ProtectedData Class
Provides methods for encrypting and decrypting data. This class cannot be inherited.
Assembly: System.Security (in System.Security.dll)
The ProtectedData type exposes the following members.
This class provides access to the Data Protection API (DPAPI) available in Microsoft Windows 2000 and later operating systems. This is a service that is provided by the operating system and does not require additional libraries. It provides protection using the user or machine credentials to encrypt or decrypt data.
The class consists of two wrappers for the unmanaged DPAPI, Protect and Unprotect. These two methods can be used to encrypt and decrypt data such as passwords, keys, and connection strings.
If you use these methods during impersonation, you may receive the following error: "Key not valid for use in specified state." This occurs because the DPAPI stores the key data in user profiles. If the profile is not loaded, DPAPI won’t be able to perform the decryption. To prevent this error, load the profile of the user you want to impersonate before calling either method. Using DPAPI with impersonation adds significant complexity and requires careful design choices.
| Note |
|---|
| The HostProtectionAttribute attribute applied to this type or member has the following Resources property value: MayLeakOnAbort. The HostProtectionAttribute does not affect desktop applications (which are typically started by double-clicking an icon, typing a command, or entering a URL in a browser). For more information, see the HostProtectionAttribute class or SQL Server Programming and Host Protection Attributes. |
| Topic | Location |
|---|---|
| How to: Use Data Protection | .NET Framework: Security |
The following example shows how to use data protection.
```cpp
#using <System.Security.dll>

using namespace System;
using namespace System::Security::Cryptography;

public ref class DataProtectionSample
{
private:
   // Create byte array for additional entropy when using Protect method.
   static array<Byte>^s_aditionalEntropy = {9,8,7,6,5};

public:
   static void Main()
   {
      // Create a simple byte array containing data to be encrypted.
      array<Byte>^secret = {0,1,2,3,4,1,2,3,4};

      // Encrypt the data.
      array<Byte>^encryptedSecret = Protect( secret );
      Console::WriteLine( "The encrypted byte array is:" );
      PrintValues( encryptedSecret );

      // Decrypt the data and store in a byte array.
      array<Byte>^originalData = Unprotect( encryptedSecret );
      Console::WriteLine( "{0}The original data is:", Environment::NewLine );
      PrintValues( originalData );
   }

   static array<Byte>^ Protect( array<Byte>^data )
   {
      try
      {
         // Encrypt the data using DataProtectionScope.CurrentUser. The result can be decrypted
         // only by the same current user.
         return ProtectedData::Protect( data, s_aditionalEntropy, DataProtectionScope::CurrentUser );
      }
      catch ( CryptographicException^ e )
      {
         Console::WriteLine( "Data was not encrypted. An error occurred." );
         Console::WriteLine( e );
         return nullptr;
      }
   }

   static array<Byte>^ Unprotect( array<Byte>^data )
   {
      try
      {
         // Decrypt the data using DataProtectionScope.CurrentUser.
         return ProtectedData::Unprotect( data, s_aditionalEntropy, DataProtectionScope::CurrentUser );
      }
      catch ( CryptographicException^ e )
      {
         Console::WriteLine( "Data was not decrypted. An error occurred." );
         Console::WriteLine( e );
         return nullptr;
      }
   }

   static void PrintValues( array<Byte>^myArr )
   {
      System::Collections::IEnumerator^ myEnum = myArr->GetEnumerator();
      while ( myEnum->MoveNext() )
      {
         Byte i = safe_cast<Byte>(myEnum->Current);
         Console::Write( "\t{0}", i );
      }
      Console::WriteLine();
   }
};

int main()
{
   DataProtectionSample::Main();
}
```
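The same API applied to a connection string in C#, as an added example that is not part of the original documentation: it protects the string under the CurrentUser scope, clears the temporary plaintext byte arrays, and shows that Unprotect throws CryptographicException when the optional entropy does not match. The class name, connection string and entropy values are constructed for illustration.

```csharp
// Added example, not from the original page. Requires a reference to System.Security.dll.
using System;
using System.Security.Cryptography;
using System.Text;

public static class DpapiConnectionStringSample
{
    // Constructed sample values; a real application supplies its own.
    private const string SampleConnectionString = "Server=db01;Database=app;User Id=svc;Password=example";
    private static readonly byte[] AppEntropy = Encoding.UTF8.GetBytes("constructed-sample-entropy");

    public static byte[] ProtectString(string value, byte[] entropy)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(value);
        try
        {
            // CurrentUser: only the same user account can decrypt the result.
            return ProtectedData.Protect(plaintext, entropy, DataProtectionScope.CurrentUser);
        }
        finally
        {
            // Clear the temporary byte copy (the original string object is not affected).
            Array.Clear(plaintext, 0, plaintext.Length);
        }
    }

    public static bool TryUnprotectString(byte[] blob, byte[] entropy, out string value)
    {
        value = null;
        try
        {
            byte[] plaintext = ProtectedData.Unprotect(blob, entropy, DataProtectionScope.CurrentUser);
            value = Encoding.UTF8.GetString(plaintext);
            Array.Clear(plaintext, 0, plaintext.Length);
            return true;
        }
        catch (CryptographicException)
        {
            // Raised for mismatched entropy, a modified blob, or the impersonation case
            // described above where the user profile is not loaded.
            return false;
        }
    }

    public static void Main()
    {
        byte[] blob = ProtectString(SampleConnectionString, AppEntropy);
        string roundTrip;
        Console.WriteLine("Correct entropy: {0}", TryUnprotectString(blob, AppEntropy, out roundTrip));
        Console.WriteLine("Wrong entropy:   {0}", TryUnprotectString(blob, new byte[] { 1, 2, 3 }, out roundTrip));
    }
}
```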
Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows XP SP2 x64 Edition, Windows Server 2008 (Server Core not supported), Windows Server 2008 R2 (Server Core supported with SP1 or later), Windows Server 2003 SP2
The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.
