vladimir semenov

Hi,

Does anybody know when DPAPI generates master key the first time? More
specifically, I'm interested in situation if operation system is not
installed on 2 computers but image is restored on their hard drives. Can
these computers read files protected on the either computer by method
CryptoProtectData with CRYPTPROTECT_LOCAL_MACHINE flag?
I know that after several months the master keys are renewed and likely they
will differ, but what about first days?
Is there any way to force DPAPI generate new master key? It looks relatively
safe.

Thank you,
Vladimir.

andrew tucker [msft]

DPAPI will generate the local system master key during the
specialization phase of sysprep. If you are using standard imaging
tools that utilize sysprep you should be fine.

It is possible to ask DPAPI to regenerate this key by calling
CryptProtectData with the CRYPTPROTECT_CRED_REGENERATE flag but you
have to be running as LocalSystem to do it and it can easily cause
data loss since data protected by the previous key can no longer be
decrypted. Be careful if you use it - there be dragons here.

vladimir semenov

Andrew, thank you very much!

I don't not quite understand about "data loss": MSDN article about DPAPI
(http://msdn2.microsoft.com/en-us/library/ms995355.aspx) says that the
previous keys are stored for decrypting the data produced with the previous
versions of master key. Does it concern only "regular" master key refresh?
How many keys versions are stored, is there the limit? Do you know how long
data protected by machine key can be decrypted on this machine and what
could be reasons of losing such possibility: domain migration, computer
renaming etc.?

Thanks,
Vladimir.

paranoidmike

Firstly, let's be more ******** about "data loss":
- if you do nothing before calling CryptProtectData with the
CRYPTPROTECT_CRED_REGENERATE flag, then any data already encrypted in
LocalSystem context WILL be irretrievable
- I'm not familiar with the CRYPTPROTECT_CRED_REGENERATE flag, but I
gather that it wipes out existing keys (DPAPI Master Key, RSA
keypairs) and generates new ones
- unless you do something special beforehand, therefore, all
previously-encrypted data will be encrypted with keys that no longer
exist

MSDN do***ents the much more common behaviours of DPAPI. In fact,
I've never encountered any recommended uses for the
CRYPTPROTECT_CRED_REGENERATE flag before, so I gather that no existing
applications use this flag under any known cir***stances.

Yes, MSDN do***ents "regular" master key refresh, where the older
Master Key is encrypted with the new Master Key, so that all previous
Master Keys are (a) preserved and (b) transparently recoverable (DPAPI
will decrypt as many of the previous Master Keys in the chain as it
needs to be able to decrypt existing RSA private keys).

The only cir***stances under which you should expect to lose the
ability to decrypt "machine-encrypted data" would be if (a) the
machine's profile is wiped out (e.g. reinstall the OS), (b) critical
files where these keys are stored are corrupted (e.g. disk corruption)
or (c) the SYSKEY becomes corrupted or unrecoverable on your system.

Mike

vladimir semenov

Thank you, Mike.

I intended to use CRYPTPROTECT_CRED_REGENERATE on machines incorrectly
cloned from one image (without sysperp). It looks like
CRYPTPROTECT_CRED_REGENERATE will do in this case, but I should be aware to
call it on working system.

Regards,
Vladimir.

vladimir semenov

I've tested this apporach to regenerate keys, it really works!!!!
On w2k3 server even previously decrypted data can be read.

Thank you.