrypts the data can decrypt the data. However, use of the user profile requires additional development effort when DPAPI is used from an ASP.NET Web application because you need to take explicit steps to load and unload a user profile (ASP.NET does not automatically load a user profile).
- The machine store approach (adopted in this How To) is easier to develop because it does not require user profile management. However, unless an additional entropy parameter is used, it is less secure because any user on the computer can decrypt data. (Entropy is a random value designed to make deciphering the secret more difficult.) The problem with using an additional entropy parameter is that this must be securely stored by the application, which presents another key management issue.
Note: If you use DPAPI with the machine store, the encrypted string is specific to a given computer and therefore you must generate the encrypted data on every computer. Do not copy the encrypted data across computers in a farm or cluster.
So, in theory, you never need to log on with the account if you use the machine store. Of course, your application should then safely store an entropy (salt) value to help protect it from other DPAPI applications with access to the machine store.
-Steve Jansen
"Kevin Cunningham" <anonymous@discussions.microsoft.com> wrote in message
news:2ccbd01c39409$b9d338f0$a601280a@phx.gbl...
> I am planning on using DPAPI for an asp.net application.
> I will configure the app to run under an account I
> create. My understanding of DPAPI is that it needs a
> login in order to work correctly, i.e. I need to log on
> interactively at least once with the account. That
> sounds dandy. My question is this, if I plan on
> configuring the custom account to *not* be able to log on
> interactively (via the local policy) will that nix the
> ability to use DPAPI??
>
> TIA, kevin
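As an added example (not code from this thread or from the MSDN How To it quotes), here are the two DPAPI stores side by side using .NET's ProtectedData wrapper, which calls CryptProtectData/CryptUnprotectData underneath; DataProtectionScope.LocalMachine corresponds to the CRYPTPROTECT_LOCAL_MACHINE flag mentioned above, and the optionalEntropy argument is the extra secret Steve refers to. Assumptions: Windows, and either .NET Framework 2.0+ (reference System.Security.dll) or the System.Security.Cryptography.ProtectedData package on newer .NET. The class and method names, the sample connection string and the 16-byte entropy size are all constructed for the example.

```csharp
// Added example: DPAPI machine store vs. user store for a connection string.
// Not the thread's or the MSDN How To's own code. Windows only.
using System;
using System.Security.Cryptography;
using System.Text;

public static class ConnectionStringProtector
{
    // Machine store: no user profile has to be loaded, so this works from an
    // ASP.NET worker process running under a custom account that is denied
    // interactive logon. Any process on the same machine can call Unprotect
    // on the blob, which is why a second secret (entropy) is passed in.
    public static byte[] ProtectForMachine(string connectionString, byte[] entropy)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(connectionString);
        return ProtectedData.Protect(plaintext, entropy, DataProtectionScope.LocalMachine);
    }

    public static string UnprotectForMachine(byte[] ciphertext, byte[] entropy)
    {
        byte[] plaintext = ProtectedData.Unprotect(ciphertext, entropy, DataProtectionScope.LocalMachine);
        return Encoding.UTF8.GetString(plaintext);
    }

    // User store: only the same Windows account can decrypt, but the calling
    // process must have that account's profile loaded (ASP.NET does not load
    // one for you), which is the extra work the How To warns about.
    public static byte[] ProtectForUser(string connectionString)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(connectionString);
        return ProtectedData.Protect(plaintext, null, DataProtectionScope.CurrentUser);
    }

    // Random entropy from the CSP RNG; 16 bytes is an arbitrary size chosen
    // for this example.
    public static byte[] NewEntropy(int sizeInBytes)
    {
        byte[] entropy = new byte[sizeInBytes];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(entropy);
        }
        return entropy;
    }

    public static void Main()
    {
        // Constructed sample value; not a real server or credential.
        string connStr = "Server=db01.example.test;Database=Orders;User Id=app;Password=PLACEHOLDER;";

        byte[] entropy = NewEntropy(16);
        byte[] blob = ProtectForMachine(connStr, entropy);
        Console.WriteLine("Encrypted (base64): " + Convert.ToBase64String(blob));
        Console.WriteLine("Round trip: " + UnprotectForMachine(blob, entropy));

        // Decrypting with different entropy throws CryptographicException.
        // This is what stops another machine-store caller on the same box
        // from simply calling Unprotect on the stored blob.
        try
        {
            UnprotectForMachine(blob, NewEntropy(16));
            Console.WriteLine("Unexpected: blob decrypted with the wrong entropy");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("Wrong entropy rejected, as expected");
        }
    }
}
```

The example generates the entropy at run time only to show the round trip. In a deployment it would be generated once per server and stored where only the application account can read it (the key management issue the How To mentions), and since the machine-store blob is tied to the computer that produced it, the encryption step has to be run on each server in a farm rather than copying one blob around.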