Each cryptographic service provider (CSP) has a key database in which it stores persistent cryptographic keys. Each key database contains one or more key containers, each of which contains all the key pairs belonging to a specific user. The following illustration showsthe relationship between CSPs, key databases, and key containers.
The CSP stores each key container from session to session, including all of the public/private key pairs that it contains. However, session keys are not automatically persisted to any permanent storage media.
Generally, a default key container is created for each user. Default key containers have a default name.
An application can create its own key container and key pairs, and assign a name to the key container. A key is created for each user and each machine. For each user, the key container is located in the HKEY_CURRENT_USER\Comm\Security\Crypto registry key. For each machine, the key container is located in the HKEY_LOCAL_MACHINE\Comm\Security\Crypto registry key.
CryptoAPI encrypts the contents of the key container using the CryptProtectData function. Note that all applications can read and decrypt both user and machine keys by calling CryptUnprotectData on the encrypted key contents.