1 Introduction

The BackupKey Remote Protocol is used by clients to encrypt and decrypt sensitive data (such as cryptographic keys) with the help of a server. Data encrypted using this protocol can be decrypted only by the server, and the client can safely write such encrypted data to storage that is not specially protected. In Windows, this protocol is used to provide encryption of user secrets through the Data Protection Application Program Interface (DPAPI) in an Active Directory Domain.

Familiarity with cryptography and Public Key Infrastructure (PKI) concepts (such as asymmetric and symmetric cryptography, digital certificate concepts, and cryptographic key exchange) is required for a complete understanding of this specification. For more information about cryptography and PKI concepts, see [CRYPTO].

Sections 1.5, 1.8, 1.9, 2, and 3 of this specification are normative. All other sections and examples in this specification are informative.