DpapiDataProtector Class

.NET Framework (current version)

The .NET API Reference documentation has a new home. Visit the .NET API Browser on docs.microsoft.com to see the new experience.

Provides simple data protection methods.

Namespace:   System.Security.Cryptography
Assembly:  System.Security (in System.Security.dll)


public sealed class DpapiDataProtector : DataProtector

System_CAPS_pubmethodDpapiDataProtector(String, String, String[])

Creates a new instance of the DpapiDataProtector class by using the specified application name, primary purpose, and specific purposes.


Gets or sets the scope of the data protection.


Determines whether the specified object is equal to the current object.(Inherited from Object.)


Serves as the default hash function. (Inherited from Object.)


Gets the Type of the current instance.(Inherited from Object.)


Determines if the data must be re-encrypted.(Overrides DataProtector.IsReprotectRequired(Byte[]).)


Protects the specified user data.(Inherited from DataProtector.)


Returns a string that represents the current object.(Inherited from Object.)


Unprotects the specified protected data.(Inherited from DataProtector.)

The DpapiDataProtector class provides a structured way to protect data by using the ProtectedData class. The class constructor has purpose parameters that serve like a password to identify the protected data. All three parameters are hashed and included as part of the encrypted data string. You must know the purpose parameters to unprotect the data. The ProtectedData.Protect method that is called to encrypt the data has an optionalEntropy parameter that allows you to add qualifying information to encrypt the data more securely. The hash of the purpose parameters is used for optional entropy. Because you do not need a key to decrypt the data, carefully choosing the purpose data adds another level of security to data protection.

If you use a Scope setting of CurrentUser, only a user with logon credentials that match those of the user who encrypted the data can decrypt the data. In addition, decryption usually can be done only on the computer where the data was encrypted. The Windows function that encrypts the data creates a session key to perform the encryption. The session key is derived again when the data is to be decrypted. For a detailed description of how data is protected by using session keys, see Windows Data Protection.

If you use a Scope setting of LocalMachine when protecting the data and do not carefully identify the purpose parameters, any other application on that computer that knows the purposes can access and unprotect the data.

.NET Framework
Available since 4.5

Any public static ( Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

Return to top