Was this page helpful?
Your feedback about this content is important. Let us know what you think.
Additional feedback?
1500 characters remaining
Export (0) Print
Expand All

DpapiDataProtector Class

.NET Framework 4.6 and 4.5

Provides simple data protection methods.


Namespace:  System.Security.Cryptography
Assembly:  System.Security (in System.Security.dll)

public sealed class DpapiDataProtector : DataProtector

The DpapiDataProtector type exposes the following members.

Public methodDpapiDataProtectorCreates a new instance of the DpapiDataProtector class by using the specified application name, primary purpose, and specific purposes.

Public propertyScopeGets or sets the scope of the data protection.

Public methodEquals(Object)Determines whether the specified object is equal to the current object. (Inherited from Object.)
Public methodGetHashCodeServes as the default hash function. (Inherited from Object.)
Public methodGetTypeGets the Type of the current instance. (Inherited from Object.)
Public methodIsReprotectRequiredDetermines if the data must be re-encrypted. (Overrides DataProtector.IsReprotectRequired(Byte[]).)
Public methodProtectProtects the specified user data. (Inherited from DataProtector.)
Public methodToStringReturns a string that represents the current object. (Inherited from Object.)
Public methodUnprotectUnprotects the specified protected data. (Inherited from DataProtector.)

The DpapiDataProtector class provides a structured way to protect data by using the ProtectedData class. The class constructor has purpose parameters that serve like a password to identify the protected data. All three parameters are hashed and included as part of the encrypted data string. You must know the purpose parameters to unprotect the data. The ProtectedData.Protect method that is called to encrypt the data has an optionalEntropy parameter that allows you to add qualifying information to encrypt the data more securely. The hash of the purpose parameters is used for optional entropy. Because you do not need a key to decrypt the data, carefully choosing the purpose data adds another level of security to data protection.

If you use a Scope setting of CurrentUser, only a user with logon credentials that match those of the user who encrypted the data can decrypt the data. In addition, decryption usually can be done only on the computer where the data was encrypted. The Windows function that encrypts the data creates a session key to perform the encryption. The session key is derived again when the data is to be decrypted. For a detailed description of how data is protected by using session keys, see Windows Data Protection.

If you use a Scope setting of LocalMachine when protecting the data and do not carefully identify the purpose parameters, any other application on that computer that knows the purposes can access and unprotect the data.

.NET Framework

Supported in: 4.6, 4.5

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.
© 2015 Microsoft