
I have a number of workstations which are part of my domain, each running some .NET application. One central server stores secrets which I would like to be encrypted by a key which is accessible to all users of the system which have the appropriate user group.

I found that .NET does offer a wrapper for DPAPI, but I was wondering if the same applies for DPAPI-NG, where a wrapper function exists for NCryptProtectSecret and NCryptCreateProtectionDescriptor. Furthermore, how would I go about configuring the descriptor so as to only allow a specific user group from my domain to decrypt the secret?

In case there is no wrapper I'd have to import the ncrypt.dll and work with that. Can anyone who has experience with this library confirm that this URL has an up-to-date API https://msdn.microsoft.com/en-us/library/windows/desktop/hh706795(v=vs.85).aspx?


1 Answer


I found that .NET does offer a wrapper for DPAPI, but I was wondering if the same applies for DPAPI-NG, where a wrapper function exists for NCryptProtectSecret

NCryptProtectSecret has no hits on referencesource.microsoft.com, so such a wrapper API most likely does not exist in the framework.

Can anyone who has experience with this library confirm that this URL has an up-to-date API https://msdn.microsoft.com/en-us/library/windows/desktop/hh706795(v=vs.85).aspx ?

Function signatures in Win32 never change. The prose in the documentation may contain errors, but almost never the API surface. The surest way to know is to find a copy of the header file that declares it, but in practice that is usually only necessary when a) a named constant is referenced without its value being given, or b) you P/Invoke, crash, and are trying to work out why.

A quick search shows that https://github.com/NuGet/NuGet.Operations/blob/master/src/NuGet.Services.Operations/Secrets/DpapiNg/NativeMethods.cs has P/Invoked these. If NuGet's Apache license is compatible with your use/needs, you can compare your conclusions with theirs.

answered 2017-06-21T16:05:50.190
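The following is an added example, not code from the question, the answer, or the NuGet project linked above. It P/Invokes the four DPAPI-NG entry points from ncrypt.dll that the thread discusses (NCryptCreateProtectionDescriptor, NCryptProtectSecret, NCryptUnprotectSecret and NCryptCloseProtectionDescriptor) and builds a descriptor rule that restricts decryption to one domain group. The group name CORP\SecretReaders and the sample secret are placeholders; the SID= rule form requires a Windows 8 / Server 2012 or later client and a domain with a KDS root key, and the signatures below follow the public ncrypt.h declarations.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

// Added example: thin DPAPI-NG wrapper. Assumes Windows 8 / Server 2012+ and,
// for SID= rules, a domain with a KDS root key provisioned.
internal static class DpapiNg
{
    private const uint NCRYPT_SILENT_FLAG = 0x00000040; // fail instead of showing UI

    [DllImport("ncrypt.dll", CharSet = CharSet.Unicode)]
    private static extern int NCryptCreateProtectionDescriptor(
        string pwszDescriptorString, uint dwFlags, out IntPtr phDescriptor);

    [DllImport("ncrypt.dll")]
    private static extern int NCryptCloseProtectionDescriptor(IntPtr hDescriptor);

    [DllImport("ncrypt.dll")]
    private static extern int NCryptProtectSecret(
        IntPtr hDescriptor, uint dwFlags, byte[] pbData, uint cbData,
        IntPtr pMemPara, IntPtr hWnd, out IntPtr ppbProtectedBlob, out uint pcbProtectedBlob);

    // First parameter is an optional NCRYPT_DESCRIPTOR_HANDLE*; we pass NULL because
    // the descriptor is carried inside the blob and we do not need it back.
    [DllImport("ncrypt.dll")]
    private static extern int NCryptUnprotectSecret(
        IntPtr phDescriptor, uint dwFlags, byte[] pbProtectedBlob, uint cbProtectedBlob,
        IntPtr pMemPara, IntPtr hWnd, out IntPtr ppbData, out uint pcbData);

    // With pMemPara == NULL the output buffers are allocated with LocalAlloc.
    [DllImport("kernel32.dll")]
    private static extern IntPtr LocalFree(IntPtr hMem);

    // SECURITY_STATUS values are HRESULTs (NTE_*), so ThrowExceptionForHR maps them.
    private static void Check(int status)
    {
        if (status != 0) Marshal.ThrowExceptionForHR(status);
    }

    // Builds a "SID=S-1-5-21-..." rule. The rule must name the group by SID, not by
    // name; membership is evaluated by the domain at decryption time, so only current
    // members of the group can unprotect the blob.
    public static string GroupRule(string domainGroup)
    {
        var sid = (SecurityIdentifier)new NTAccount(domainGroup).Translate(typeof(SecurityIdentifier));
        return "SID=" + sid.Value;
    }

    // Copies an unmanaged output buffer into managed memory and frees the original.
    private static byte[] TakeBuffer(IntPtr buffer, uint length)
    {
        try
        {
            var result = new byte[length];
            Marshal.Copy(buffer, result, 0, (int)length);
            return result;
        }
        finally { LocalFree(buffer); }
    }

    public static byte[] Protect(string descriptorRule, byte[] plaintext)
    {
        IntPtr hDesc;
        Check(NCryptCreateProtectionDescriptor(descriptorRule, 0, out hDesc));
        try
        {
            IntPtr blob; uint cbBlob;
            Check(NCryptProtectSecret(hDesc, NCRYPT_SILENT_FLAG, plaintext, (uint)plaintext.Length,
                IntPtr.Zero, IntPtr.Zero, out blob, out cbBlob));
            return TakeBuffer(blob, cbBlob);
        }
        finally { NCryptCloseProtectionDescriptor(hDesc); }
    }

    public static byte[] Unprotect(byte[] protectedBlob)
    {
        IntPtr data; uint cbData;
        // Throws (e.g. access denied) when the caller is not a member of the group.
        Check(NCryptUnprotectSecret(IntPtr.Zero, NCRYPT_SILENT_FLAG, protectedBlob,
            (uint)protectedBlob.Length, IntPtr.Zero, IntPtr.Zero, out data, out cbData));
        return TakeBuffer(data, cbData);
    }

    private static void Main()
    {
        // Placeholder group and secret; substitute your own.
        string rule = GroupRule(@"CORP\SecretReaders");
        byte[] secret = Encoding.UTF8.GetBytes("example-db-password");
        byte[] blob = Protect(rule, secret);
        Array.Clear(secret, 0, secret.Length); // do not keep plaintext around
        Console.WriteLine("Protected blob: " + blob.Length + " bytes under rule " + rule);

        // On any domain-joined workstation, a group member can recover it:
        string recovered = Encoding.UTF8.GetString(Unprotect(blob));
        Console.WriteLine("Recovered " + recovered.Length + " characters");
    }
}
```

Two practical caveats: the descriptor rule (including the group SID) is stored in clear inside the protected blob, so treat it as metadata rather than a secret, and rules can be combined, for example "SID=... AND SID=..." to require membership in two groups or "SID=... OR LOCAL=machine" to add a fallback, so test a non-member account explicitly to confirm NCryptUnprotectSecret fails as you expect.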