This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 20%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
NCryptCreatePersistedKey has ability to set properties on the key. I have tested with UI settings for prompting for Allow/Deny. Also I have seen UI settings for PIN/Password. But I simply want the ability for a user to validate themselves like UAC before accessing a key. Is there a way to do something like this?
The purpose of this authorization is because a key created with the application for a specific purpose using Platform Crypto Provider (TPM) can still be accessed if the user happens to have another application running with with their user SID or anyone who sits down at the computer while someone is away from it could in fact simply access the key.
Obviously a PIN would protect against that, but that requires memory of a PIN/Password. If a person is already enrolled in Windows Hello they could just validate their own login to use a key.
Is this possible with some NCrypt key property that I can't find?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 34%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EXY%3C/text%3E%3C/svg%3E)
As far as key is concerned, it should be tied with its PIN/Password. However, you can implement a custom Key Storage Provider to get the feature.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 36%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMW%3C/text%3E%3C/svg%3E)
@Xiaopo Yang - MSFT
Per the documentation, setting PIN/Password is done using NCRYPT_UI_PROTECT_KEY_FLAG. Windows provides a prompt to the use the key on creation then on use. Is it possible to have the application "intercept" that prompt and set the PIN/password then enter it on use.
Further, when using the Platform Provider (TPM), is the PIN/Password provided during the create operation later enforced by the CNG library or is this passed to the TPM as a TPM Authorization value and enforced by the TPM itself?
I'm not sure whether I understood. But you can Set the pin property on the key programmatically.
CNG supports a wide range of hardware storage devices and according to How Windows uses the Trusted Platform Module, Keys that a TPM protects can require an authorization value such as a PIN.
@Monty Wiseman Any Update?