dpapi

I need to store and retrieve sensitive data from a local database - this data is used by a web application. In order to protect said data I've opted to make use of the ProtectedData class. The IIS application is running using a specific AD user (Identity property in the Advanced Settings). Everything works fine until I do an IISRESET - at this point, it seems that the identity is changed for the purposes of the ProtectedData class, and I'm left with data I cannot decrypt - I'm getting a Key not valid for use in specified state exception. Here's the code I'm using: static public string Encrypt

For password encryption I want to use ProtectedData . As far as I found out, this is a wrapper for CryptProtectData . The MSDN only states something vague about encryption based on user credentials and that decryption usually must be done on the same machine, if user has no roaming profile. Which encryption algorithm does it use? Is there any analysis that states whether this encryption is suiting for password storage? How else to implement a local password storage? This MSDN article has more information about CryptProtectData and DPAPI , and should contain the information you need. In

So I am trying to store the symmetric key using DPAPI. All is well and great, but what to do with the entropy? This answered question here really doesn't provide enough insight. It seems like a slippery slope - I could use the machine store to store the entropy but then what prevents someone from getting at that as well? Note: I am storing the current key using the User Scope. So my question is - what is the best way to store the entropy using DPAPI? Anything you store locally can be compromised. But there are steps you can take to make it more difficult. There is a document on Handling