ProtectStreamAsync | protectStreamAsync method

DataProtectionProvider.ProtectStreamAsync | protectStreamAsync method

Asynchronously protects a data stream.


dataProtectionProvider.protectStreamAsync(src, dest).done( /* Your success and error handlers */ );



Type: IInputStream

Stream to be protected.


Type: IOutputStream

Protected stream.

Return value

Type: IAsyncAction

Represents an asynchronous action.


You must call the DataProtectionProvider(String) constructor before calling this method.

For security descriptors and SDDL strings, you must set the enterprise authentication capability in the manifest. The enterprise authentication capability is restricted to Windows Store apps built with company accounts, and is subject to additional onboarding validation. You should avoid the enterprise authentication capability unless it is absolutely necessary. For more information, see Registering for a Windows Store developer account.

For example, the following SID and SDDL providers require the enterprise authentication capability:

  • "SID=S-1-5-21-4392301 AND SID=S-1-5-21-3101812"
  • "SDDL=O:S-1-5-5-0-290724G:SYD:(A;;CCDC;;;S-1-5-5-0-290724)(A;;DC;;;WD)"

These providers do not require the enterprise authentication capability:

  • "LOCAL=user"
  • "LOCAL=machine"
  • "WEBCREDENTIALS=MyPasswordName"
  • "WEBCREDENTIALS=MyPasswordName,"


The following example shows how to protect stream data.

public async Task<IBuffer> SampleDataProtectionStream(
    String descriptor,
    String strMsg,
    BinaryStringEncoding encoding)
    // Create a DataProtectionProvider object for the specified descriptor.
    DataProtectionProvider Provider = new DataProtectionProvider(descriptor);

    // Convert the input string to a buffer.
    IBuffer buffMsg = CryptographicBuffer.ConvertStringToBinary(strMsg, encoding);

    // Create a random access stream to contain the plaintext message.
    InMemoryRandomAccessStream inputData = new InMemoryRandomAccessStream();

    // Create a random access stream to contain the encrypted message.
    InMemoryRandomAccessStream protectedData = new InMemoryRandomAccessStream();

    // Retrieve an IOutputStream object and fill it with the input (plaintext) data.
    IOutputStream outputStream = inputData.GetOutputStreamAt(0);
    DataWriter writer = new DataWriter(outputStream);
    await writer.StoreAsync();
    await outputStream.FlushAsync();

    // Retrieve an IInputStream object from which you can read the input data.
    IInputStream source = inputData.GetInputStreamAt(0);

    // Retrieve an IOutputStream object and fill it with encrypted data.
    IOutputStream dest = protectedData.GetOutputStreamAt(0);
    await Provider.ProtectStreamAsync(source, dest);
    await dest.FlushAsync();

    //Verify that the protected data does not match the original
    DataReader reader1 = new DataReader(inputData.GetInputStreamAt(0));
    DataReader reader2 = new DataReader(protectedData.GetInputStreamAt(0));
    await reader1.LoadAsync((uint)inputData.Size);
    await reader2.LoadAsync((uint)protectedData.Size);
    IBuffer buffOriginalData = reader1.ReadBuffer((uint)inputData.Size);
    IBuffer buffProtectedData = reader2.ReadBuffer((uint)protectedData.Size);

    if (CryptographicBuffer.Compare(buffOriginalData, buffProtectedData))
        throw new Exception("ProtectStreamAsync returned unprotected data");

    // Return the encrypted data.
    return buffProtectedData;

Requirements (Windows 10 device family)

Device family

Universal, introduced version 10.0.10240.0

API contract

Windows.Foundation.UniversalApiContract, introduced version 1.0


Windows::Security::Cryptography::DataProtection [C++]



Requirements (Windows 8.x and Windows Phone 8.x)

Minimum supported client

Windows 8

Minimum supported server

Windows Server 2012

Minimum supported phone

Windows Phone 8.1 [Windows Runtime apps only]


Windows::Security::Cryptography::DataProtection [C++]



See also




© 2016 Microsoft