问题描述

DPAPI有两个功能： CryptUnprotectData 和 CryptProtectData 。

我读了他们通过使用该功能使用用户的登录凭据创建的会话密钥进行加密或解密。这是否意味着我不需要在任何地方存储这个密钥，当我想要加密或解密数据时，它们将被创建？

另外我发现要记住的一个重要的一点是，DPAPI只对数据应用加密保护。它不存储任何受保护的数据;因此，调用DPAPI的应用程序必须实现自己的受保护数据存储。这是关于密钥还是文件加密的？

DPAPI has 2 functions: CryptUnprotectDataand CryptProtectData.
I read They do the encryption or decryption by using a session key that the function creates by using the user's logon credentials. Does that mean that I do not need store this key anywhere and they will created when I want encrypt or decrypt data?
Also I found An important point to remember is that DPAPI merely applies cryptographic protection to the data. It does not store any of the protected data; therefore applications calling DPAPI must implement their own storage of the protected data. Is this about the key or a file what was encrypted?

推荐答案

上述功能使用特定于登录用户的密钥。因此，您不需要存储密钥。但是，这些功能仅用于数据转换，而不用于数据存储。这意味着您可以随时随地存储加密的数据块 - CryptProtectData不会为您执行此操作。

The mentioned functions use the key specific to the logged in user. Thus you don't need to store the key. However, these functions are merely for data transformation and not for data storage. This means that it's your job to store encrypted data chunk wherever you want - the CryptProtectData won't do this for you.