Microsoft introduced the data protection application programming interface (DPAPI) in Windows. The API consists of two functions, CryptProtectData and CryptUnprotectData. DPAPI is part of CryptoAPI and was intended for developers who knew very little about using cryptography. The two functions could be used to encrypt and decrypt static data on a single computer.
Cloud computing, however, often requires that content encrypted on one computer be decrypted on another. Therefore, beginning with Windows 8, Microsoft extended the idea of using a relatively straightforward API to encompass cloud scenarios. This new API, called DPAPI-NG, enables you to securely share secrets (keys, passwords, key material) and messages by protecting them to a set of principals that can be used to remove protection from them on different computers after proper authentication and authorization. The following principals are currently supported:
- A group in an Active Directory forest.
- Web credentials.
For more information, see the following topics:
- Protection Providers
- Protection Descriptors
- Protected Data Format
- DPAPI backup keys on Active Directory domain controllers
DPAPI-NG is built on top of Cryptography Next Generation (CNG) and includes the following functions: