16

So I am trying to utilize the Unprotect method in the System.Security.Cryptography.ProtectedData object and keep getting the exception:

cryptographicexception key not valid for use in specified state

I think it has to do with the DataProtectionScope (but I am not 100%).

This method works if I am logged in and run a service executable in DEBUG mode, which means to me it would be running under the "currentuser". However, if I try to run the actual Windows service, which runs under the LocalSystem account, it fails, throwing the previously mentioned exception.

Method:

ProtectedData.Unprotect(Byte[] byteArray, <some_password_salt>, DataProtectionScope.CurrentUser)

The DataProtectionScope Enum, only has CurrentUser or LocalMachine as your options. I am not sure what would be the best option for resolving this.

I have tried setting it to DataProtectionScope.LocalMachine, which according to the MSDN article should allow any process running on the machine to unprotect the data. But it doesn't.

1 Answer

26

The Data protection API uses a key generated for each user. It is a symmetric encryption scheme, which means that data encrypted for a user cannot be decrypted by another user. It cannot be decrypted by the same user on a different machine either.

That leaves you with two options:

  • Encrypt and decrypt the data with code running under the same account on the same machine
  • Use the CRYPTPROTECT_LOCAL_MACHINE flag to use the machine key, not the user's

Either way, encryption and decryption must be done the same way. For example, use the local machine flag when encrypting and decrypting.

5
  • Yes, I found two problems when I tried to originally use that flag. After rectifying both, I was able to get the LocalMachine flag to work.
    – pghtech
    Commented Jul 6, 2011 at 12:42
  • 3
    Very helpful - in my case, I was trying to run code I'd grabbed from a different project. It was using LocalMachine already, but I was encrypting on one machine and decrypting on a different one.
    – neminem
    Commented Apr 1, 2016 at 20:54
  • But this does not cover a roaming-profile scenario where users typically use different machines to log on. Any load balancer, Citrix server farm, whatever, breaks this. Usable only in single-machine scenarios.
    – Grisgram
    Commented Jul 23, 2019 at 7:32
  • IIRC the DPAPI key is (or can be put) in the roaming profile. Computers don't have roaming profiles, so you must implement some kind of "encrypt on first read" feature in the application if you go with option 2 above. Maybe a tool that queries for the security-sensitive data and provides you with the encrypted version of it to save somewhere.
    – ixe013
    Commented Jul 24, 2019 at 3:22
  • 1
    If you are decrypting with current user, and have recently changed passwords it will fail. The "Api" listed above is a good read.
    – joe blogs
    Commented Apr 17, 2023 at 21:02
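The following is an added example, not code from the question or the answer, that puts the answer's rule into one place: the scope and optional entropy passed to Protect are fixed once for the whole application and reused by Unprotect, so a service running as LocalSystem never mixes a CurrentUser blob made on a developer's account with a LocalMachine read. It also implements the "encrypt on first read" pattern ixe013 describes in the comments. The class name ServiceSecretStore, the file markers and the entropy string are assumptions chosen for the example; the code assumes Windows and a .NET build where System.Security.Cryptography.ProtectedData is available (System.Security.dll on .NET Framework, the System.Security.Cryptography.ProtectedData package on modern .NET).

```csharp
// Added example (not from the question or answer above).
// Demonstrates: fixed DPAPI scope + entropy shared by Protect/Unprotect,
// a diagnostic wrapper for CryptographicException, and "encrypt on first read".
// Assumes Windows and the ProtectedData API (System.Security.Cryptography).
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class ServiceSecretStore
{
    // One scope for the whole application. A Windows service running as
    // LocalSystem has no user profile holding a CurrentUser master key, so
    // LocalMachine (the CRYPTPROTECT_LOCAL_MACHINE flag) is the workable choice.
    private const DataProtectionScope Scope = DataProtectionScope.LocalMachine;

    // With LocalMachine scope any local process can call Unprotect, so the
    // optional entropy is the only thing that separates this blob from other
    // code on the box. Constructed placeholder value; keep the real one out of
    // the same file as the blob.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("example-entropy-placeholder");

    public static byte[] Protect(string plaintext) =>
        ProtectedData.Protect(Encoding.UTF8.GetBytes(plaintext), Entropy, Scope);

    public static string Unprotect(byte[] blob)
    {
        try
        {
            return Encoding.UTF8.GetString(ProtectedData.Unprotect(blob, Entropy, Scope));
        }
        catch (CryptographicException ex)
        {
            // The causes discussed in the thread: blob produced on another
            // machine, blob produced under CurrentUser by a different account
            // (e.g. the developer's login, now read by LocalSystem), or a
            // different entropy value at Protect time than at Unprotect time.
            throw new InvalidOperationException(
                "DPAPI blob cannot be opened in this context " +
                "(machine, account or entropy mismatch).", ex);
        }
    }

    // "Encrypt on first read": the file is deployed as marker-prefixed
    // plaintext; the first process that reads it under the service's own
    // scope rewrites it as a DPAPI blob, so the plaintext never stays on disk.
    private const string PlainMarker = "plain:";
    private const string BlobMarker = "dpapi:";

    public static string LoadSecret(string path)
    {
        string content = File.ReadAllText(path);

        if (content.StartsWith(BlobMarker, StringComparison.Ordinal))
            return Unprotect(Convert.FromBase64String(content.Substring(BlobMarker.Length)));

        if (content.StartsWith(PlainMarker, StringComparison.Ordinal))
        {
            string secret = content.Substring(PlainMarker.Length);
            byte[] blob = Protect(secret);
            // Replace the plaintext with the blob produced by THIS machine and scope.
            File.WriteAllText(path, BlobMarker + Convert.ToBase64String(blob));
            return secret;
        }

        throw new FormatException("secret file carries neither marker");
    }

    public static void Main()
    {
        // Constructed sample: simulate a freshly deployed plaintext secret file.
        string path = Path.Combine(Path.GetTempPath(), "example-secret.txt");
        File.WriteAllText(path, PlainMarker + "constructed-sample-password");

        Console.WriteLine(LoadSecret(path));        // first read: protects and rewrites the file
        Console.WriteLine(File.ReadAllText(path));  // now a dpapi: blob, no plaintext left on disk
        Console.WriteLine(LoadSecret(path));        // second read: goes through Unprotect
    }
}
```

If the service must instead stay on CurrentUser scope (the answer's first option), run it under a dedicated service account and perform the first-read protection from that same account on that same machine; protecting under the developer's login and reading under LocalSystem is exactly the mismatch the question describes. Either way, keep entropy and scope in one place so they cannot drift apart between the Protect and Unprotect call sites.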
