Key Containers: Basics

Hi, welcome back,

Let's talk today a bit about Key Containers in CryptoAPI.

Key containers can be created in a user's profile or in the machine's. User-level key containers can only be used by the user in whose profile they were created, while machine-level key containers can be used by anyone with access to them. Keys are usually stored in files, so NTFS permissions can be used to restrict which users have access. Read this article for more info: Understanding Machine-Level and User-Level RSA Key Containers.

Key containers can be found here by default:

+ User containers:

- Vista:


- Previous Windows:

C:\Documents and Settings\<user_name>\Application Data\Microsoft\Crypto\RSA

+ Machine containers:

- Vista:

C:\Users\All Users\Application Data\Microsoft\Crypto\RSA

- Previous Windows:

C:\Documents and Settings\all users\Application Data\Microsoft\Crypto\RSA


The following tool can be used to create containers, export/import keys, modify permissions on them, etc.: ASP.NET IIS Registration Tool (Aspnet_regiis.exe).

We can also use Process Monitor to see which key containers (files) our app uses to store its keys. To find the name of a key container, we can open those files in Microsoft\Crypto\RSA with Notepad.exe (or any other text editor): the first clear-text string in the file is the container name.
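The Notepad check above can be scripted to inventory a whole folder. This is an added example, not code from the original post; it assumes the container name is the first run of at least four printable ASCII characters, and `MIN_RUN`, `container_name`, `scan` and the `SAMPLE` bytes are names and data made up for the illustration.

```python
import re
import sys
from pathlib import Path

# Assumption: a real container name is at least 4 printable ASCII characters,
# so single printable bytes in the binary header are not mistaken for it.
MIN_RUN = 4
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_RUN)


def container_name(blob):
    """Return the first clear-text string in a key file, or None."""
    match = _PRINTABLE_RUN.search(blob)
    return match.group().decode("ascii") if match else None


def scan(directory):
    """Map every file under `directory` to its container name."""
    results = {}
    # rglob: the key files sit in subfolders of ...\Microsoft\Crypto\RSA
    for path in sorted(Path(directory).rglob("*")):
        if not path.is_file():
            continue
        try:
            results[str(path)] = container_name(path.read_bytes())
        except OSError as exc:
            # Access denied is itself a finding: the NTFS ACL on the key
            # file does not let the current account read it.
            results[str(path)] = "<unreadable: %s>" % exc.strerror
    return results


# Constructed sample, not a real key file: binary header bytes (one of them
# happens to be printable), the container name, then more binary data.
SAMPLE = (
    b"\x02\x00\x00\x00\x00\x00\x00\x00\x2c\x00\x00\x00"
    + b"MyAppKeyContainer\x00"
    + bytes(range(128, 160))
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for key_file, name in scan(sys.argv[1]).items():
            print(key_file, "->", name)
    else:
        print(container_name(SAMPLE))
```

Run it with one of the folders listed above as the argument; a file reported as unreadable points at the same permission problem Process Monitor would show as access denied.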

If we use certificates instead, we can use the following tool to manipulate the permissions on the keys associated with the certs: WinHttpCertCfg.exe, a Certificate Configuration Tool.


I hope this helps.



Alex (Alejandro Campos Magencio)


PS: This info may be useful if we are facing an issue like this: RSACryptoServiceProvider fails when used with ASP.NET. Process Monitor may help us detect which file (key container) we are trying to access, whether we find it or not (is the user's profile loaded?), and whether we get access denied when trying to access it (does the user have permissions to use those keys?).