Master Key Storage

11/30/2006

The Data Protection API (DPAPI) encrypts and decrypts sensitive data, such as user passwords, using a secret key called the master key. Before a master key is stored, it is itself 3DES-encrypted with a key derived from the user's logon password. Master keys can be stored either in a file in the Windows folder (a master key file has a .mky file extension) or in the system registry. When a user changes his or her logon password, the master keys are automatically decrypted and re-encrypted under the new password; the master keys themselves do not change, so data already protected with them remains recoverable.

The Protected Store API consists of two CryptoAPI functions, CryptProtectData and CryptUnprotectData. Applications call these functions with the data to protect or recover; they never handle the master key directly.
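The wrap, protect and re-wrap steps described in the two paragraphs above, as an added example in Go that is not part of the original page and is not the Windows CE implementation. It models the scheme only: a random master key is sealed under a key derived from the logon password, data is sealed under the master key in the way CryptProtectData and CryptUnprotectData do, and a password change re-seals the master key without changing it. The KDF (PBKDF2-HMAC-SHA512), the blob layout, the HMAC tag, the 32-byte master key size and the sample password and data are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
)

// Model of the scheme described above, not the Windows CE implementation: data
// is sealed under a random master key, and the master key itself is stored only
// 3DES-encrypted under a password-derived key. KDF, layout, tag and sizes are assumptions.
const kdfIters = 2000 // assumption; kept small so the example runs quickly

// Blob is a sealed secret: KDF salt, CBC IV, 3DES ciphertext and HMAC tag. A stored
// master key (the page's .mky file) and a protected data item have the same shape.
type Blob struct{ Salt, IV, Ciphertext, Tag []byte }

// pbkdf2 is PBKDF2-HMAC-SHA512 (RFC 8018) limited to one 64-byte output block.
func pbkdf2(secret, salt []byte, iters int) []byte {
	prf := hmac.New(sha512.New, secret)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index INT(1)
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for n := 1; n < iters; n++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t // bytes 0-23 become the 3DES key, bytes 24-55 the HMAC key
}

func tag(macKey, iv, ct []byte) []byte {
	mac := hmac.New(sha512.New, macKey)
	mac.Write(iv)
	mac.Write(ct)
	return mac.Sum(nil)
}

// Seal encrypts plaintext with 3DES-CBC (PKCS#7 padding) under keys derived from
// secret and authenticates IV||ciphertext, so a wrong secret is rejected instead of
// decrypting to garbage. Master key under password = the page's master key storage;
// data under master key = the CryptProtectData side.
func Seal(secret, plaintext []byte) (*Blob, error) {
	hdr := make([]byte, 16+des.BlockSize) // fresh salt and IV for every blob
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	salt, iv := hdr[:16], hdr[16:]
	k := pbkdf2(secret, salt, kdfIters)
	block, _ := des.NewTripleDESCipher(k[:24]) // 24-byte key: cannot fail
	pad := des.BlockSize - len(plaintext)%des.BlockSize
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return &Blob{Salt: salt, IV: iv, Ciphertext: ct, Tag: tag(k[24:56], iv, ct)}, nil
}

// Unseal reverses Seal (master key load for a .mky blob, CryptUnprotectData side for
// data). The tag is verified before decrypting, so the padding can be trusted.
func Unseal(secret []byte, b *Blob) ([]byte, error) {
	k := pbkdf2(secret, b.Salt, kdfIters)
	if !hmac.Equal(tag(k[24:56], b.IV, b.Ciphertext), b.Tag) {
		return nil, errors.New("wrong secret or tampered blob")
	}
	block, _ := des.NewTripleDESCipher(k[:24])
	pt := make([]byte, len(b.Ciphertext))
	cipher.NewCBCDecrypter(block, b.IV).CryptBlocks(pt, b.Ciphertext)
	return pt[:len(pt)-int(pt[len(pt)-1])], nil
}

// RewrapMasterKey models a logon password change: the master key is decrypted
// with the old password and re-encrypted with the new one. The key itself never
// changes, so data protected before the change still decrypts afterwards.
func RewrapMasterKey(mky *Blob, oldPw, newPw string) (*Blob, error) {
	mk, err := Unseal([]byte(oldPw), mky)
	if err != nil {
		return nil, err
	}
	return Seal([]byte(newPw), mk)
}

func main() {
	mk := make([]byte, 32) // assumption: 32-byte random master key
	rand.Read(mk)
	mky, _ := Seal([]byte("old-pw"), mk)                     // stored master key
	item, _ := Seal(mk, []byte("constructed sample secret")) // protected data
	mky, _ = RewrapMasterKey(mky, "old-pw", "new-pw")
	mk2, _ := Unseal([]byte("new-pw"), mky) // "old-pw" would now be rejected
	plain, err := Unseal(mk2, item)
	fmt.Printf("after password change: %q (err=%v)\n", plain, err)
}
```

Two points the paragraphs leave implicit are visible when this runs: protected data is bound to the master key rather than to the password, which is why a password change only re-wraps one small blob instead of re-encrypting every protected item, and a wrong password or a modified blob is rejected by the tag check rather than producing garbage plaintext.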

By default, master keys are stored as files in the file system. Storing them in the system registry instead is an option for persistent registry implementations that must retain the master keys across a loss and restoration of power. If a hive-based registry is used, the keys are saved on the same volume as the registry hive.

The following registry values control where the master key files are stored. They must be pre-configured in the OS design, because they are read only at system start-up and a change made afterwards takes effect only on the next boot. If a hive-based registry is used, the values must be saved in the boot section of the registry so that they are available before the hive is mounted.

To specify the file path for the master keys, set the following registry value to the absolute path of the directory.

  [HKEY_LOCAL_MACHINE\init\BootVars]
"MasterKeyFileDir"="\\windows\\"

To store master keys in the registry instead of in a file in the Windows folder, set the following registry value in the run-time image:

  [HKEY_LOCAL_MACHINE\init\BootVars]
"MasterKeysInRegistry"=dword:1

If you do not set this value, or if you set it to 0, the master keys are stored in a file.

Note

Master keys stored in the registry are easier for an unauthorized user to reach than master keys stored in a file. Keep the default file storage unless your persistent registry implementation requires registry storage, and treat the master key location as part of the device's attack surface either way.

See Also

Concepts

Registry Operations
Hive-Based Registry Stored in RAM

Other Resources

Protected Store
CryptProtectData
CryptUnprotectData